Bending Logs Like Neo: Splunk, Sentinel, and the Event Hub Advantage

I’m a Microsoft fanboy – guilty as charged.  With an E5 license, you get a treasure chest of security capabilities, and I’ll happily admit I lean hard into Redmond’s ecosystem. But here’s the thing: no platform is perfect. Not even Microsoft’s crown jewels.

The future is built on taking the platform you have and making the most out of it. Like the Agent said in The Matrix (and I’ve said in earlier posts), change is inevitable. More than the inevitability, though, it’s billable. The key isn’t to resist change, but to learn to bend it to your advantage, like Neo in the training program. Sadly, we can’t just have someone upload how it all works, but we can put some effort into learning.

Adapting and understanding your systems will allow you to get the most out of your investment—and give you the power to make random movie references about what you’ve done. Win-win.


Where Sentinel Falls Short

Microsoft Sentinel is a strong SIEM, especially for Microsoft-native logs. The add-ons—like Security Copilot—are impressive, and setup isn’t bad at all. But when you start pulling in third-party logs, the costs get ugly, fast.

We started out just hoping to get firewall logs in. After a couple of attempts, they were there, and it was glorious. Then the bill came for the first month—and we had to figure out why we were apparently being billed for a small yacht.

We tried it. It was a disaster. We even worked with Microsoft and basically got a, “Yeah, the prices can get pretty high.” So we backpedaled, stopping the bike like an ’80s kid skidding in the driveway. In a month, our bill had gone up exponentially. Looking at it, we knew it wasn’t going to work; talking with Microsoft confirmed it.

Sentinel isn’t a bad product (far from it), but once ingestion costs kick in, you start shopping around. That’s where Splunk and other SIEM players—QRadar, LogRhythm, FortiSIEM, Log360—come into the conversation.


Why Splunk Plays Nice with Microsoft

I’ve worked with a good friend who’s a bona fide “Splunkie,” and while I drive him crazy sometimes with my love of Microsoft, after looking into it with me, even he had to admit there was a lot of really good data.

Together, we dug into Splunk + Microsoft integrations. Splunk has some solid add-ons out of the box (the Microsoft Cloud Services and Microsoft 365 add-ons, for instance), but they rely heavily on polling Microsoft’s APIs on a schedule. That means:

  • Logs lag behind real time by at least the polling interval
  • Certain data points are missing, because the API inputs don’t surface every log category

Good, but not great.

But Splunk is kind of the Lego block of the SIEM world. You can build a castle, a spaceship, or (if you’re not careful) a very unsteady bridge. With some patience, effort, and maybe even budget, you can build out virtually whatever you want. The point is: you’re in control.

When we realized Entra’s API wasn’t giving us everything we needed, we discovered that the real gems were in the diagnostic logs: the tenant-level diagnostic settings that stream categories such as NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, and ManagedIdentitySignInLogs alongside the interactive SignInLogs and AuditLogs. Missing bricks like non-interactive sign-ins and service principal sign-ins suddenly clicked into place. So, we fired up the test environment, sent some logs, and dug in. And dug. And dug. And voila—the blueprints for a nifty little Lego castle came together.


The Event Hub Trick

Here’s where Microsoft has really improved over the years. There was a time, not so many years ago, when their entire goal was to keep you firmly entrenched in the ecosystem. Working outside it was either impossible or so kludgy that you’d want to curl up in the fetal position after downing a fifth of something hard straight from the bottle.

Thankfully, that’s changed. By streaming logs from Defender, Intune, Entra, and other services into Event Hubs (diagnostic settings for Azure, Intune, and Entra; the streaming API for Defender XDR), you can feed Splunk directly through its Event Hub input. It’s cleaner, faster, and much richer than relying on APIs.

Highlights:

  • Defender logs → timeline data, endpoint signals, and identity events (without deploying Sysmon or Universal Forwarders everywhere). The whole Defender ecosystem is ready to stream to Event Hubs out of the box through the Defender XDR streaming API—not just alerts and incidents, but the raw advanced hunting tables (DeviceProcessEvents, DeviceNetworkEvents, IdentityLogonEvents, and the rest).
  • Entra logs → richer than API logs, delivered closer to real-time, with the missing categories (non-interactive, service principal, and managed identity sign-ins) filled in. Glorious.
  • Azure Policy → a DeployIfNotExists assignment that creates the diagnostic setting on new resources (like storage accounts), so they start sending logs to the Event Hub automatically. No more hiding in the background—consistency is key.

The result? A big, beautiful stream of auditing and logging goodness, flowing right into Splunk and correlating a whirlwind of data across the environment.
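As an added example (my code, not anything from the post), here is a small Python parser for what actually lands in the Event Hub: each message body is a JSON envelope of records, and the category on each record tells you what you have. It covers both points above: it pulls out the non-interactive and service principal sign-in failures that the API route was missing, and it labels Defender streaming-API records by their advanced hunting table. The sample batch is constructed (tenant and app IDs are placeholders), the sourcetype names are my own rather than the Splunk add-on’s, and the property names follow the Azure Monitor sign-in log schema as I know it.

```python
"""Split Azure Monitor / Defender XDR batches from an Event Hub into per-event
records and pull out the sign-in failures the API-based inputs tend to miss.
Added example, not from the post; the batch below is constructed."""
import json
from collections import Counter

# Real Entra diagnostic-setting category names for sign-in data.
SIGNIN_CATEGORIES = {
    "SignInLogs",
    "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs",
}

TENANT = "/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam"

# Constructed sample: one Event Hub message body in the {"records": [...]} shape
# that Azure Monitor diagnostic settings and the Defender streaming API emit.
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2024-05-01T12:00:01Z", "category": "SignInLogs", "resourceId": TENANT,
     "properties": {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365",
                    "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}},
    {"time": "2024-05-01T12:00:02Z", "category": "NonInteractiveUserSignInLogs", "resourceId": TENANT,
     "properties": {"userPrincipalName": "bob@example.com", "appDisplayName": "Outlook",
                    "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}},
    {"time": "2024-05-01T12:00:03Z", "category": "ServicePrincipalSignInLogs", "resourceId": TENANT,
     "properties": {"servicePrincipalName": "backup-automation",
                    "appId": "11111111-1111-1111-1111-111111111111",
                    "resourceDisplayName": "Microsoft Graph",
                    "ipAddress": "192.0.2.44", "status": {"errorCode": 7000215}}},
    {"time": "2024-05-01T12:00:04Z", "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "wks01", "FileName": "powershell.exe"}},
]})


def split_records(body):
    """One Event Hub message carries {"records": [...]}. Accept that envelope,
    a bare list, or a single record, and always return a list of records."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    if isinstance(data, dict) and "records" in data:
        return list(data["records"])
    if isinstance(data, list):
        return data
    return [data]


def sourcetype_for(record):
    """Map a record to a Splunk-style sourcetype label. The names are assumed
    for this example, not the add-on's. Defender streaming-API categories
    look like 'AdvancedHunting-DeviceProcessEvents'."""
    cat = record.get("category", "")
    if cat in SIGNIN_CATEGORIES:
        return "azure:entra:signin"
    if cat == "AuditLogs":
        return "azure:entra:audit"
    if cat.startswith("AdvancedHunting-"):
        return "defender:xdr:" + cat.split("-", 1)[1].lower()
    return "azure:monitor:" + (cat.lower() or "unknown")


def principal_of(props):
    """User sign-ins carry a UPN; service principal and managed identity
    sign-ins carry servicePrincipalName instead."""
    return props.get("userPrincipalName") or props.get("servicePrincipalName") or "<unknown>"


def failed_sign_ins(records):
    """Return (category, principal, app, ip, errorCode) for every sign-in record
    whose status.errorCode is non-zero (0 means success in Entra logs)."""
    out = []
    for r in records:
        if r.get("category") not in SIGNIN_CATEGORIES:
            continue
        p = r.get("properties", {})
        code = int((p.get("status") or {}).get("errorCode", 0))
        if code != 0:
            app = p.get("appDisplayName") or p.get("resourceDisplayName")
            out.append((r["category"], principal_of(p), app, p.get("ipAddress"), code))
    return out


def summarize(body):
    """What a Splunk-side routing stage would want to know about one message."""
    records = split_records(body)
    return {
        "record_count": len(records),
        "by_sourcetype": dict(Counter(sourcetype_for(r) for r in records)),
        "failures": failed_sign_ins(records),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_BATCH), indent=2))
```

The point of splitting the envelope first is that Splunk should index one event per record, not one event per Event Hub message; otherwise a 50-record batch becomes a single unsearchable blob with one timestamp.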

Pro Tip: If you’re planning to use Event Hubs, size them a little larger than you think you need. Standard-tier capacity is sold in throughput units (one TU is roughly 1 MB/s or 1,000 events/s of ingress and 2 MB/s of egress), and when you exceed them the service throttles producers rather than charging you more, so the extra capacity buys you burst tolerance, not a bigger bill. Turn on auto-inflate with a sensible cap as well. We used Microsoft’s KQL baseline script to measure our volume, then budgeted at about 4x the recommendation to give ourselves room to grow.
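To make that tip concrete, here is an added Python sizing calculator (my example, not the post’s script or anything from Microsoft). It takes the daily volume your baseline query reports and works out the TU count against all four per-TU limits, including the egress that every extra consumer group adds, then applies the same kind of headroom multiplier the post describes. The quotas and the 40-TU / 32-partition caps are the Standard-tier numbers I am assuming; check them against the current docs before you trust the result.

```python
"""Turn a measured daily log volume into an Event Hubs throughput-unit (TU)
count. Added example, not from the post. Limits are the Standard-tier quotas
as published by Microsoft (assumed current): per TU, 1 MB/s or 1,000 events/s
in and 2 MB/s or 4,096 events/s out. Exceed them and producers get throttled."""
import math

TU_IN_MB_S, TU_IN_EVENTS_S = 1.0, 1000
TU_OUT_MB_S, TU_OUT_EVENTS_S = 2.0, 4096
STANDARD_TU_CAP = 40          # default namespace limit; more needs a support request
STANDARD_PARTITION_CAP = 32   # per event hub on Standard; fixed at creation


def size_event_hub(daily_gb, avg_event_bytes, consumer_groups=1,
                   peak_factor=3.0, headroom=4.0):
    """Return the TU count to provision and which limit drove it.

    daily_gb        -- average volume per day from your baseline query
    avg_event_bytes -- typical record size (Entra sign-ins run a few KB)
    consumer_groups -- readers that each replay the stream (Splunk plus any others)
    peak_factor     -- busiest-hour rate over the daily average (assumed 3x)
    headroom        -- extra multiplier on top of the peak (the post used ~4x)
    """
    avg_mb_s = daily_gb * 1024 / 86400
    avg_events_s = avg_mb_s * 1024 * 1024 / avg_event_bytes
    peak_mb_s = avg_mb_s * peak_factor
    peak_events_s = avg_events_s * peak_factor

    candidates = {
        "ingress_bytes": peak_mb_s / TU_IN_MB_S,
        "ingress_events": peak_events_s / TU_IN_EVENTS_S,
        # every consumer group reads the whole stream, so egress scales with it
        "egress_bytes": peak_mb_s * consumer_groups / TU_OUT_MB_S,
        "egress_events": peak_events_s * consumer_groups / TU_OUT_EVENTS_S,
    }
    binding = max(candidates, key=candidates.get)
    needed = max(1, math.ceil(candidates[binding] * headroom))
    return {
        "peak_mb_s": round(peak_mb_s, 3),
        "peak_events_s": round(peak_events_s),
        "binding_limit": binding,
        "tu": min(needed, STANDARD_TU_CAP),
        # partitions can't be added later on Standard; keep them >= the max TUs
        # you expect auto-inflate to reach
        "partitions": min(needed, STANDARD_PARTITION_CAP),
        "exceeds_standard_cap": needed > STANDARD_TU_CAP,
    }


if __name__ == "__main__":
    print(size_event_hub(daily_gb=50, avg_event_bytes=1024))
    print(size_event_hub(daily_gb=50, avg_event_bytes=1024, consumer_groups=4))
```

Note how the binding limit flips from events-per-second on ingress to bytes-per-second on egress once a few consumer groups are reading the same hub; that second case is the one people miss when they add a data lake or a second SIEM next to Splunk.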


Cost in Perspective

Here’s the kicker: in our experience Event Hubs run well under $500/month in smaller environments, so getting the data out of Azure isn’t a heavy burden. On the Splunk side, ingest-time filtering (routing noisy sourcetypes or events to nullQueue in props and transforms before they hit the index) lets you balance cost and visibility too, since under ingest-based licensing only what gets indexed counts against the license.

Compare that with Sentinel pulling in external logs, and Splunk often comes out ahead. Those firewall logs? I’ve heard of people getting hit upwards of $20k a month simply from third-party firewall logging. Splunk’s ingestion model—while still a bit pricey—is much, much less than that, and comprehensive. They don’t care what logs you send, as long as you stay within your budgeted ingest.


Sentinel vs. Splunk

This isn’t a knock on Sentinel—it shines when you stick to Microsoft logs, and it’s gotten significantly better each year. But if your environment is hybrid or multi-vendor, Splunk is a strong alternative that plays well with Microsoft and gives you the customization you need.

While Splunk engineers can be harder to find, many MSSPs and vendors provide services to help you get rolling. In my case, I’ve got friends who like to tinker, so it works well.


Coming Up Next

Later, I’ll walk through how to actually wire Event Hubs to Splunk, including some config details and a few potholes to avoid.

Spoiler: It involves less fetal-position-bottle-of-whisky work than you might think.
