The question we get most often after running a tenant audit is some version of: "should we be running Microsoft Sentinel?" The honest answer, for most of the SMBs we audit, is no. Not yet. And in some cases, not ever.
This is not a position most MSPs take. Sentinel is one of the highest-revenue products in the Microsoft security stack, with consumption-based pricing that scales with log volume. Recommending it generates margin. Recommending it generates monthly recurring revenue. Recommending it makes the MSP look sophisticated. Recommending it for an SMB that does not need it produces a tool that gets configured once, run for six months at an unexpectedly high monthly bill, and quietly turned off when leadership asks why log analytics is costing $4,000 per month.
This post is the honest framework. When Sentinel is genuinely the right tool, when Defender XDR alone is enough, and what the realistic options look like for SMBs in between.
If you have not read our post on the Microsoft Defender ecosystem and why isolated EDR is not enough, it is the necessary context for this one. Defender XDR is the ecosystem foundation. Sentinel sits on top of it.
What Sentinel actually is
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platform. It ingests log data from across your environment (Microsoft 365, Azure, on-premises systems, third-party security products, network devices, custom applications), normalizes the data, applies detection rules, correlates events across sources, and provides workflows for investigation and response.
It is genuinely good at what it does. Microsoft has invested heavily in detection content, KQL (Kusto Query Language, the query language shared with Log Analytics and Defender Advanced Hunting), automation playbooks, and integration with the rest of the Defender stack. For organizations that need a full SIEM, Sentinel is competitive with Splunk, IBM QRadar, and the other established platforms, often at lower cost per gigabyte.
The phrase "for organizations that need a full SIEM" is the key qualifier most discussions skip.
What Defender XDR already gives you (without Sentinel)
Before adding Sentinel, it is worth being precise about what Defender XDR provides natively to a Microsoft 365 tenant:
- Cross-domain alert correlation across Defender for Office 365, Defender for Identity, Defender for Endpoint, and Defender for Cloud Apps. Alerts from these products are already correlated into incidents within the Defender XDR portal.
- Automated Attack Disruption capable of isolating compromised accounts, revoking sessions, containing devices, and quarantining emails based on cross-signal correlation. We covered this in our post on the newest Microsoft 365 security features.
- Advanced Hunting with KQL queries across the same telemetry that would also feed Sentinel.
- Threat analytics, incident management, and response playbooks for Microsoft 365 and Azure workloads.
- 30 days of Defender data retention at no additional cost (this is the part that matters when comparing to Sentinel).
For a tenant whose entire footprint is Microsoft 365 and Azure, with no on-premises systems, no third-party security products generating logs that need correlation, and no regulatory requirement for extended log retention, Defender XDR alone covers a substantial portion of what an SMB would otherwise pay Sentinel for.
This is not a marketing claim. It is the architectural reality of how Microsoft has built Defender XDR over the past three years. The native correlation has materially closed the historical gap that justified Sentinel as a separate product for Microsoft-centric organizations.
When Sentinel is genuinely the right call
There are four scenarios where we recommend Sentinel without hesitation:
1. Regulatory or contractual log retention requirements
If your industry requires 1-7 years of log retention (NY DFS Part 500, NYDFS revisions, HIPAA, PCI-DSS Level 1-2, certain SEC and FINRA requirements, FedRAMP-adjacent contracts, defense supply chain CMMC), Defender XDR's native 30-day retention is structurally insufficient. Sentinel's Log Analytics workspace can retain data for years, and the archive tier reduces cost for older data significantly.
For organizations with these requirements, Sentinel is not optional. The compliance cost of not having retention is higher than the consumption cost of having it.
2. Multiple log sources outside the Microsoft ecosystem
If your environment includes Linux servers in AWS or GCP, network appliances generating substantial syslog volume, on-premises Active Directory with custom event subscriptions, SaaS applications with security logs that need correlation (Salesforce, Okta, Atlassian, custom CRMs), or industrial systems with proprietary protocols, you need a SIEM that can ingest, normalize, and correlate all of it.
Defender XDR cannot do this. Sentinel can. For genuinely hybrid environments, Sentinel becomes the central nervous system that Defender XDR cannot replace.
3. A dedicated SOC team that uses SIEM as their primary tool
If your organization has a security operations team large enough to run a 24x7 monitoring function, and that team has been trained on KQL, custom detections, threat hunting, and playbook authoring, Sentinel gives them the surface they need to do their job. The product's value scales with the operational maturity of the team using it.
Most SMBs do not have this team. The ones that do generally already know they need Sentinel.
4. Cyber insurance or large customer requirements
We have seen vendor security questionnaires from enterprise customers and cyber insurance underwriters that explicitly require a SIEM with central log aggregation. The questionnaire does not always say "Sentinel," but it does say things like "centralized SIEM with 1-year log retention, custom detection rules, and SOAR capability." Defender XDR's native posture does not check the box on those questionnaires. Sentinel does.
For organizations whose growth depends on closing enterprise deals or maintaining favorable insurance terms, Sentinel becomes a cost of doing business.
When Sentinel is the wrong call (most SMBs)
For organizations under 250 users, primarily on Microsoft 365 and Azure, without complex regulatory log retention requirements, without a dedicated SOC team, and without enterprise customer or insurance requirements forcing the issue, Sentinel is usually the wrong product. The reasons:
Consumption pricing is unpredictable at SMB scale. Sentinel charges by data ingested into Log Analytics, typically $2-3 per gigabyte for ingestion plus retention costs. SMB log volumes are inherently lower than enterprise, but Sentinel's per-GB price does not scale down proportionally. A 200-user tenant with reasonable telemetry ingestion can produce $1,500-3,000 per month in Sentinel consumption costs. For an SMB security budget, that is real money for a tool that may be doing 30% of what Defender XDR already does for free.
Operational complexity exceeds the team's capacity. Sentinel requires someone to author KQL queries, tune detection rules, build playbooks, manage data connector health, and triage the alerts. An IT manager who is already wearing five hats does not have the capacity. The platform's value depends on operational ownership, and SMB teams rarely have it without bringing in an MSP that specifically operates Sentinel as a service.
The detection content overlap with Defender XDR is high. Most of the high-value detections Sentinel offers for a Microsoft 365 tenant are already firing in Defender XDR. Adding Sentinel duplicates the detection layer without producing materially new signal. The marginal detection benefit is real but smaller than the marketing suggests.
The audit and retention story can usually be solved more cheaply. For tenants that need extended audit log retention specifically (and not full SIEM capability), Microsoft Purview Audit Premium provides 1-year retention for Microsoft 365 audit logs at a fraction of Sentinel's cost. For tenants that need long-term archive specifically, Azure Storage with Lifecycle Management policies costs pennies per gigabyte for cold storage. We applied this pattern in our post on the accounting firm compliance case study.
The middle ground: what we recommend for SMBs in transition
For SMBs that are not yet at the Sentinel threshold but anticipating they may need it in 12-24 months (typically growing companies in regulated industries or pursuing enterprise customers), the realistic path is:
Step 1. Fully activate the Defender XDR stack already in the tenant. Many of the operational improvements people attribute to "needing Sentinel" actually come from finally configuring what Defender already provides. We covered this in what we found auditing 50 Microsoft 365 tenants.
Step 2. Add Purview Audit Premium for 1-year audit retention if the compliance posture requires it. This solves the most common SMB driver for considering Sentinel without taking on the consumption costs.
Step 3. Stand up a Sentinel workspace in audit-only mode with minimal data connectors (Microsoft 365, Azure Activity Log, and Defender XDR). Run it for 90 days to baseline data volume and cost without committing to full deployment. Microsoft offers free ingestion of Microsoft 365 audit logs and Microsoft Defender XDR alerts via the included connectors. The base cost during this period is typically under $200 per month.
Step 4. Evaluate at the 90-day mark with real data. Did Sentinel surface detections that Defender XDR did not? Are the cost projections aligned with the value? Is there operational ownership to sustain the platform? If yes, proceed to full deployment. If not, the SMB has spent under $1,000 to make an informed decision instead of $20,000+ on a year of underused SIEM.
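Two KQL queries that put numbers behind Steps 3 and 4, added here as an example and not taken from the original post. Both run in the Logs blade of the trial Sentinel workspace; run them one at a time, since Log Analytics accepts a single query per execution. The first baselines billable ingestion per table from the standard Usage table and projects a monthly cost from an assumed per-GB price (the $2.50 figure is a placeholder; substitute the combined Log Analytics plus Sentinel rate on your bill). The second separates alerts raised by Sentinel's own analytics rules from alerts forwarded by Defender products, which is the overlap question in Step 4. The 90-day window and the price are assumptions; the table and column names are the standard Sentinel ones.

```kql
// Query 1: billable ingestion per table over the trial, projected to a month.
// Usage.Quantity is recorded in megabytes. Rows with IsBillable == false
// (the free Microsoft 365 audit and Defender XDR alert feeds) are excluded,
// so the result is the consumption you would actually pay for.
let PricePerGB = 2.50;        // assumed placeholder; use your real blended $/GB rate
let TrialStart = ago(90d);    // assumed trial window
let DaysObserved = toscalar(
    Usage
    | where TimeGenerated >= TrialStart
    | summarize datetime_diff('day', max(TimeGenerated), min(TimeGenerated)) + 1);
Usage
| where TimeGenerated >= TrialStart and IsBillable == true
| summarize IngestedGB = sum(Quantity) / 1024.0 by DataType
| extend ProjectedMonthlyGB = round(IngestedGB / DaysObserved * 30, 2)
| extend ProjectedMonthlyUSD = round(ProjectedMonthlyGB * PricePerGB, 2)
| order by ProjectedMonthlyUSD desc

// Query 2: where did alerts come from during the trial?
// Alerts whose ProductName is "Azure Sentinel" were raised by Sentinel's own
// analytics rules; everything else was forwarded from a Defender product and
// would have fired in Defender XDR without Sentinel. A small "Sentinel analytics
// rule" count relative to the Defender count is the overlap the post describes.
SecurityAlert
| where TimeGenerated >= ago(90d)
| extend Source = iff(ProductName == "Azure Sentinel",
                      "Sentinel analytics rule",
                      "Defender product (already in XDR)")
| summarize AlertCount = dcount(SystemAlertId) by Source, ProductName, AlertSeverity
| order by AlertCount desc
```

Read the two outputs together: the first tells you which data types drive the bill (often a single noisy connector), and the second tells you whether the rules you wrote or enabled in Sentinel produced signal that Defender XDR was not already giving you. If most of the cost sits in one table and most of the alerts carry a Defender ProductName, the 90-day evaluation answers itself.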
This is the conversation that almost never happens in MSP sales cycles. The conversation that does happen is either "you need Sentinel" or "you don't need Sentinel," and neither answer accounts for the SMB's actual trajectory.
How NeoDefender helps
We deploy Sentinel for clients where the four scenarios above apply. We explicitly recommend against it for clients where they do not. Our Cybersecurity managed services include Defender XDR operationalization as the foundation, with Sentinel added as a layer when the organization's regulatory posture, telemetry sources, or operational maturity justify it.
If your organization has been told you need Sentinel and you are not sure whether the recommendation is grounded in your actual environment or in the recommender's revenue model, schedule a Reality Check with the NeoDefender team. We will look at your tenant, your compliance posture, your telemetry footprint, and your operational capacity, and give you an honest read on whether Sentinel is the right next investment or whether the dollars are better spent activating what you already have.