Microsoft Sentinel vs Defender XDR: When You Need Each (Australia 2026)

Defender XDR ships with E5. Sentinel is a billed SIEM. This Australian 2026 guide explains the overlap and the SOC and compliance triggers for adding Sentinel.

Simon Aspinall · 16 June 2026 · 7 min read

There is a question that comes up in almost every Australian security review Frontrow runs once a business lands on Microsoft 365 E5: "We already have Defender. Do we still need a SIEM?" It is a fair question, and the honest answer is "it depends" — but the dependencies are specific and knowable. The confusion usually comes from two products that sound like they do the same job. Microsoft Defender XDR is included with the licence. Microsoft Sentinel is a separate, usage-billed platform. Knowing where one stops and the other starts is the difference between a tight security spend and a surprise invoice.

What Defender XDR actually is

Defender XDR is Microsoft's extended detection and response platform. It stitches together the signals from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity and Defender for Cloud Apps into a single incident view inside the Defender portal. When an attacker phishes a user, lands on a device and tries to move laterally, XDR correlates those events into one incident automatically and, where you let it, takes action — isolating the device, disabling the account, pulling the malicious mail from every inbox.

The important commercial point is that XDR is bundled with Microsoft 365 E5 (and is available through several Defender add-on SKUs). For a business already on E5, the detection and response engine is, in effect, already paid for. That is genuinely good value, and it is why Frontrow's default position for a single-tenant Australian SMB is to get Defender XDR configured properly before spending a dollar on anything else.

What Microsoft Sentinel actually is

Sentinel is a cloud-native SIEM and SOAR platform. Where XDR is scoped to what Microsoft can see, Sentinel ingests logs from anything: firewalls, network appliances, on-premises servers, line-of-business and ERP systems, identity providers, even other clouds. It holds that data for long retention periods, and it gives analysts the Kusto Query Language (KQL) to write their own detections, run threat hunts and build automated playbooks that respond across the whole environment, not just the Microsoft slice.

The catch — and it is the whole story on cost — is that Sentinel is billed largely on data ingestion per gigabyte per day, plus retention. It is not a per-user licence. The bill is a function of how many sources you connect and how noisy they are. Two tenants with identical user counts can have wildly different Sentinel bills depending on what they pipe in. Any pricing quoted is indicative AUD list pricing (confirm at purchase), but the principle is fixed: ingestion is the meter, and the meter never sleeps.

Where they overlap

The overlap is real and it confuses buyers. Both products will alert on a compromised Microsoft 365 account. Both surface endpoint and identity threats. Microsoft has deliberately blurred the line — the unified Defender portal now hosts both experiences, and the Microsoft 365 connectors stream Defender data into Sentinel at no ingestion charge. So for purely Microsoft-sourced incidents, XDR alone is usually enough; pushing that same data into Sentinel buys you longer retention and custom analytics, not a fundamentally better detection.

The clean mental model: Defender XDR is the response engine for the Microsoft world. Sentinel is the long-memory analytics layer for the whole world. They are complementary, not competing. The mistake Frontrow sees most often is treating Sentinel as a tick-box upgrade — switching it on, connecting every available data source, and discovering a five-figure annual ingestion bill for logs nobody is reading.

The triggers for adding Sentinel

Rather than ask "is Sentinel better", ask whether any of these conditions are true for the business. If one or more is, Sentinel earns its place. If none are, XDR alone is the disciplined choice.

  • Retention beyond XDR's window. Defender XDR holds incident and hunting data for roughly 30 days. If a compliance obligation, a regulator, a cyber-insurance policy or an incident-response contract requires 12 months or longer, Sentinel (or another archive) is how you keep it.
  • Non-Microsoft sources matter. Once the threats you care about live in the firewall, the VPN concentrator, an on-prem application or another cloud, XDR cannot see them. Sentinel can ingest and correlate them.
  • You run, or buy, a real SOC. A 24/7 analyst team — in-house or an MDR provider — needs custom KQL detections, threat hunting and automated playbooks. That is Sentinel's home ground.
  • Centralised correlation across many systems. If an incident only makes sense when you join identity, network and application logs in one place, you need the SIEM to do the joining.
  • Essential Eight maturity and audit evidence. Higher maturity levels lean on centralised logging and monitoring. Sentinel is a common way Australian organisations evidence that control.
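The "centralised correlation" trigger above is easiest to see in code. The following is an added example written for this guide, not Frontrow's or Microsoft's code; the three record layouts are constructed simplifications of identity, firewall and application logs, not real Sentinel table schemas, and the thresholds (a 30-minute window, three denied ports) are assumptions chosen for the sample data.

```python
"""Toy SIEM-style correlation across three log sources.

Added example for this guide; it is not Frontrow or Microsoft code, and the
record layouts below are constructed simplifications, not Sentinel schemas.
"""
from datetime import datetime, timedelta

# Constructed sample events. Each list stands in for one source a SIEM would
# ingest; on its own, XDR would only see the identity (sign-in) slice.
SIGNIN_EVENTS = [  # identity provider sign-ins
    {"time": "2026-06-01T02:14:00", "user": "j.smith", "ip": "203.0.113.10", "result": "success"},
    {"time": "2026-06-01T09:30:00", "user": "a.lee", "ip": "198.51.100.7", "result": "success"},
]
FIREWALL_EVENTS = [  # perimeter firewall connection log
    {"time": "2026-06-01T02:05:00", "src_ip": "203.0.113.10", "dst_port": 3389, "action": "deny"},
    {"time": "2026-06-01T02:06:00", "src_ip": "203.0.113.10", "dst_port": 22, "action": "deny"},
    {"time": "2026-06-01T02:07:00", "src_ip": "203.0.113.10", "dst_port": 445, "action": "deny"},
    {"time": "2026-06-01T09:00:00", "src_ip": "198.51.100.7", "dst_port": 443, "action": "allow"},
]
APP_EVENTS = [  # line-of-business / ERP audit log
    {"time": "2026-06-01T02:20:00", "user": "j.smith", "ip": "203.0.113.10", "action": "export_payroll"},
    {"time": "2026-06-01T09:35:00", "user": "a.lee", "ip": "198.51.100.7", "action": "view_invoice"},
]


def _ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def correlate(signins, firewall, app, window=timedelta(minutes=30), min_denied_ports=3):
    """Join the three sources by source IP inside a time window.

    An incident is raised when one IP was denied on at least
    `min_denied_ports` distinct ports shortly *before* a successful sign-in,
    and the same user then ran an export action from that IP shortly *after*.
    None of the three sources shows this pattern alone; the join is the point.
    """
    incidents = []
    for s in signins:
        if s["result"] != "success":
            continue
        t0 = _ts(s["time"])
        denied_ports = {
            f["dst_port"] for f in firewall
            if f["src_ip"] == s["ip"] and f["action"] == "deny"
            and t0 - window <= _ts(f["time"]) <= t0
        }
        exports = [
            a["action"] for a in app
            if a["ip"] == s["ip"] and a["user"] == s["user"]
            and a["action"].startswith("export_")
            and t0 <= _ts(a["time"]) <= t0 + window
        ]
        if len(denied_ports) >= min_denied_ports and exports:
            incidents.append({
                "user": s["user"],
                "ip": s["ip"],
                "denied_ports": sorted(denied_ports),
                "actions": exports,
            })
    return incidents


if __name__ == "__main__":
    for incident in correlate(SIGNIN_EVENTS, FIREWALL_EVENTS, APP_EVENTS):
        print(incident)
```

Run as-is it raises one incident for `j.smith` and none for `a.lee`. Strip out the firewall list and nothing fires, which is the practical meaning of "XDR cannot see them": the identity event on its own is an ordinary successful sign-in.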

The Australian compliance angle

For Australian organisations the decision often turns on obligations rather than threat appetite. The Essential Eight's monitoring expectations, sector regulators, and the data-retention clauses now common in cyber-insurance renewals all push towards centralised, durable logging. Defender XDR's 30-day window does not satisfy a "retain 12 months of security logs" clause on its own. This is usually the single clearest trigger Frontrow encounters: not a feature gap, but a retention and evidence requirement that XDR was never designed to meet.

Data residency is the common follow-up question. Sentinel runs in Azure, and the workspace region is a deployment decision — Australian organisations typically keep it in an Australian Azure region. That is a design choice to make deliberately at setup, not an afterthought.

What Frontrow would actually do

For a typical Australian SMB landing on E5, Frontrow gets Defender XDR fully configured first — endpoint onboarding, identity protection, safe-attachment and safe-link policies, automated response tuned so it is trusted rather than muted. That alone closes most of the gap for most businesses, and it is already paid for. Only then does the Sentinel conversation start, and it starts with a question: which of the five triggers above is true here?

When Sentinel is the answer, the discipline is in the design. Frontrow models the ingestion bill before any connector is switched on, uses the free Microsoft 365 connectors where they make sense, filters noisy sources at the point of collection rather than paying to store and then discard, and tiers retention so that hot, searchable data and cheap long-term archive are billed differently. A SIEM that ingests everything is easy to stand up and expensive to keep. A SIEM scoped to the questions the SOC actually asks is the one that survives the next budget review.
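The cost discipline described above (model the bill first, use the free connectors, filter at collection, tier retention) as an added worked example. This is not Frontrow's tooling: every rate is a constructed placeholder rather than a Microsoft price, the 90-day included hot-retention window is an assumption, and the source volumes are invented for a small tenant.

```python
"""Model a Sentinel-style ingestion and retention bill before connecting sources.

Added example for this guide, not Frontrow's tooling. Every rate below is a
constructed placeholder, not a Microsoft list price; substitute current AUD
pricing at quote time. The included-hot-retention window is an assumption.
"""
from dataclasses import dataclass

# Placeholder rates (constructed, per GB). Ingestion and retention are
# metered separately, and hot (searchable) and archive retention are tiered.
RATE_INGEST_PER_GB = 10.0            # placeholder: charge per GB ingested
RATE_HOT_PER_GB_MONTH = 0.20         # placeholder: per GB-month kept hot beyond the included window
RATE_ARCHIVE_PER_GB_MONTH = 0.02     # placeholder: per GB-month in long-term archive
INCLUDED_HOT_DAYS = 90               # assumption: hot retention bundled with ingestion


@dataclass
class Source:
    name: str
    gb_per_day: float                # raw daily volume the source would send
    free_connector: bool = False     # Microsoft 365 connectors: no ingestion charge
    filter_keep_ratio: float = 1.0   # fraction kept after filtering at the collector

    @property
    def ingested_gb_per_day(self) -> float:
        return self.gb_per_day * self.filter_keep_ratio


def monthly_cost(sources, hot_days, archive_days, days_per_month=30):
    """Return (total, per_source) for one month at steady state.

    hot_days: total searchable retention; archive_days: additional archive
    retention after data leaves the hot tier. At steady state each tier holds
    (daily volume x tier length) GB, which is what retention is metered on.
    """
    per_source = {}
    for src in sources:
        daily = src.ingested_gb_per_day
        ingest = 0.0 if src.free_connector else daily * RATE_INGEST_PER_GB * days_per_month
        billable_hot_days = max(0, hot_days - INCLUDED_HOT_DAYS)
        hot = daily * billable_hot_days * RATE_HOT_PER_GB_MONTH
        archive = daily * archive_days * RATE_ARCHIVE_PER_GB_MONTH
        per_source[src.name] = round(ingest + hot + archive, 2)
    return round(sum(per_source.values()), 2), per_source


# Constructed sources for a small tenant.
M365 = Source("Microsoft 365 / Defender", gb_per_day=5.0, free_connector=True)
FIREWALL_RAW = Source("Firewall (everything)", gb_per_day=20.0)
FIREWALL_FILTERED = Source("Firewall (denies and auth only)", gb_per_day=20.0, filter_keep_ratio=0.25)
ERP_AUDIT = Source("ERP audit log", gb_per_day=1.0)


def compare_designs():
    """'Switch everything on, keep it all hot for a year' versus a scoped design:
    filter at collection, hot for the included window, archive out to 12 months."""
    everything, _ = monthly_cost([M365, FIREWALL_RAW, ERP_AUDIT], hot_days=365, archive_days=0)
    scoped, _ = monthly_cost([M365, FIREWALL_FILTERED, ERP_AUDIT], hot_days=90, archive_days=275)
    return everything, scoped


if __name__ == "__main__":
    everything, scoped = compare_designs()
    print(f"everything hot for a year: {everything:.2f} per month (placeholder units)")
    print(f"scoped, tiered design:     {scoped:.2f} per month (placeholder units)")
```

Both designs keep 12 months of data, so both satisfy the retention clause; the difference is what is ingested and which tier holds it. With these placeholder rates the raw firewall feed dominates the first design, which is why the model is worth building before the connector is switched on rather than after the first invoice.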

Sentinel and Defender XDR are not a versus. They are a sequence. Get the included engine working, prove the need, then add the SIEM with a cost model attached. The businesses that get burned are the ones that bought the SIEM first and asked what it was for later.

Common questions

Do I need Microsoft Sentinel if I already have Defender XDR?

Not by default. Defender XDR is included with Microsoft 365 E5 and covers endpoints, identity, email and cloud apps with around 30 days of incident data. Most Australian SMBs run on XDR alone for the first year. You add Sentinel when you need to retain logs beyond XDR's window (commonly 12 months or more for compliance), correlate non-Microsoft sources like firewalls and line-of-business apps, or stand up a 24/7 SOC with custom detections. If none of those apply, paying for Sentinel adds cost without adding protection.

Is Defender XDR a SIEM?

No. Defender XDR is an extended detection and response (XDR) platform — it correlates signals across the Microsoft estate and acts on them automatically. A SIEM like Sentinel is a log warehouse and analytics engine that ingests events from any source, retains them for long periods, and lets analysts write their own detection and hunting queries. XDR answers "what is Microsoft seeing across my tenant right now"; Sentinel answers "show me everything from every system, including the firewall and the ERP, going back a year". They overlap but solve different problems.

How much does Microsoft Sentinel cost in Australia?

Sentinel is billed mostly on data ingested per gigabyte per day plus retention, so the bill scales with how many sources you connect and how chatty they are — not per user. A small tenant feeding only the essentials can run modestly; a noisy multi-source deployment can climb quickly. Any pricing quoted is indicative AUD list pricing; confirm at purchase. Frontrow's view is that cost discipline is a design decision: filter at the source, use the free Microsoft 365 connectors where it makes sense, and tier retention rather than ingesting everything hot. Frontrow models the ingestion bill before any connector is switched on.
