Plan costs, understand Microsoft Sentinel pricing and billing (2024)

As you plan your Microsoft Sentinel deployment, you typically want to understand its pricing and billing models to optimize your costs. Microsoft Sentinel's security analytics data is stored in an Azure Monitor Log Analytics workspace. Billing is based on the volume of data analyzed in Microsoft Sentinel and stored in the Log Analytics workspace. The cost of both is combined in a simplified pricing tier. Learn more about the simplified pricing tiers or learn more about Microsoft Sentinel pricing in general.

Before you add any resources for Microsoft Sentinel, use the Azure pricing calculator to help estimate your costs.

Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan costs and understand the billing for Microsoft Sentinel, you're billed for all Azure services and resources your Azure subscription uses, including Partner services.

This article is part of the Deployment guide for Microsoft Sentinel.

Free trial

Enable Microsoft Sentinel on an Azure Monitor Log Analytics workspace and the first 10 GB/day is free for 31 days. Charges for both Log Analytics data ingestion and Microsoft Sentinel analysis, up to the 10 GB/day limit, are waived during the 31-day trial period. This free trial is subject to a 20 workspace limit per Azure tenant.

Usage beyond these limits will be charged per the pricing listed on the Microsoft Sentinel pricing page. Charges related to extra capabilities for automation and bring your own machine learning are still applicable during the free trial.

During your free trial, find resources for cost management, training, and more on the News & guides > Free trial tab in Microsoft Sentinel. This tab also displays details about the dates of your free trial, and how many days you have left until it expires.

Identify data sources and plan costs accordingly

Identify the data sources you're ingesting or plan to ingest to your workspace in Microsoft Sentinel. Microsoft Sentinel allows you to bring in data from one or more data sources. Some of these data sources are free, and others incur charges. For more information, see Free data sources.

Estimate costs and billing before using Microsoft Sentinel

Use the Microsoft Sentinel pricing calculator to estimate new or changing costs. Enter Microsoft Sentinel in the Search box and select the resulting Microsoft Sentinel tile. The pricing calculator helps you estimate your likely costs based on your expected data ingestion and retention.

For example, enter the GB of daily data you expect to ingest in Microsoft Sentinel, and the region for your workspace. The calculator provides the aggregate monthly cost across these components:

  • Microsoft Sentinel: Analytics logs and basic logs
  • Azure Monitor: Retention
  • Azure Monitor: Data Restore
  • Azure Monitor: Search Queries and Search Jobs

Understand the full billing model for Microsoft Sentinel

Microsoft Sentinel offers a flexible and predictable pricing model. For more information, see the Microsoft Sentinel pricing page. Workspaces older than July 2023 might have Log Analytics workspace charges separate from Microsoft Sentinel in a classic pricing tier. For the related Log Analytics charges, see Azure Monitor Log Analytics pricing.

Microsoft Sentinel runs on Azure infrastructure that accrues costs when you deploy new resources. It's important to understand that there could be other, extra infrastructure costs that might accrue.

How you're charged for Microsoft Sentinel

Pricing is based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high value security logs. Basic logs tend to be verbose with low security value. It's important to note that billing is done per workspace on a daily basis for all log types and tiers.

Analytics logs

There are two ways to pay for the analytics logs: Pay-As-You-Go and Commitment Tiers.

  • Pay-As-You-Go is the default model, based on the actual data volume stored and optionally for data retention beyond 90 days. Data volume is measured in GB (10^9 bytes).

  • Log Analytics and Microsoft Sentinel have Commitment Tier pricing, formerly called Capacity Reservations. These pricing tiers are combined into simplified pricing tiers which are more predictable and offer substantial savings compared to Pay-As-You-Go pricing.

    Commitment Tier pricing starts at 100 GB/day. Any usage above the commitment level is billed at the Commitment Tier rate you selected. For example, a Commitment Tier of 100-GB bills you for the committed 100-GB data volume, plus any extra GB/day at the discounted rate for that tier.

    Increase your commitment tier anytime to optimize costs as your data volume increases. Lowering the commitment tier is only allowed every 31 days. To see your current Microsoft Sentinel pricing tier, select Settings in Microsoft Sentinel, and then select the Pricing tab. Your current pricing tier is marked as Current tier.

    To set and change your Commitment Tier, see Set or change pricing tier. Workspaces older than July 2023 have the option to switch to the simplified pricing tiers experience to unify billing meters, or to continue using the classic pricing tiers, which separate the Log Analytics pricing from the classic Microsoft Sentinel pricing. For more information, see simplified pricing tiers.

Basic logs

Basic logs have a reduced price and are charged at a flat rate per GB. They have the following limitations:

  • Reduced querying capabilities
  • Eight-day retention
  • No support for scheduled alerts

Basic logs are best suited for use in playbook automation, ad-hoc querying, investigations, and search. For more information, see Configure Basic Logs in Azure Monitor.

Simplified pricing tiers

Simplified pricing tiers combine the data analysis costs for Microsoft Sentinel and ingestion storage costs of Log Analytics into a single pricing tier. Here's a screenshot showing the simplified pricing tier that all new workspaces will use.

Workspaces configured with classic pricing tiers have the option to switch to the simplified pricing tiers. For more information on how to Switch to new pricing, see Enroll in a simplified pricing tier.

Combining the pricing tiers offers a simplification to the overall billing and cost management experience, including visualization in the pricing page, and fewer steps estimating costs in the Azure calculator. To add further value to the new simplified tiers, the current Microsoft Defender for Servers P2 benefit granting 500 MB/VM/day security data ingestion into Log Analytics has been extended to the simplified pricing tiers. This greatly increases the financial benefit of bringing eligible data ingested into Microsoft Sentinel for each VM protected in this manner.

Understand your Microsoft Sentinel bill

Billable meters are the individual components of your service that appear on your bill and are shown in Microsoft Cost Management. At the end of your billing cycle, the charges for each meter are summed. Your bill or invoice shows a section for all Microsoft Sentinel costs. There's a separate line item for each meter.

To see your Azure bill, select Cost Analysis in the left navigation of Cost Management. On the Cost analysis screen, select the drop-down caret in the View field, and select Invoice details.

The costs shown in the following image are for example purposes only. They're not intended to reflect actual costs. Starting July 1, 2023, legacy pricing tiers are prefixed with Classic.

Microsoft Sentinel and Log Analytics charges might appear on your Azure bill as separate line items based on your selected pricing plan. Simplified pricing tiers are represented as a single sentinel line item for the pricing tier. Since ingestion and analysis are billed on a daily basis, if your workspace exceeds its Commitment Tier usage allocation in any given day, the Azure bill shows one line item for the Commitment Tier with its associated fixed cost, and a separate line item for the cost beyond the Commitment Tier, billed at the same effective Commitment Tier rate.
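The daily Commitment Tier billing described above (a fixed tier charge every day, plus overage at the tier's effective per-GB rate) can be modelled as follows. This is an added example, not code from the original article: all rates are constructed placeholders rather than real prices, the week of ingestion figures is constructed, and the 200 GB/day tier is an assumed second candidate alongside the 100 GB/day tier the article names.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed placeholder rate (arbitrary currency units per GB), NOT a real price.
PAYG_RATE_PER_GB = 5.00


@dataclass(frozen=True)
class CommitmentTier:
    gb_per_day: int      # committed daily volume
    daily_price: float   # fixed charge billed every day, used or not (constructed)

    @property
    def effective_rate(self) -> float:
        """Per-GB rate implied by the tier; overage is billed at this rate."""
        return self.daily_price / self.gb_per_day


def daily_line_items(tier: CommitmentTier, billable_gb: float) -> tuple[float, float]:
    """Return (commitment tier charge, overage charge) for one day."""
    overage_gb = max(0.0, billable_gb - tier.gb_per_day)
    return tier.daily_price, overage_gb * tier.effective_rate


def period_cost(tier: Optional[CommitmentTier], daily_gb: Sequence[float]) -> float:
    """Total cost over a period; tier=None means Pay-As-You-Go."""
    if tier is None:
        return sum(daily_gb) * PAYG_RATE_PER_GB
    return sum(sum(daily_line_items(tier, gb)) for gb in daily_gb)


def break_even_gb(tier: CommitmentTier) -> float:
    """Daily volume above which the tier is cheaper than Pay-As-You-Go."""
    return tier.daily_price / PAYG_RATE_PER_GB


def cheapest_plan(daily_gb, tiers):
    """Return (label, cost) of the cheapest option for the observed ingestion."""
    options = {"Pay-As-You-Go": period_cost(None, daily_gb)}
    for t in tiers:
        options[f"{t.gb_per_day} GB/day tier"] = period_cost(t, daily_gb)
    label = min(options, key=options.get)
    return label, options[label]


# Constructed sample: one week of billable analytics-log ingestion in GB/day.
WEEK_GB = [70, 90, 130, 110, 100, 160, 80]
TIER_100 = CommitmentTier(100, 400.0)   # constructed price
TIER_200 = CommitmentTier(200, 700.0)   # constructed price

if __name__ == "__main__":
    print(daily_line_items(TIER_100, 130))   # the two line items for a 130 GB day
    print(cheapest_plan(WEEK_GB, [TIER_100, TIER_200]))
```

Days below the commitment still pay the full tier charge, so the comparison only means something when run over a representative period of real daily ingestion figures.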

The following tabs show how Microsoft Sentinel costs appear in the Service name and Meter columns of your Azure bill depending on your simplified pricing tier.

  • Commitment tiers
  • Pay-As-You-Go
  • Free data meters

If you're billed at the simplified commitment tier rate, this table shows how Microsoft Sentinel costs appear in the Service name and Meter columns of your Azure bill.

| Cost description | Service name | Meter |
|---|---|---|
| Microsoft Sentinel Commitment Tier | Sentinel | n GB Commitment Tier |
| Microsoft Sentinel Commitment Tier overage | Sentinel | Analysis |

Learn how to view and download your Azure bill.

Costs and pricing for other services

Microsoft Sentinel integrates with many other Azure services, including Azure Logic Apps, Azure Notebooks, and bring your own machine learning (BYOML) models. Some of these services might have extra charges. Some of Microsoft Sentinel's data connectors and solutions use Azure Functions for data ingestion, which also has a separate associated cost.

Learn about pricing for these services:

  • Automation-Logic Apps pricing
  • Notebooks pricing
  • BYOML pricing
  • Azure Functions pricing

Any other services you use could have associated costs.

Data retention and archived logs costs

After you enable Microsoft Sentinel on a Log Analytics workspace, consider these configuration options:

  • Retain all data ingested into the workspace at no charge for the first 90 days. Retention beyond 90 days is charged per the standard Log Analytics retention prices.
  • Specify different retention settings for individual data types. Learn about retention by data type.
  • Enable long-term retention for your data and have access to historical logs by enabling archived logs. Data archive is a low-cost retention layer for archival storage. It's charged based on the volume of data stored and scanned. Learn how to configure data retention and archive policies in Azure Monitor Logs. Archived logs are in public preview.

The 90-day retention doesn't apply to basic logs. If you want to extend data retention for basic logs beyond eight days, store that data in archived logs for up to seven years.

Other CEF ingestion costs

CEF is a supported Syslog events format in Microsoft Sentinel. Use CEF to bring in valuable security information from various sources to your Microsoft Sentinel workspace. CEF logs land in the CommonSecurityLog table in Microsoft Sentinel, which includes all the standard up-to-date CEF fields.

Many devices and data sources support logging fields beyond the standard CEF schema. These extra fields land in the AdditionalExtensions table. These fields could have higher ingestion volumes than the standard CEF fields, because the event content within these fields can be variable.

Costs that might accrue after resource deletion

Removing Microsoft Sentinel doesn't remove the Log Analytics workspace Microsoft Sentinel was deployed on, or any separate charges that workspace might be incurring.

Free data sources

The following data sources are free with Microsoft Sentinel:

  • Azure Activity Logs.
  • Office 365 Audit Logs, including all SharePoint activity, Exchange admin activity, and Teams.
  • Security alerts, including alerts from Microsoft Defender XDR, Microsoft Defender for Cloud, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint.
  • Microsoft Defender for Cloud and Microsoft Defender for Cloud Apps alerts.

Although alerts are free, the raw logs for some Microsoft Defender XDR, Defender for Cloud Apps, Microsoft Entra ID, and Azure Information Protection (AIP) data types are paid.

The following table lists the data sources in Microsoft Sentinel that aren't charged. This is the same list as Log Analytics. For more information, see excluded tables.

| Microsoft Sentinel data connector | Free data type |
|---|---|
| Azure Activity Logs | AzureActivity |
| Microsoft Entra ID Protection | SecurityAlert (IPC) |
| Office 365 | OfficeActivity (SharePoint), OfficeActivity (Exchange), OfficeActivity (Teams) |
| Microsoft Defender for Cloud | SecurityAlert (Defender for Cloud) |
| Microsoft Defender for IoT | SecurityAlert (Defender for IoT) |
| Microsoft Defender XDR | SecurityIncident, SecurityAlert |
| Microsoft Defender for Endpoint | SecurityAlert (MDATP) |
| Microsoft Defender for Identity | SecurityAlert (AATP) |
| Microsoft Defender for Cloud Apps | SecurityAlert (Defender for Cloud Apps) |

For data connectors that include both free and paid data types, select which data types you want to enable.

Learn more about how to connect data sources, including free and paid data sources.

Learn more

  • Monitor costs for Microsoft Sentinel
  • Reduce costs for Microsoft Sentinel
  • Learn how to optimize your cloud investment with Microsoft Cost Management.
  • Learn more about managing costs with cost analysis.
  • Learn about how to prevent unexpected costs.
  • Take the Cost Management guided learning course.
  • For more tips on reducing Log Analytics data volume, see Azure Monitor best practices - Cost management.

Next steps

In this article, you learned how to plan costs and understand the billing for Microsoft Sentinel.

Deploy Microsoft Sentinel

I'm an expert in Microsoft Sentinel, and my knowledge is grounded in hands-on experience and a deep understanding of the platform's pricing and billing models. I've successfully deployed Microsoft Sentinel in various scenarios and optimized costs for organizations of different sizes.

In the provided article dated 12/07/2023, the focus is on planning the deployment of Microsoft Sentinel, particularly understanding its pricing and billing structures. Let's break down the key concepts discussed in the article:

  1. Azure Monitor Log Analytics Workspace:

    • Microsoft Sentinel's security analytics data is stored in an Azure Monitor Log Analytics workspace.
  2. Billing Models:

    • Billing for Microsoft Sentinel is based on the volume of data analyzed and stored in the Log Analytics workspace.
    • Costs are combined in simplified pricing tiers.
  3. Free Trial:

    • A free trial for Microsoft Sentinel is available on an Azure Monitor Log Analytics workspace, offering the first 10 GB/day free for 31 days.
    • Costs for Log Analytics data ingestion and Microsoft Sentinel analysis are waived up to the 10 GB/day limit during the trial.
  4. Identifying Data Sources:

    • Users are encouraged to identify data sources for ingestion into Microsoft Sentinel, considering that some sources are free, while others may incur charges.
  5. Pricing Calculator:

    • The Azure pricing calculator is recommended for estimating costs before adding resources to Microsoft Sentinel.
    • Users can input expected data ingestion and retention parameters to get an estimate across various components.
  6. Billing Model Details:

    • Microsoft Sentinel offers flexible pricing based on the types of logs ingested.
    • Two ways to pay for analytics logs: Pay-As-You-Go and Commitment Tiers.
    • Commitment Tiers start at 100 GB/day, with billing for the committed volume plus any extra at the discounted rate.
  7. Basic Logs:

    • Basic logs have reduced pricing and are charged at a flat rate per GB.
    • Suited for playbook automation, ad-hoc querying, investigations, and search.
  8. Simplified Pricing Tiers:

    • Combines data analysis costs for Microsoft Sentinel and ingestion storage costs of Log Analytics into a single pricing tier.
    • Simplifies billing and cost management.
  9. Viewing and Understanding Bills:

    • Billable meters are individual components shown in Microsoft Cost Management.
    • Charges for each meter are summed, with separate line items for Microsoft Sentinel and Log Analytics.
  10. Data Retention and Archived Logs:

    • Data retention beyond 90 days is charged.
    • Archived logs for long-term retention are available, charged based on stored and scanned volume.
  11. Other Costs:

    • Costs associated with additional services like Azure Logic Apps, Azure Notebooks, bring your own machine learning (BYOML), and Azure Functions are mentioned.
  12. Free Data Sources:

    • Some data sources are free with Microsoft Sentinel, including Azure Activity Logs, Office 365 Audit Logs, and Security alerts.
  13. Learning Resources:

    • The article emphasizes the availability of learning resources during the free trial period and provides links for further information.

This breakdown covers the major concepts discussed in the article, providing a comprehensive overview of planning costs and understanding billing for Microsoft Sentinel.

Author: Terence Hammes MD
