We only have one LA workspace on Sentinel, and I can see the history of daily ingest - I can see the kusto query to gather this detail includes isBillable=True so safe to say my xxx GB each day ingested is correct for billing.
I've then taken the cost each day for the Sentinel service (PAYG Analytics meter) so I know what we've been charged. And I've taken the prices from Microsoft's Sentinel pricing page.
And they don't add up, PAYG should be $5.38 per GB, and "Prices shown below reflect the total cost for the data analyzed by Microsoft Sentinel, including data ingestion charges for Azure Monitor Log Analytics for the specific tier".
Using the quantity that I know was ingested, it's coming out to around $4.14 per GB. I feel like if it was possible to view the 'Unit Price' and 'Unit Quantity' details in the cost analysis, I could at least see how many GB we've been charged for, but I can't find any way to get this detail?
Just wondering if anyone has done a deep dive on this before and could suggest why they aren't lining up?
Thanks in advance
I'm a Microsoft Sentinel pricing expert. Ask me anything.
I'm confused by the pricing for Sentinel and wonder if anyone can shed some light.
So, we currently have Log Analytic Workspaces and pay an ingestion charge at £2.147 per GB (UK South).
When we enable Sentinel it has an ingestion charge of £1.87 per GB
Does the Sentinel charge get added to all data that we currently ingest into the Log Analytics Workspace? i.e. £2.147 + £1.87 = £4.017 per GB
u/boojew nailed it, but wanted to add that the Azure Pricing Calculator will account for both the LA and Sentinel costs of you use it, and recommend reservation tiers. Sometimes those tiers differ between the LA and Sentinel products, meaning you might reserver 200GB/day on LA and only 100GB/day on Sentinel, depending on the exact ingestion. You can subtract the log sources mentioned, plus if you use Azure Security Center (now Azure Defender) and enroll servers, you get 500MB/day per server in credit for the LA ingestion; don't forget to subtract that, too, if you use it.
Certain data sources do not have the double ingestion rate
Is there a way I can guess what payment tier of Sentinel I should shoot for since cost is measured by GB analyzed? Even the 100 GB per day tier works out to $123,925 per year and that would rule out using it at all unless the pay-as-you-go option is radically more affordable for a relatively small org.
Can anyone shed some light on what your monthly cost has been? I'm evaluating going from a our MSSP that simply looks at our DCs and Firewalls to something like Exabeam or Sentinel. Exabeam for us appears to be in the 40k range a year. Sentinel, I can't really even estimate because I have to be able to judge how much data I would be ingesting -- where would I even begin with that calculation?
Anyone care to say what their bill is for their size of a company? Might be able to quantify my end from it.
Many thanks.
I'm evaluating going from a our MSSP that simply looks at our DCs and Firewalls
Lol what?
where would I even begin with that calculation?
You have to begin with your systems. If you are currently ingesting logs anywhere, can you determine how much you have brought in on a daily basis? Even if you just a have a massive folder with 1 week of data, divide that out and you can estimate.
It is hard to start from scratch.
Hi - has anyone tried Sentinel at home just to play around with it and use it a bit? Most of my log sources would just be o365 and some Defefender installs and I’d probably try some other devices which aren’t going to be ‘free’ (plus log analytics workspace costs).
Just curious if anyone has used it at home for testing and how much it ended up costing?
I'm trying to understand the pricing for Azure Sentinel through Azure's pricing program. (https://azure.microsoft.com/en-us/pricing/calculator/)
I'm having a hard time understanding how pricing works for daily ingested logs.
So the calculation uses daily capacity reservation for both Log Analytics and Sentinel.
For example, if I'm selecting US Central, if the ingested daily logs are 100GB, how can the pricing be $10275.6?
Its $2.46/GB for Sentinel, and $2.76/GB for Log Analytics. I just can't get my head around the logic.
Can someone help?
Hi,
we are trying to find a SIEM. As an all Azure shop Sentinel would be the obvious solution. But of course there is never budget. :)
So I'm at a total loss. I don't know anything about Sentinel. Just read the costs are primarily dependent on amount of logs ingested & retention - and then on 10000 other things. So nobody can tell us how much it will be for 500 users with defender for endpoint p2, 6 remote site firewalls etc. - I totally understand.
But is there some resource out there that describes real world scenarios and their costs or is anybody willing to share roughly what they are doing and what that estimates to? Just to get a vage feeling for it. Would help tremendously.
Much appreciated. :)
Hey all,
I'm hoping to get some assistance with figuring out how to correctly figure out this pricing. We're only looking to, at this time, ingest Office 365 and Azure logs, which seem to mostly be included under the free ingestion FAQ, although I do see that they've clarified that Azure AD Audit Logs are not free any longer. I also know I need to pay to ingest the log(s) into Log Analytics first, but I'm just lost at how to properly calculate this out. Any pointers would be greatly appreciated. I have an open request for the same from my VAR, but they're taking quite a long time to get back to me about it. The logs we'd like to ingest would be
-
Defender for Endpoint logs
-
Defender for Office 365 logs
-
Intune logs
-
Microsoft 365 Audit Logs
-
Azure AD Activity Logs
-
Cloud App Security Logs
-
Azure Information Protection Logs
Sorry if this is a stupid question, but I'm not finding any answers that directly answer my questions about Sentinel cost for our beginner usage. After somewhat struggling with alerting in 365/Entra, I'm finding that Microsoft is moving a lot of alerting into Sentinel, presumably to add yet another source of incoming payment. As for the scope of our proposed Sentinel usage, strictly within Entra/365/Teams for now. I see where Microsoft says that Sentinel for Entra is free (assuming Teams and other normal internal stuff with separate licensing), though I imagine only for the normal retention period. If we limit our usage to just internal Entra/365 products for ingestion and stick to default retention, is that Sentinel usage really free? Makes sense if free - just shifting to a better tool for alerting instead of improving the built-in alerting, I guess, since the built-in is lacking...
I'm kind of new to Azure, using for self study/projects. I typically pay under $2 a day in Azure for storage and other really small things. However, on one particular day, my charges jumped up to more than $26 (+$16 for sentinel, +$8 for log analytics workspace, and a few bucks for the storage charges I typically pay per day).
I wasn't even using Azure within the week which the boosted charges were incurred, and my VMs were all deallocated. Just not sure how the billing here adds up.
I'm thinking that Azure charges for some resources daily, and other resources (like sentinel and log analytics) on a different time increment. Or, this is an error.
I only have a basic support plan so I can't open a ticket in Azure...if anyone can point me to an answer here I would appreciate it a lot.
We just migrated to GCC High, so RocketCyber, our current SIEM, doesn't work with it natively (and to be frank, I was never crazy about it). We had to set up a logic app, a VM, and slew of support apparatus in Azure to get it to ingest logs. It's getting quite expensive, so I'm looking at Sentinel as an alternative. I'm very confused about the pricing, with some sites saying it would practically be free, in my use case; others saying it could be hundreds or thousands of dollars a month.
We are 100% cloud-based and we only operate in Microsoft 365, so there are no third-party log sources. We have fewer than 25 full time employees, all of whom are running Windows 11 23H2 or 24H2 and have E3 licenses with Defender Plan 2. They work a standard 8 hour day, 5 day week. IdP is Entra, and all devices are enrolled in Intune. We already run Defender for Endpoint and EDR on devices.
With this scenario, given that I would only need to ingest O365, Entra, and Intune logs, with 6 months to 1 year of retention, what kind of pricing am I looking at?
Can someone help me with the costs of Azure sentinel.
I understand that there is a cost for the amount data sent to it. Except certain M365 products which are free.
Is there any other cost? Like storage maybe?
Just make sure to set a daily data ingestion limit is all I can say. Assigned an admin to start integrating this and he didn’t tune the filter for security logs being sent and we had like 2k in charges in just a few days.
https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/
Taken directly from the pricing page...
Data Retention
Once Azure Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for the first 90 days. Retention beyond 90 days will be charged per the standard Azure Monitor Log Analytics retention prices.
Azure Monitor Log Analytics
Azure Sentinel is built on the proven foundation of Azure Monitor Log Analytics platform and enables an extensive query language to analyze, interact with, and derive insights from huge volumes of operational data in seconds. Azure Sentinel is billed based on the volume of data ingested for analysis in Azure Sentinel and stored in Azure Monitor Log Analytics workspace. Please refer to the Azure Monitor Log Analytics pricing for the related data ingestion charges.
Automation and Bring your own Machine Learning
Azure Sentinel integrates with many other Azure services providing enhanced capabilities for Security Information and Event Management (SIEM) and Security Orchestration and Automation and Response (SOAR). Some of these services may have additional charges:
-
You can use Azure Logic Apps to automate your security responses. Please refer to Azure Logic Apps pricing page for related costs.
-
You can bring in your own machine learning models for customized analysis. Please refer to Azure Machine Learning Studio and Azure Databricks pricing to understand the related costs.
I see people post about Splunk being too expensive to be an option for them.
If Splunk costs too much, could Azure Sentinel be a more economical option or are they similarly priced?
Is Azure Sentinel included in any Azure or Office 365 plans you may already be paying for?
I combined the pricing charts from several different Azure Pricing guides to show the minimum costs for Azure Sentinel in various US datacenters. My consulting firm is also giving away free 30-day PoCs of Azure Sentinel for up to 5 servers if you're interested in having someone else set it up for you. (PoC request is linked from the blog.)
I guess in many cases the data ingested in Log Analytics and Sentinel will be 1:1, Azure AD being the best example. Or does Sentinel do any filtering in between?
Can you clarify that it's a combined pricing? I.E. for 1GB of Sentinel data in US East the price would be $4.30? ($2 for Sentinel and $2.30 for Log Analytics)
Azure Sentinel Benefits described here
In our education org, we've got ~700 A5 Security licensed faculty and about 900-1000 daily (weekdays) used windows devices including servers.
The benefit would give us about 3.5 GB daily allowance, but the actual data pulled into our log analytics workspace was 7 GB-10 GB.
Conservatively assuming 3.5 GB per weekday overage gives us at least 70GB+ per month for both Sentinel and Log Analytics Workspace ingestion which gives us at least 450 per month CAD on top of our normal bill.
Compound this with the fact that this is not reflected in cost management, but is reflected on the end of the month bill makes this difficult to monitor and account for.
If you're setting up Azure Sentinel for the first time, you do get some free data intake per day for a trial period, I believe. Keep all this in mind if you're looking at setting up integration between Defender 365 and Sentinel.
Hi,
Started with the Sentinel 31 days trial 2,3 days ago. Had a quick look at the Microsoft Sentinel Cost workbook, as it looked promising. As noted in the description “it provides insight about possible impact of the Microsoft 365 E5 offer”.
According to https://azure.microsoft.com/en-us/pricing/offers/sentinel-microsoft-365-offer/ the E5 entitles for a 5 MB per user per day grant including Microsoft 365/XDR (or whatever it may be called now, tomorrow lol) advanced hunting data:
Now here’s the problem. Providing the value of the E5 licesens has absolutely no impact on the output … xd
No E5 added
E5 added
And, yes, I’m ingesting the advanced hunting tables as shown below:
Anyone ? Additionally, are you Guys aware of any other method to calculate or include the grant into the overall calculation?
Thanks !
Is there something that can be done to reduce the volumes of logs (such as removing noise, filtering, etc) before being ingested into Azure Sentinel thus reducing the costs? Is there the possibility to pass everything through a tool such as fluentd to do the filtering before forwarding them into Azure Sentinel or is this not practical?
Anyone here knows if I should include Azure Log Analytics in my pricing when I compute for Azure Sentinel on the Azure Pricing Calculator?
Or am I totally asking the wrong question?
PS. new to Azure Sentinel
Microsoft finally released Azure Sentinel to GA this week! As always, their pricing page is a bit confusing. So I put together this pricing guide for Azure Sentinel and Log Analytics to help explain the minimum costs for the service.
The great news is that ingesting the security logs from the Microsoft 365 E5 suite is included for free!