
Microsoft Sentinel Sizing and Pricing – Optimize Costs and Enhance Security


When you first learn about Microsoft Sentinel, sizing, pricing, and planning can seem complex. This article discusses and demonstrates what drives Microsoft Sentinel’s costs, the different pricing models, archive and long-term retention options, and how to estimate and measure spending over time, so that you can plan and run your deployment with confidence.

Microsoft Sentinel Sizing and Pricing

Understanding sizing and pricing is crucial when planning your Microsoft Sentinel deployment. The following sections will explore the factors influencing Sentinel’s costs, the various pricing models available, and data retention and storage options. We’ll cover how to effectively estimate and manage spending over time, ensuring you can leverage Sentinel’s capabilities without incurring unexpected expenses.

By the end of this article, you will be equipped to start optimizing your deployment strategy and making informed decisions based on our deployment experience with many customers since Microsoft Sentinel was launched in 2019. Thus, you can balance cost and performance, enhancing your security operations efficiently.

Let’s dive in!

Data Ingestion and Storage Costs

Data ingestion and storage costs in Microsoft Sentinel depend on the volume and type of data being handled. The size of data and the duration for which it’s stored directly influence the expenses, with each gigabyte adding up.

Pay-as-you-go ingestion costs about $4.30 per GB in the East US region. Commitment tiers offer a more favorable option: committing to a certain daily intake lowers the per-GB cost. For example, committing to 100 GB per day reduces the cost to around $2.96 per GB. Basic Logs are usually high in volume but carry less valuable threat detection data; if managed efficiently, they can save costs. Analytics Logs, which hold the high-value data used to identify threats, are pricier.

The storage of ingested data also varies. The initial 90 days (3 months) within Log Analytics don’t incur extra charges. However, long-term storage beyond this incurs additional costs based on the chosen retention strategy, whether keeping it in Log Analytics, moving to a Log Analytics Archive tier, or utilizing Azure Data Explorer (ADX) and Azure Data Lake Storage (ADLS). For archival storage, expect around $0.02 per GB per month.

The location of data storage significantly impacts cost. Azure regions have differential pricing, meaning that where you store and manage your cloud data can lead to varying expenses. Some regions are more budget-friendly than others, like Central India, North Central US, West US 2/3, and East US. However, new features will roll out first in East US, Sweden Central, and France Central. Moving data between different Azure regions or from other clouds like AWS or GCP also incurs egress and ingress costs (bandwidth pricing).

Different billing models are available. The pay-as-you-go model is straightforward but often more costly monthly. Capacity tiers or dedicated clusters might be beneficial for high-volume environments. Committing to a higher volume tier in Azure’s capacity tiers significantly reduces the per-GB rate. The simplified pricing tier includes the total cost for Azure Monitor Log Analytics data ingestion and Microsoft Sentinel analysis of all analytics logs in the workspace.

Microsoft Sentinel offers various programs to trim down costs:

  • The free trial provides up to 10 GB per day at no cost for the first 31 days.
  • Certain licensing plans (E5, A5, F5, G5) include 5 MB of free data ingestion per user each day.
  • Defender for Servers Plan 2, part of Microsoft Defender for Cloud, provides free 500 MB per server per day.
  • Some special log types, like Azure activity logs and Office 365 audit logs, have zero ingestion fees.

Enabled features in Sentinel also matter. Python Notebooks use Machine Learning (ML) workspaces, leading to additional charges. User and Entity Behavior Analytics (UEBA) increases storage usage. Running Azure Logic Apps adds to the costs, and retaining data for more than 90 days in the Log Analytics workspace is billable.

Log Analytics workspace | Usage and estimated costs

If you have a very large environment in which you ingest a lot of Sentinel data and perhaps also use Log Analytics workspaces for Azure Monitor, keep the different use cases in mind. Sentinel is mainly used to track and alert on security-focused data: event logs, audit logs, and so on. You can also use Log Analytics workspaces for Azure Monitor, which has a slightly different use case.

We have seen customers use the same Log Analytics workspace for both security and monitoring, watch the costs explode, and then put a daily cap at the workspace level to control them. When you turn the daily cap on, data ingestion stops once the workspace reaches the configured limit (10 GB per day in this example). This is probably NOT something you want to cap, because, from a security perspective, you don’t want to stop receiving security data, right?

Log Analytics workspace | Daily cap

Azure Monitor is an operational tool mostly used to track the performance of a server, an application, a Kubernetes cluster, or whatever. Is it being overused? Is it being underused? Are there alerts when an application fails? Are there alerts when an application is extremely high in usage? Those aren’t necessarily security events, so they would logically fall into the Azure Monitor category and NOT in the Log Analytics workspace(s) used by Sentinel.

If you collect a high volume of logs, such as network firewall logs, and identify that only a portion of them is needed for detection while the remainder must still be kept for compliance and forensics, you can use ingestion-time data transformation to route the logs not used for detection to a new custom table and set that table’s ingestion plan to Basic Logs, which is the most cost-effective approach. Log trimming reduces storage and data ingestion costs by eliminating unnecessary data, optimizing resource utilization, and driving cost savings.

Data transformation in Microsoft Sentinel

// Learn more: Optimize Log Ingestion and Access in Microsoft Sentinel.

Leveraging these details and tools, such as the Azure online and Excel pricing calculators, can help gauge deployment costs effectively. Adjusting the region of deployment and choosing suitable pricing models will optimize costs. Understanding these cost drivers and programs can significantly impact the overall expense, particularly when managing large datasets across various regions.

Billing Models and Cost Optimization

Several billing models are available for Microsoft Sentinel, each with its own cost benefits and suitability depending on data volume and usage patterns.

As mentioned, the pay-as-you-go model is straightforward but generally the most expensive on a per-GB basis. You pay for the data volume ingested and stored without prior commitment, which offers flexibility at a higher cost. Ingestion costs $4.30 per gigabyte in the East US region; however, this model is advantageous for businesses with unpredictable data ingestion volumes where flexibility is crucial.

Capacity or Commitment tiers offer substantial savings compared to the pay-as-you-go model. In this setup, you commit to a specific daily ingestion volume, which significantly reduces the per-GB cost. For instance, committing to ingesting 100 GB per day drops the rate to approximately $2.96 per gigabyte. This model is well-suited for organizations with a predictable and relatively high data ingestion rate, making it easier to manage the budget while reaping the benefits of reduced costs for higher volumes.

Dedicated clusters are another option for high-volume environments where data ingestion surpasses 500 GB daily. This model allows for precise cost management with pricing based on the effective per-GB price of the configured tier meter. It can handle significant volumes, making it ideal for large-scale enterprises or heavily data-driven operations.

Enabling various features in Sentinel also influences costs. For instance, Python notebooks, used for advanced analytics and machine learning, require a machine learning workspace backend, which incurs additional costs. Similarly, User and Entity Behavior Analytics (UEBA) significantly increases storage usage, because the processed data is stored in three additional tables (BehaviorAnalytics, IdentityInfo, and UserPeerAnalytics) for behavioral analysis. Azure Logic Apps, which automate workflows and alert actions, also add to the cost.

// Related: Augment Microsoft Sentinel Incident Investigation with Microsoft Copilot for Security.

Watchlists in Sentinel also cost money. Unlike a regular table, a watchlist generates additional logs over time and during specific activities. When you upload a watchlist, its content is ingested into the Watchlist table in Sentinel, which incurs a cost. Subsequently, the watchlist data is regularly pushed to Sentinel again so that it remains available to analytics rules. This refresh occurs once every 12 days.

Watchlist cost in Microsoft Sentinel

Because data is pushed into the Watchlist table every 12 days, this generates a recurring fee even if the data is not modified. Changing or deleting a watchlist entry creates a new event for that entry in the Watchlist table, so each entry incurs at least two fees: one for creation and one for deletion. If the watchlist is kept for more than 12 days, the refresh incurs a fee, and a fee is charged to re-ingest an entry every time it is updated. So, before creating a watchlist, be aware of the official limitations documented by Microsoft.

// Learn more: Step-by-Step Guide – Backup and Restore Microsoft Sentinel Watchlists.

Sentinel offers programs and methods to help lower its operational costs. A free trial allows you to ingest up to 10 GB of data per day at no cost for the first 31 days. This period provides the chance to fully test and evaluate Sentinel without incurring initial expenses. Beyond the trial, Sentinel offers notable cost-saving features based on your license type:

  • Licensing plans such as E5, A5, F5, and G5 allow ingestion of 5 megabytes per user per day at no cost.
  • Defender for Servers Plan 2 provides 500 megabytes of free data ingestion per server per day, specifically for security data. In this scenario, you must use the same Log Analytics workspace for Microsoft Defender for Cloud and Microsoft Sentinel.

Certain data sources incur no ingestion fees. The always-free data sources include:

  • Azure Activity Logs
  • Office 365 Audit Logs
  • Security alerts from various Microsoft Defender services
  • Alerts from Microsoft Defender for Cloud and Microsoft Defender for Cloud Apps

Leveraging these programs and understanding how different billing models and features influence your overall costs are essential for optimizing expenses. Using tools such as the Azure online pricing calculator and the Excel pricing calculator can help you understand and project your costs more precisely. By carefully selecting the most appropriate billing model and leveraging available cost-saving features, you can manage a more efficient and budget-friendly Sentinel deployment.

Long-term Data Retention Options

Beyond initial data retention periods, Microsoft Sentinel offers several options for long-term data retention:

1) Log Analytics Workspace: After the initial 90-day free retention period, data stored in Log Analytics incurs a cost billed per gigabyte. This enables continuous access to historical data for running queries and generating reports. It’s the most straightforward option but can lead to higher expenses over time without efficient data management practices. Maximum retention is 2 years.

2) Log Analytics Archive: Moving data to the Log Analytics Archive tier is a cost-effective solution for long-term storage, at a very low cost of approximately $0.02 per gigabyte per month. This option is ideal for data you still need to access but don’t query frequently. The trade-off is slower access compared to the Log Analytics workspace. Maximum retention is 12 years.

3) Azure Data Explorer (ADX): ADX offers an alternative for long-term and large-scale analytical queries. It provides optimized performance for analyzing large datasets, making it suitable for data-intensive operations that need fast, ad-hoc analytical querying, even for older data. While it’s more performance-centric, the associated costs for Azure Data Explorer can vary based on factors such as query execution and data retention duration. Maximum retention is 100 years.

// Learn more: Optimize Microsoft Sentinel Log Retention with Azure Data Explorer.

4) Azure Data Lake Storage (ADLS): ADLS offers a long-term alternative with low-cost ingestion and storage for high-volume, low-fidelity data sets. ADLS allows you to optimize costs by keeping low-value data at a lower cost. To use Data Lake Storage Gen2 capabilities, you create a storage account with a hierarchical namespace enabled. Maximum retention is 400 years.

Microsoft Sentinel Long-term Data Retention Options

When restoring archived data back into Log Analytics for querying, there are processes and costs to consider. Data can be restored by moving it from the Log Analytics Archive back into the Log Analytics Workspace. This restored data is then subject to the regular ingestion and storage costs of Log Analytics. This added expense covers both the process of restoring and the subsequent storage, so it’s crucial to evaluate the necessity and frequency of accessing this archived data.

// Learn more: Basic Logs, Archive tier, Search jobs, and Data restoration.

The usability and performance of these options should also be a strategic consideration. While direct storage in Log Analytics provides seamless querying capabilities and is highly responsive, the Log Analytics Archive offers a significant cost reduction at the expense of data retrieval performance. On the other hand, Azure Data Explorer (ADX) balances cost and performance, providing quick access for heavy analytical workloads but requiring a detailed understanding of its cost structure to ensure optimized usage.

The choice between Log Analytics Workspace, Log Analytics Archive, Azure Data Explorer, and Azure Data Lake Storage hinges on your specific needs for accessibility, performance, and cost efficiency. Careful planning of data storage and retrieval practices will help maintain a cost-effective and efficient monitoring environment with Microsoft Sentinel.

Tools for Cost Calculation

Using tools to accurately calculate the deployment costs of Microsoft Sentinel is crucial for optimizing the budget and ensuring a clear financial roadmap. Microsoft provides two main tools to aid in this process: the online pricing calculator and the Excel pricing calculator, both of which offer comprehensive insights into projected costs considering various factors such as region, billing models, and data volume.

The online pricing calculator is a versatile tool designed to handle multi-region deployment scenarios. By inputting your specific requirements, you can easily navigate through the different pricing models and see how they impact your overall costs. For example, the calculator allows you to select your data region, which is a significant factor since different Azure regions have varying pricing structures. This tool also lets you simulate different data ingestion volumes and retention periods, helping to visualize the cost implications of pay-as-you-go versus commitment tiers. The online pricing calculator’s real-time updates ensure you get the most current pricing, although it may not reflect specific discounts or enterprise agreements, making it essential to supplement its estimates with other available data.

Microsoft Sentinel Online Pricing Calculator

The Excel pricing calculator is perfect for quick, offline estimates and detailed cost planning. This calculator provides a more straightforward interface for inputting data and can be customized to your needs. It allows you to model various scenarios by adjusting the volume of data ingested, the retention periods, and other critical parameters. With its robust formulae and customizable fields, the Excel pricing calculator simplifies the process of projecting costs over extended periods, making it easier to budget and compare different deployment strategies.

Microsoft Sentinel and Azure Monitor Cost Estimation Calculator

When utilizing these tools, it’s essential to understand the breadth of factors influencing costs. This includes not just the volume of ingested data but also the retention policies and the choice of storage solutions—whether you’re looking at Azure’s basic logs for less critical data, analytics logs for high-value threat detection, or long-term storage in Log Analytics Archive or Azure Data Explorer. Each choice impacts the overall cost structure. For instance, data stored in Log Analytics beyond the initial free retention period or data transferred between regions can lead to additional charges. You can better anticipate and plan for such expenses by modeling these scenarios using the tools provided.

Using the tools to compare different billing models, whether considering a standard pay-as-you-go model, a capacity tier, or a dedicated cluster, allows for more strategic financial decisions. As mentioned, committing to a higher ingestion rate under capacity tiers can significantly lower per-GB costs, which the tools can illustrate clearly.

By leveraging the online and Excel pricing calculators, you can identify potential cost-saving opportunities and optimize your usage strategy. These tools help you make informed financial choices in your Microsoft Sentinel deployment, ultimately leading to a more cost-effective and efficient operational setup.

Programs to Reduce Microsoft Sentinel Costs

One of the standout features of Microsoft Sentinel is the range of programs available to help mitigate costs. These programs are designed to make Sentinel more accessible and affordable, particularly for organizations seeking to enhance their security without escalating expenses.

The first stop for new users is the free trial. This program allows you to ingest up to 10 gigabytes per day without cost for the first 31 days. This provides an excellent opportunity to fully explore Sentinel’s capabilities and test various data sources and security operations without upfront financial commitments. By utilizing the free trial effectively, you can assess the potential value and identify any areas where Sentinel might need optimization before transitioning to a paid model.

Licensing plans like E5, A5, F5, and G5 come with tangible financial perks. Under these licensing frameworks, you receive an allocation of 5 megabytes per user per day free of charge. For organizations with numerous users, this can translate into significant savings. For example, a company with 1,000 users would benefit from 5 GB of free data ingestion daily. By strategically leveraging these plans, you can drastically reduce the overall cost associated with data ingestion.

Another noteworthy cost-saving measure is the Microsoft Defender for Servers Plan 2. This plan offers an additional 500 megabytes of free data ingestion per server per day, specifically for security data. Organizations with extensive server infrastructure can benefit enormously from this program. Suppose an enterprise runs 100 servers, each utilizing Microsoft Defender for Servers Plan 2; they would collectively gain 50 GB of free daily data ingestion, significantly lowering the costs of handling vast quantities of server data.

Microsoft provides a selection of always-free data sources, which are integral to many security operations. These free-tier sources include:

  • Azure Activity Logs
  • Office 365 Audit Logs
  • Alerts from various Microsoft Defender XDR services, including Microsoft Defender for Cloud and Microsoft Defender for Cloud Apps

Because Azure Activity Logs and Office 365 Audit Logs are free, everyone should connect them to monitor cloud activities and user interactions without incurring extra data ingestion costs. This zero-cost data can supplement paid data sources, enhancing the breadth of security monitoring without additional expenses.

Examples of Leveraging Cost-Reduction Programs

1) Combining Licensing Plans and Free Data Sources: Consider an organization using Office 365 and other Azure services. By effectively utilizing the free 5 MB per user per day under an E5 plan and the always-free Office 365 Audit Logs, they can achieve extensive coverage of user activities and alerting capabilities without significant costs.

2) Optimizing Server Monitoring: A business with a considerable server farm could implement Microsoft Defender for Servers Plan 2 across its infrastructure. If they have 200 servers, the 500 MB per server per day translates to 100 GB of free data ingestion daily dedicated to server security data. This setup enhances security monitoring and keeps the data ingestion costs manageable.

3) Free Trial Utilization for Initial Setup and Testing: Before committing to a paid plan, an organization can exploit the free trial to set up its Sentinel environment, ingest critical logs up to the 10 GB per day limit, and fine-tune its alerting rules and workflows. This trial phase curtails initial expenses, allowing a smoother transition into cost-effective operation post-trial.

By understanding and applying these programs, organizations can substantially mitigate the costs associated with Microsoft Sentinel. Careful planning, combined with the strategic use of available cost-reduction programs, results in an efficient, financially viable Sentinel deployment.
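The billing models and the worked scenarios above combine into one calculation: subtract the free allowances, then compare pay-as-you-go against the 100 GB commitment tier and add the archive bill. The following Python model is an added example, not code from this article or from Microsoft; it uses only the East US figures quoted here and labels its assumptions (commitment-tier billing behaviour, decimal MB-to-GB conversion matching the article’s “1,000 users = 5 GB” arithmetic, and archiving of the full ingested volume) in the comments.

```python
"""Added cost model built from the figures quoted in this article (example code,
not a Microsoft tool).  Assumptions, all labelled: the 100 GB commitment tier is
billed for the full committed volume and overage at the same effective rate;
MB -> GB uses 1000 to match the article's "1,000 users = 5 GB" arithmetic; the
whole ingested volume (free allowances included) is archived after day 90."""
from dataclasses import dataclass

PAYG_PER_GB = 4.30            # pay-as-you-go, Analytics logs, East US (article)
TIER_100_GB = 100             # committed daily volume (article)
TIER_100_PER_GB = 2.96        # effective rate at that commitment (article)
ARCHIVE_PER_GB_MONTH = 0.02   # archive tier (article)
FREE_RETENTION_DAYS = 90      # workspace retention that is not charged (article)
E5_FREE_MB_PER_USER = 5       # E5/A5/F5/G5 benefit (article)
P2_FREE_MB_PER_SERVER = 500   # Defender for Servers Plan 2 benefit (article)
TRIAL_FREE_GB_PER_DAY = 10    # first 31 days (article)
MB_PER_GB = 1000              # assumption: decimal, as in the article's examples


@dataclass
class Estate:
    analytics_gb_per_day: float      # data landing in Analytics-tier tables
    e5_users: int = 0
    defender_p2_servers: int = 0
    in_trial: bool = False


def free_gb_per_day(e: Estate) -> float:
    """Daily ingestion covered by the programs the article lists."""
    free_mb = e.e5_users * E5_FREE_MB_PER_USER + e.defender_p2_servers * P2_FREE_MB_PER_SERVER
    free_gb = free_mb / MB_PER_GB
    return free_gb + (TRIAL_FREE_GB_PER_DAY if e.in_trial else 0)


def billable_gb_per_day(e: Estate) -> float:
    return max(0.0, e.analytics_gb_per_day - free_gb_per_day(e))


def payg_cost_per_day(billable_gb: float) -> float:
    return billable_gb * PAYG_PER_GB


def tier_100_cost_per_day(billable_gb: float) -> float:
    # Assumption: under-use still pays for 100 GB; overage at the tier rate.
    return max(billable_gb, TIER_100_GB) * TIER_100_PER_GB


def tier_100_break_even_gb() -> float:
    """Billable GB/day above which committing to 100 GB beats pay-as-you-go,
    even though the workspace never reaches the committed volume."""
    return TIER_100_GB * TIER_100_PER_GB / PAYG_PER_GB


def cheapest_model(billable_gb: float) -> str:
    if tier_100_cost_per_day(billable_gb) < payg_cost_per_day(billable_gb):
        return "commitment-100"
    return "pay-as-you-go"


def archive_cost_per_month(total_gb_per_day: float, retention_days: int) -> float:
    """Steady-state archive bill once every day beyond the free 90 sits in the archive."""
    archived_days = max(0, retention_days - FREE_RETENTION_DAYS)
    return total_gb_per_day * archived_days * ARCHIVE_PER_GB_MONTH


if __name__ == "__main__":
    # Constructed scenario: 1,000 E5 users, 100 Defender for Servers P2 hosts,
    # 130 GB/day of Analytics-tier data, two-year retention.
    estate = Estate(analytics_gb_per_day=130, e5_users=1000, defender_p2_servers=100)
    billable = billable_gb_per_day(estate)
    print(f"free allowance    : {free_gb_per_day(estate):.1f} GB/day")
    print(f"billable          : {billable:.1f} GB/day")
    print(f"pay-as-you-go     : ${payg_cost_per_day(billable):,.2f}/day")
    print(f"100 GB commitment : ${tier_100_cost_per_day(billable):,.2f}/day")
    print(f"break-even        : {tier_100_break_even_gb():.1f} GB/day billable")
    print(f"cheapest model    : {cheapest_model(billable)}")
    print(f"archive (2 years) : ${archive_cost_per_month(130, 730):,.2f}/month")
```

The break-even figure is the useful surprise: at the quoted rates, the 100 GB tier is already cheaper once billable volume exceeds roughly 69 GB per day, well before the committed volume is reached.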

// Learn more: Top Best Practices for Deploying Microsoft Sentinel.

Cost Management Resources

Here are some important cost management resources that you can refer to in order to optimize Microsoft Sentinel costs:

Documentation

Playbooks

Workbooks

  • Workspace Usage Report: The Workspace Usage Report workbook offers detailed insights into your workspace’s data consumption, costs, and usage statistics. It shows data ingestion status and free versus billable data volumes, lets you monitor ingestion and costs, and supports custom views and rule-based alerts. Additionally, the workbook breaks down the data in your workspace by table, providing volumes per table and per entry to help you understand your ingestion patterns better.
Microsoft Sentinel | Workspace Usage Report
  • Microsoft Sentinel Cost (EUR): This workbook provides an estimated cost in EUR (€) across the main billed items in Microsoft Sentinel: ingestion, retention, and automation (SOAR). It also provides insight into the possible impact of the Microsoft 365 E5/A5/F5/G5 offer.
  • Microsoft Sentinel Cost (GBP): This workbook provides an estimated cost in GBP (£) across the main billed items in Microsoft Sentinel: ingestion, retention, and automation (SOAR). It also provides insight into the possible impact of the Microsoft 365 E5/A5/F5/G5 offer.
Microsoft Sentinel Cost (EUR) Workbook
  • Microsoft Sentinel Cost (Summary): This is part of the SOC Handbook solution containing 12 Workbooks. The SOC Handbook solution for Microsoft Sentinel provides a collection of resources that enable SOC Analysts to better visualize and understand the point-in-time security posture of organizational resources. It also provides insight into the possible impact of ingestion, retention, automation (SOAR), and the Microsoft 365 E5/A5/F5/G5 offer.
Microsoft Sentinel Cost Summary
  • Microsoft Sentinel Optimization: This workbook aims to empower security teams by providing invaluable insights into the Microsoft Sentinel environment and offering recommendations to enhance cost efficiency, operational effectiveness, overall management overview, and SOC optimization.
Microsoft Sentinel Optimization Workbook

In Summary

This article explored the intricacies of sizing, pricing, and planning for Microsoft Sentinel deployments. We discussed the key factors influencing costs, including data ingestion, storage options, and various billing models. We also examined long-term data retention strategies and highlighted tools for accurate cost calculation. Additionally, we covered programs and methods to optimize costs, such as leveraging free trials, specific licensing plans, and always-free data sources.

By understanding these components and utilizing available tools and programs, you can effectively manage and reduce expenses while maximizing the benefits of Microsoft Sentinel. This knowledge will help you balance cost and performance, ensuring a robust and cost-efficient security operations strategy.

Thank you for reading our blog.

Please let us know in the comments section below if you have any questions or feedback.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.
