Plan costs for Microsoft Sentinel
Microsoft Sentinel provides intelligent security analytics across your enterprise. The data for this analysis is stored in an Azure Monitor Log Analytics workspace. Microsoft Sentinel is billed based on the volume of data for analysis in Microsoft Sentinel and storage in the Azure Monitor Log Analytics workspace. For more information, see the Microsoft Sentinel Pricing Page.
Before you add any resources for the Microsoft Sentinel, use the Azure pricing calculator to help estimate your costs.
Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan costs and understand the billing for Microsoft Sentinel, you're billed for all Azure services and resources your Azure subscription uses, including Partner services.
Try Microsoft Sentinel free for the first 31 days. Microsoft Sentinel can be enabled at no extra cost on an Azure Monitor Log Analytics workspace, subject to the limits stated below:
New Log Analytics workspaces can ingest up to 10 GB/day of log data for the first 31-days at no cost. New workspaces include workspaces that are less than three days old.
Both Log Analytics data ingestion and Microsoft Sentinel charges are waived during the 31-day trial period. This free trial is subject to a 20 workspace limit per Azure tenant.
Existing Log Analytics workspaces can enable Microsoft Sentinel at no extra cost. Existing workspaces include any workspaces created more than three days ago.
Only the Microsoft Sentinel charges are waived during the 31-day trial period.
Usage beyond these limits will be charged per the pricing listed on the Microsoft Sentinel pricing page. Charges related to extra capabilities for automation and bring your own machine learning are still applicable during the free trial.
During your free trial, find resources for cost management, training, and more on the News & guides > Free trial tab in Microsoft Sentinel. This tab also displays details about the dates of your free trial, and how many days you have left until it expires.
Identify data sources
Identify the data sources you're ingesting or plan to ingest to your workspace in Microsoft Sentinel. Microsoft Sentinel allows you to bring in data from one or more data sources. Some of these data sources are free, and others incur charges. For more information, see Free data sources.
Estimate costs before using Microsoft Sentinel
If you're not yet using Microsoft Sentinel, you can use the Microsoft Sentinel pricing calculator to estimate potential costs. Enter Microsoft Sentinel in the Search box and select the resulting Microsoft Sentinel tile. The pricing calculator helps you estimate your likely costs based on your expected data ingestion and retention.
For example, you can enter the GB of daily data you expect to ingest in Microsoft Sentinel, and the region for your workspace. The calculator provides the aggregate monthly cost across these components:
- Azure Monitor data ingestion: Analytics logs and basic logs
- Microsoft Sentinel data analytics: Analytics logs and basic logs
- Data retention
- Data archive (archived logs)
- Basic logs queries
Understand the full billing model for Microsoft Sentinel
Microsoft Sentinel offers a flexible and predictable pricing model. For more information, see the Microsoft Sentinel pricing page. For the related Log Analytics charges, see Azure Monitor Log Analytics pricing.
Microsoft Sentinel runs on Azure infrastructure that accrues costs when you deploy new resources. It's important to understand that there could be other, extra infrastructure costs that might accrue.
How you're charged for Microsoft Sentinel
Microsoft Sentinel offers flexible pricing based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high security value logs. Basic logs tend to be verbose with low security value.
There are two ways to pay for the analytics logs: Pay-As-You-Go and Commitment Tiers.
Pay-As-You-Go is the default model, based on the actual data volume stored and optionally for data retention beyond 90 days. Data volume is measured in GB (10^9 bytes).
Log Analytics and Microsoft Sentinel also have Commitment Tier pricing, formerly called Capacity Reservations, which is more predictable and saves as much as 65% compared to Pay-As-You-Go pricing.
With Commitment Tier pricing, you can buy a commitment starting at 100 GB/day. Any usage above the commitment level is billed at the Commitment Tier rate you selected. For example, a Commitment Tier of 100 GB bills you for the committed 100 GB data volume, plus any extra GB/day at the discounted rate for that tier.
You can increase your commitment tier anytime, and decrease it every 31 days, to optimize costs as your data volume increases or decreases. To see your current Microsoft Sentinel pricing tier, select Settings in the Microsoft Sentinel left navigation, and then select the Pricing tab. Your current pricing tier is marked as Current tier.
To set and change your Commitment Tier, see Set or change pricing tier.
Basic logs (preview)
Basic logs have a reduced price and are charged at a flat rate per GB. They have the following limitations:
- Reduced querying capabilities
- Eight-day retention
- No support for scheduled alerts
Basic logs are best suited for use in playbook automation, ad-hoc querying, investigations, and search. For more information, see Configure Basic Logs in Azure Monitor.
Understand your Microsoft Sentinel bill
Billable meters are the individual components of your service that appear on your bill and are also shown in cost analysis under your service. At the end of your billing cycle, the charges for each meter are summed. Your bill or invoice shows a section for all Microsoft Sentinel costs. There's a separate line item for each meter.
To see your Azure bill, select Cost Analysis in the left navigation of Cost Management + Billing. On the Cost analysis screen, select the drop-down caret in the View field, and select Invoice details.
The costs shown in the following image are for example purposes only. They're not intended to reflect actual costs.
Microsoft Sentinel and Log Analytics charges appear on your Azure bill as separate line items based on your selected pricing plan. If you exceed your workspace's Commitment Tier usage in a given month, the Azure bill shows one line item for the Commitment Tier with its associated fixed cost, and a separate line item for the ingestion beyond the Commitment Tier, billed at your same Commitment Tier rate.
The following tabs show how Microsoft Sentinel and Log Analytics costs appear in the Service name and Meter columns of your Azure bill depending on your pricing tier.
If you're billed at the commitment tier rate, the following table shows how Microsoft Sentinel and Log Analytics costs appear in the Service name and Meter columns of your Azure bill.
|Cost description||Service name||Meter|
|Microsoft Sentinel Commitment Tier||
|Log Analytics Commitment Tier||
|Microsoft Sentinel overage over the Commitment Tier||
|Log Analytics overage over the Commitment Tier||
|Basic logs data ingestion||
||data ingestion - Basic Logs|
|Basic logs data analysis||
||Analysis - Basic Logs|
For more information on viewing and downloading your Azure bill, see Azure cost and billing information.
Costs for other services
Microsoft Sentinel integrates with many other Azure services to provide enhanced capabilities. These services include Azure Logic Apps, Azure Notebooks, and bring your own machine learning (BYOML) models. Some of these services may have extra charges. Some of Microsoft Sentinel's data connectors and solutions use Azure Functions for data ingestion, which also has a separate associated cost.
For pricing details for these services, see:
Any other services you use could have associated costs.
Data retention and archived logs costs
After you enable Microsoft Sentinel on a Log Analytics workspace, you can retain all data ingested into the workspace at no charge for the first 90 days. Retention beyond 90 days is charged per the standard Log Analytics retention prices.
You can specify different retention settings for individual data types. For more information, see Retention by data type. You can also enable long-term retention for your data and have access to historical logs by enabling archived logs. Data archive is a low-cost retention layer for archival storage. It's charged based on the volume of data stored and scanned. For more information, see Configure data retention and archive policies in Azure Monitor Logs. Archived logs are in public preview.
The 90 day retention doesn't apply to basic logs. If you want to extend data retention for basic logs beyond eight days, you can store that data in archived logs for up to seven years.
Other CEF ingestion costs
CEF is a supported Syslog events format in Microsoft Sentinel. You can use CEF to bring in valuable security information from various sources to your Microsoft Sentinel workspace. CEF logs land in the CommonSecurityLog table in Microsoft Sentinel, which includes all the standard up-to-date CEF fields.
Many devices and data sources allow for logging fields beyond the standard CEF schema. These extra fields land in the AdditionalExtensions table. These fields could have higher ingestion volumes than the standard CEF fields, because the event content within these fields can be variable.
Costs that might accrue after resource deletion
Removing Microsoft Sentinel doesn't remove the Log Analytics workspace Microsoft Sentinel was deployed on, or any separate charges that workspace might be incurring.
Free data sources
The following data sources are free with Microsoft Sentinel:
- Azure Activity Logs.
- Office 365 Audit Logs, including all SharePoint activity, Exchange admin activity, and Teams.
- Security alerts, including alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Endpoint.
- Microsoft Defender for Cloud and Microsoft Defender for Cloud Apps alerts.
Although alerts are free, the raw logs for some Microsoft 365 Defender, Defender for Cloud Apps, Azure Active Directory (Azure AD), and Azure Information Protection (AIP) data types are paid.
The following table lists the free data sources you can enable in Microsoft Sentinel. Some of the data connectors, such as Microsoft 365 Defender and Defender for Cloud Apps, include both free and paid data types.
|Microsoft Sentinel Data Connector||Data type||Free or paid|
|Azure Activity Logs||AzureActivity||Free|
|Azure AD Identity Protection||SecurityAlert (IPC)||Free|
|Office 365||OfficeActivity (SharePoint)||Free|
|Microsoft Defender for Cloud||SecurityAlert (Defender for Cloud)||Free|
|Microsoft Defender for IoT||SecurityAlert (Defender for IoT)||Free|
|Microsoft 365 Defender||SecurityIncident||Free|
|Microsoft Defender for Endpoint||SecurityAlert (MDATP)||Free|
|Microsoft Defender for Identity||SecurityAlert (AATP)||Free|
|Microsoft Defender for Cloud Apps||SecurityAlert (Defender for Cloud Apps)||Free|
For data connectors that include both free and paid data types, you can select which data types you want to enable.
For more information about free and paid data sources and connectors, see Connect data sources.
Data connectors listed as public preview don't generate cost. Data connectors generate cost only once becoming Generally Available (GA).
- Monitor costs for Microsoft Sentinel
- Reduce costs for Microsoft Sentinel
- Learn how to optimize your cloud investment with Azure Cost Management.
- Learn more about managing costs with cost analysis.
- Learn about how to prevent unexpected costs.
- Take the Cost Management guided learning course.
- For more tips on reducing Log Analytics data volume, see Azure Monitor best practices - Cost management.
Submit and view feedback for