Settings
The Settings page has three tabs at the top. They let you check your current ingestion pricing or commitment tier, change the general settings of the Sentinel solution, and open the Log Analytics workspace that Sentinel is attached to.
Sentinel pricing
By default, Sentinel is billed pay-as-you-go, meaning you pay per gigabyte of data ingested. You can read more about pricing I have written here, or look at actual prices provided by Microsoft here. You can also move to a commitment tier, where you pay a fixed daily rate that covers a set number of gigabytes and a flat per-GB rate for anything above that. At the prices used below, the 100 GB tier becomes cheaper than pay-as-you-go at roughly 69 GB a day (296 / 4.30), so that is about the point where commitment tiers start to save money.
The table below illustrates an environment ingesting 175 GB per day under each pricing model, using West US 2 prices as of February 11th, 2025. All amounts are per day.
Plan | Ingestion | Commitment charge | Price per GB | Overage GB | Daily total |
---|---|---|---|---|---|
Pay-as-you-go | 175 GB | $0 | $4.30 | 175 GB | $752.50 |
100 GB Commitment Tier | 175 GB | $296 | $2.96 | 75 GB | $518.00 |
200 GB Commitment Tier | 175 GB | $548 | $2.74 | 0 GB | $548.00 |
Ingestion varies from day to day, but for a steady 175 GB per day the 100 GB tier is clearly the most cost-effective choice. The gap closes quickly as volume grows: at 185 GB per day the two commitment tiers cost almost exactly the same, and above that the 200 GB tier is the cheaper one.
Plan | Ingestion | Commitment charge | Price per GB | Overage GB | Daily total |
---|---|---|---|---|---|
100 GB Commitment Tier | 185 GB | $296 | $2.96 | 85 GB | $547.60 |
200 GB Commitment Tier | 185 GB | $548 | $2.74 | 0 GB | $548.00 |
Tip
Don't forget to account for any E5 data grant you are entitled to.
Also, these prices apply only to Analytics logs, not to Auxiliary logs.
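The arithmetic behind the two tables above, written out as a small cost model. This is an added example, not code from the original post: it uses the West US 2 prices quoted above (the 300 GB and larger tiers are not on the page and are left out), prices a steady daily volume on each tier, computes the exact break-even point between adjacent tiers, subtracts an optional data grant (the E5 allowance from the tip; the 50 GB figure used is a constructed input, not a statement about any licence), and, because commitment tiers are charged day by day, prices a constructed sample week whose average is 185 GB to show that choosing a tier on the average alone can mislead.

```python
"""Sentinel ingestion cost model: pay-as-you-go vs commitment tiers.

Added example, not code from the original post. Prices are the West US 2
figures the post quotes for 11 Feb 2025. Tier structure is modelled as
the post describes it: a flat daily charge covering the tier volume plus
a per-GB rate for every GB above it, charged per day.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Tier:
    name: str
    included_gb: float   # GB covered by the daily charge (0 for pay-as-you-go)
    daily_charge: float  # flat daily commitment charge (0 for pay-as-you-go)
    overage_rate: float  # $/GB for ingestion above included_gb


TIERS = (
    Tier("Pay-as-you-go", 0, 0.0, 4.30),
    Tier("100 GB Commitment Tier", 100, 296.0, 2.96),
    Tier("200 GB Commitment Tier", 200, 548.0, 2.74),
)


def daily_cost(tier: Tier, gb: float) -> float:
    """Cost of one day on `tier` when `gb` billable GB are ingested."""
    overage = max(0.0, gb - tier.included_gb)
    return tier.daily_charge + overage * tier.overage_rate


def cheapest_tier(gb: float, tiers: Sequence[Tier] = TIERS, free_gb: float = 0.0):
    """Return (tier, daily cost) of the cheapest tier for a steady `gb`/day.

    `free_gb` is subtracted first. It models a data grant such as the E5
    allowance; the amount is an input you supply, not a fact about your licence.
    """
    billable = max(0.0, gb - free_gb)
    return min(((t, daily_cost(t, billable)) for t in tiers), key=lambda p: p[1])


def breakeven_gb(lower: Tier, upper: Tier) -> float:
    """Daily volume above which `upper` becomes cheaper than `lower`.

    Valid for adjacent tiers: at the crossover `lower` is already paying
    overage and `upper` is still inside its included volume, so solve
        lower.daily_charge + (x - lower.included_gb) * lower.overage_rate
            == upper.daily_charge
    for x.
    """
    return lower.included_gb + (upper.daily_charge - lower.daily_charge) / lower.overage_rate


def period_cost(tier: Tier, daily_gb: Sequence[float], free_gb: float = 0.0) -> float:
    """Total cost over several days of varying volume.

    Commitment tiers are charged per day, so a quiet day does not bank
    capacity for a busy one. That is why a tier picked on the average
    volume can still lose once the daily distribution is considered.
    """
    return sum(daily_cost(tier, max(0.0, g - free_gb)) for g in daily_gb)


# Constructed sample week averaging exactly 185 GB/day (1295 GB in total).
SAMPLE_WEEK_GB = (150, 160, 200, 230, 185, 170, 200)


def compare_period(daily_gb: Sequence[float] = SAMPLE_WEEK_GB):
    """Rank all tiers for a multi-day sample: [(tier, total), ...], cheapest first."""
    return sorted(((t, period_cost(t, daily_gb)) for t in TIERS), key=lambda p: p[1])


if __name__ == "__main__":
    for gb in (175, 185, 186):
        tier, cost = cheapest_tier(gb)
        print(f"{gb} GB/day: {tier.name} at ${cost:,.2f}/day")
    tier, cost = cheapest_tier(175, free_gb=50)  # constructed grant of 50 GB/day
    print(f"175 GB/day with a 50 GB grant: {tier.name} at ${cost:,.2f}/day")
    print(f"Pay-as-you-go -> 100 GB tier breaks even at {breakeven_gb(TIERS[0], TIERS[1]):.1f} GB/day")
    print(f"100 GB -> 200 GB tier breaks even at {breakeven_gb(TIERS[1], TIERS[2]):.1f} GB/day")
    for tier, total in compare_period():
        print(f"sample week on {tier.name}: ${total:,.2f}")
```

At these prices the 100 GB tier overtakes pay-as-you-go at about 68.8 GB/day and the 200 GB tier overtakes the 100 GB tier at about 185.1 GB/day, which is why the second table shows the two almost level at 185 GB. In the constructed sample week the 100 GB tier still wins by roughly $85 even though the average is 185 GB: the 230 GB day pays overage on the 200 GB tier while the quiet days never earn back its larger daily commitment, whereas the 100 GB tier is in overage every day and its cost is simply linear in total volume. Size tiers on your daily distribution, not on the average.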
Settings
User entity behavior analytics (UEBA)
Note that there is no charge for UEBA itself; however, it ingests data into Sentinel, and that data is subject to ingestion pricing. The cost depends on the environment, but I would generally budget $5-$50 a month for UEBA. If you are concerned about pricing, you can make use of the trial first.
UEBA profiles your users' typical behavior and flags activities that are unusual for them. It also correlates across peer groups, which are derived from security group membership: an activity may be unusual for one user but common among that user's peers, which lowers the suspicion score of the activity.
Configuring UEBA is a two-step choice: select the identity sources whose users you want to profile, then select the data connectors whose activity should be analyzed for those identities.
Currently, you can monitor identities from:
- Active Directory
- Entra ID
And monitor those identities for activities in:
- Audit logs
- Azure Activity
- Security Events
- Sign-in logs
If some of these options are missing, make sure you have deployed MDI and connected all of the data sources; a connector that was only just connected may not show up yet. You do not need all six options checked to benefit from UEBA, but the more data it has, the better its analytics will be.
Once enabled, UEBA starts populating the following tables:
- IdentityInfo
- BehaviorAnalytics
- UserAccessAnalytics
- UserPeerAnalytics
Anomalies
Anomalies are turned on by default, but they do not take any action on their own. When enabled alongside UEBA, Microsoft begins training a machine learning model on your data, and you can consume its detections through dedicated anomaly analytics rules. Detected anomalies are written to the Anomalies table.
Workspace manager configuration
Workspace manager helps with managing multiple Sentinel workspaces, whether because your organization runs several workspaces or because you are an MSSP managing Sentinel workspaces for various customers. I will not be covering this item currently, but will revisit it in the future.
Playbook permissions
If you use automation with playbooks, you need to grant Sentinel access to those playbooks, even when they are stored in the same resource group as Sentinel. Click Configure permissions, find the resource group you want to give Sentinel access to, and hit Apply.
You can view or remove existing permissions on the Current permissions tab. Alternatively, go to the resource group, open the Access control (IAM) section, and check Role assignments for the Microsoft Sentinel Automation Contributor role; you should see a service principal listed there. You can also remove the role directly from the resource group.
How do we use your data?
Microsoft automatically opts the Sentinel workspace in to analytics that let its engineers access the data to tune their models. You can opt out from this page if desired.
Auditing and health monitoring
Note that there is no charge for this feature itself; however, it ingests data into Sentinel, and some of that data is billed: the SentinelHealth table is free to ingest, but the SentinelAudit table is not.
As you work through setting up Sentinel, you will notice that it can be as simple or as complex as needed. The best Sentinel setups tend toward the complex end, but even in the simplest environment auditing is an important piece: it lets you understand what changes are being made in your environment and who made them.
Remove Microsoft Sentinel
Very straightforward; the page gives detailed information about what to expect when you start the removal process.
Workspace settings
This simply opens the Log Analytics workspace Sentinel is attached to, which is helpful for more advanced tasks such as changing the workspace data retention settings or setting a daily ingestion cap on the workspace.