Sentinel Pricing
Sentinel pricing can be complex, so be sure you understand your billing and the potential costs of whatever you are attempting to ingest, enable, or automate. I have attempted to break it down below, but as with every page on this site, this is intended for educational purposes.
Microsoft has their pricing page here.
I will be using this page as a reference for some prices for West US 2 as of 1/30/2025.
Areas you can incur cost
The areas described below are just for Microsoft Sentinel; during the course of setting up ingestion there may be other Azure resources you set up that have a cost associated with them.
- Data ingestion
- Data retention
- Logic app runs
Data ingestion
This is the consumption or importing of logs or events into Sentinel. There are technically three types of logs; I will not be discussing Basic logs. The two types I will cover are:
- Standard analytics logs: $4.30 per GB. This is meant for logs that need to be analyzed constantly, such as sign-ins and endpoint logs.
  - Note: if you plan to ingest more than 100 GB of data a day you can choose a commitment tier, which gives you a discount. Two of the many tiers available are listed below.
    - 100 GB: $2.96 per GB
    - 1000 GB: $2.48 per GB
- Auxiliary logs (technically in preview): $0.15 per GB. This is intended for logs you don't need constantly and don't want to pay standard log pricing for, possibly firewall or other high-volume logs.
While auxiliary logs are great for saving on cost, they are limited in capabilities. I will expand on this more in the future.
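To make the tier numbers above concrete, here is a small estimator I am adding as an example. It is not Microsoft's pricing calculator and not code from any Microsoft page; it only uses the West US 2 prices quoted above. It assumes a commitment tier is billed for the full tier volume every day even when you ingest less, that anything above the tier is billed at that tier's per-GB rate, and that a month is 30 days.

```python
# Added example: a small ingestion cost estimator. It is not Microsoft's pricing
# calculator; it only uses the West US 2 prices quoted on this page (1/30/2025).
# Assumption: a commitment tier is billed for the full tier volume every day even
# if you ingest less, and anything above the tier is billed at the tier's per-GB rate.

PAYG_PER_GB = 4.30          # standard analytics logs, pay-as-you-go
AUXILIARY_PER_GB = 0.15     # auxiliary logs
COMMITMENT_TIERS = {100: 2.96, 1000: 2.48}   # tier size in GB/day -> $/GB (two of many tiers)
DAYS_PER_MONTH = 30         # assumption used to turn a daily cost into a monthly figure


def daily_cost_payg(gb_per_day: float) -> float:
    """Pay-as-you-go: every GB billed at the standard rate."""
    return gb_per_day * PAYG_PER_GB


def daily_cost_tier(gb_per_day: float, tier_gb: int) -> float:
    """Commitment tier: pay for the whole tier, overage at the same rate (assumption)."""
    rate = COMMITMENT_TIERS[tier_gb]
    return max(gb_per_day, tier_gb) * rate


def daily_cost_auxiliary(gb_per_day: float) -> float:
    """Auxiliary logs: cheap to land, but limited in what you can do with them."""
    return gb_per_day * AUXILIARY_PER_GB


def tier_breakeven_gb(tier_gb: int) -> float:
    """Daily volume above which a tier is cheaper than pay-as-you-go."""
    return round(tier_gb * COMMITMENT_TIERS[tier_gb] / PAYG_PER_GB, 2)


def cheapest_analytics_plan(gb_per_day: float) -> tuple[str, float]:
    """Pick the cheapest analytics-log option and return (plan, monthly cost)."""
    options = {"pay-as-you-go": daily_cost_payg(gb_per_day)}
    for tier_gb in COMMITMENT_TIERS:
        options[f"{tier_gb} GB tier"] = daily_cost_tier(gb_per_day, tier_gb)
    plan = min(options, key=options.get)
    return plan, round(options[plan] * DAYS_PER_MONTH, 2)


if __name__ == "__main__":
    for gb in (20, 50, 70, 100, 400, 900, 1500):
        plan, monthly = cheapest_analytics_plan(gb)
        aux = daily_cost_auxiliary(gb) * DAYS_PER_MONTH
        print(f"{gb:>5} GB/day -> {plan:<14} ${monthly:>10,.2f}/month"
              f"  (same volume as auxiliary logs: ${aux:,.2f}/month)")
    for tier in COMMITMENT_TIERS:
        print(f"{tier} GB tier beats pay-as-you-go above {tier_breakeven_gb(tier)} GB/day")
```

One thing the script makes visible that the list alone does not: under those assumptions the 100 GB tier already costs less than pay-as-you-go at roughly 69 GB/day, so the "more than 100 GB" rule of thumb is conservative. The auxiliary column is there for scale only; as noted above, those logs are not a drop-in replacement for analytics logs.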
Data retention
Once data is ingested you can specify how long that data is retained. Since Microsoft Sentinel is built on Log Analytics workspaces, the default of 30 days of retention is configured. However, when you add Sentinel to the workspace you get 90 days of data retention for free, so be sure to increase that if you haven't already.
Warning
If you are using Auxiliary logs, only 30 days of data retention is included! Again, I will expand on auxiliary logs in the future.
- Interactive retention: $0.10 per GB per month. Only available for analytics logs, configurable up to 2 years.
- Long-term retention: $0.02 per GB per month. All log types supported, configurable up to 12 years.
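Retention is billed on what the workspace is holding, not on what arrives each day, so the monthly number depends on the window you configure. The estimator below is an added example of mine (not Microsoft's calculator) using the two rates above and the 90-day (analytics) and 30-day (auxiliary) included windows. It assumes the workspace has reached steady state (the same volume arrives every day and the oldest day ages out), that a month is 30 days, and that the long-term period runs from the end of the interactive period to the end of total retention.

```python
# Added example: steady-state retention cost estimator, not Microsoft's calculator.
# Prices from this page: interactive $0.10/GB/month (analytics logs only, up to
# 2 years), long-term $0.02/GB/month (all log types, up to 12 years). A Sentinel-
# enabled workspace includes 90 days of retention free; auxiliary logs only 30.
# Assumptions: the workspace is at steady state (the same volume arrives each day
# and the oldest day ages out), a month is 30 days, and the long-term period runs
# from the end of the interactive period to the end of total retention.

INTERACTIVE_PER_GB_MONTH = 0.10
LONG_TERM_PER_GB_MONTH = 0.02
FREE_INTERACTIVE_DAYS = {"analytics": 90, "auxiliary": 30}
MAX_INTERACTIVE_DAYS = 2 * 365
MAX_TOTAL_DAYS = 12 * 365


def monthly_retention_cost(gb_per_day: float, interactive_days: int,
                           total_days: int, plan: str = "analytics") -> dict:
    """Return the monthly retention bill once the workspace holds a full window."""
    if plan not in FREE_INTERACTIVE_DAYS:
        raise ValueError(f"unknown plan {plan!r}")
    if plan == "auxiliary" and interactive_days != FREE_INTERACTIVE_DAYS["auxiliary"]:
        # Interactive retention is only configurable for analytics logs.
        raise ValueError("auxiliary logs keep their fixed 30-day interactive period")
    if not 0 <= interactive_days <= MAX_INTERACTIVE_DAYS:
        raise ValueError("interactive retention is configurable up to 2 years")
    if not interactive_days <= total_days <= MAX_TOTAL_DAYS:
        raise ValueError("total retention must cover the interactive period and stay within 12 years")

    free_days = FREE_INTERACTIVE_DAYS[plan]
    # Only interactive days beyond the included window are billed.
    billed_interactive_gb = gb_per_day * max(0, interactive_days - free_days)
    long_term_gb = gb_per_day * (total_days - interactive_days)
    interactive_usd = billed_interactive_gb * INTERACTIVE_PER_GB_MONTH
    long_term_usd = long_term_gb * LONG_TERM_PER_GB_MONTH
    return {
        "billed_interactive_gb": billed_interactive_gb,
        "long_term_gb": long_term_gb,
        "interactive_usd": round(interactive_usd, 2),
        "long_term_usd": round(long_term_usd, 2),
        "total_usd": round(interactive_usd + long_term_usd, 2),
    }


if __name__ == "__main__":
    # Constructed scenarios, not measured numbers.
    print("10 GB/day analytics, 90 days (all included):",
          monthly_retention_cost(10, 90, 90))
    print("10 GB/day analytics, 180 interactive + 1 year total:",
          monthly_retention_cost(10, 180, 365))
    print("50 GB/day auxiliary, 30 interactive + 1 year total:",
          monthly_retention_cost(50, 30, 365, plan="auxiliary"))
```

The second scenario is the one worth noticing: 10 GB/day with 180 days interactive and a year total costs about $90/month for the 90 extra interactive days but only about $37/month for the remaining 185 days in long-term retention, which is why it pays to keep the interactive window as short as your hunting and analytic rules actually need.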
Logic app runs
Automation is a key feature of any SOAR solution; basic automation such as changing the owner, setting the severity, or setting the classification of an incident can be done for free. Any advanced automation will likely require a Logic app.
Logic apps have two pricing models, "Standard" and "Consumption". In most scenarios you would want to use consumption-based pricing, but you can see further details from Microsoft here.
- Consumption: 4,000 actions free, then $0.000025 for each action after. An action is the trigger and the steps within the logic app itself. There is also a cost depending on the connectors used.
Construction
Honestly, logic app pricing is confusing; there are a ton of contradictory blogs on how it's priced, how frequently you get the 4,000 actions (daily or monthly), etc.
I intend to do some first-hand research to get some definitive information.
Free ingestion opportunities
First, let me be clear: it is not possible to have a free Sentinel setup. As incidents are created they are ingested into the Incidents table, and that incurs a cost. This is very negligible, but obviously the more incidents in your environment, the higher the cost, so always expect to pay a few dollars a month for Sentinel.
With that out of the way, Microsoft does give you some data and incidents for free; this can be good for getting familiar with Sentinel and creating some analytic rules that can be useful. You can see a current list of free data sources here, but as of February 5th, 2025 the following data sources are free:
- Data connectors
  - Azure Activity
  - Office 365
    - Includes SharePoint, Exchange, and Teams
  - Microsoft Defender XDR
    - Very important: only the incidents for this data connector are included, none of the telemetry log sources like DeviceEvents, IdentityLogonEvents, etc.
    - This includes alerts for basically all "Defender for..." products except Defender for Cloud
  - Defender for Cloud
    - Again, only alerts are included
- Settings
  - Microsoft Sentinel Health
    - This setting is tied to Sentinel Auditing, which is not free but would have very negligible cost
Other discounts and credits
It is possible to get credits towards certain types of ingestion in Sentinel if you are using Defender for Server Plan 2 or have certain licensing such as Microsoft 365 E5. There is also a trial available.
Defender for Cloud Plan 2
Microsoft licensing benefit
You can read full details about this credit here. If you have any A5, E5, G5, or F5 licenses you will receive 5 MB of data ingestion per license per day. So if you have 250 Microsoft 365 E5 licenses, you will receive 1,250 MB of ingestion per day, close to 1.2 GB.
The link above has a very helpful FAQ at the bottom noting the exact licenses that count for the benefit as well as the tables it will cover ingestion costs for. For education customers, note that while Microsoft 365 A5 for students is included, Microsoft 365 A5 Student Use Benefit does not include the benefit.
Tip
As noted, only certain tables are included for ingestion in the benefit. I highly recommend using it on the Entra ID connector, in particular for the SigninLogs and AuditLogs tables.
Audit logs are always helpful, especially when queryable and used with analytic rules to generate incidents.
Just as beneficial, arguably more beneficial, are the sign-in logs for Entra ID. If you are using Conditional Access (and everyone with Entra ID E5 licensing in almost every scenario should be), ingesting those logs allows you to use the Insights and reporting page. This is a significant help when trying to evaluate the impact of report-only policies. You can essentially get this data for free with your E5 benefit, whereas if you ingest it into a Log Analytics workspace that doesn't have Sentinel you will pay significantly more.
Final tip: most organizations who give the majority of their users E5 licensing will find their total daily data grant is more than enough to cover the SigninLogs and AuditLogs tables. If you are trying to set up a "cheap" Sentinel environment or are worried about cost, be careful not to ingest AADNonInteractiveUserSignInLogs; this table often contains 10 to 20 times more event entries than SigninLogs and will quickly use up your data grant.
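To check whether the grant actually covers what you plan to send, here is an added example of mine (not Microsoft's calculator, not code from the benefit page) that applies the 5 MB per license per day figure to a set of per-table daily volumes and costs whatever is left over at the $4.30 pay-as-you-go rate. The table volumes in the script are constructed for illustration; the eligibility set is an assumption (it treats SigninLogs, AuditLogs and AADNonInteractiveUserSignInLogs as eligible, since this page describes the last one as eating the grant, and everything else as ineligible), so check the FAQ linked above for the real list. It also assumes 1 GB = 1024 MB, which matches the "1,250 MB, close to 1.2 GB" figure above, and a 30-day month.

```python
# Added example: checks whether the licensing data grant covers a set of tables.
# Page facts: each A5/E5/G5/F5 license grants 5 MB of ingestion per day, only
# certain tables are eligible, and uncovered analytics ingestion is $4.30/GB.
# Assumptions: 1 GB = 1024 MB (the page's "1,250 MB, close to 1.2 GB"), a
# 30-day month, and that SigninLogs, AuditLogs and AADNonInteractiveUserSignInLogs
# are all benefit-eligible (the page treats the last one as something that eats
# the grant). Other tables default to ineligible here; check Microsoft's FAQ for
# the real list.

MB_PER_LICENSE_PER_DAY = 5
MB_PER_GB = 1024
PAYG_PER_GB = 4.30
DAYS_PER_MONTH = 30
BENEFIT_ELIGIBLE_TABLES = {"SigninLogs", "AuditLogs", "AADNonInteractiveUserSignInLogs"}


def daily_grant_mb(license_count: int) -> int:
    """Total free ingestion per day across all qualifying licenses."""
    return license_count * MB_PER_LICENSE_PER_DAY


def grant_coverage(license_count: int, daily_table_mb: dict[str, float],
                   eligible: set[str] = BENEFIT_ELIGIBLE_TABLES) -> dict:
    """Split daily volume into grant-covered MB and billed MB, and cost the remainder."""
    grant = daily_grant_mb(license_count)
    eligible_mb = sum(mb for t, mb in daily_table_mb.items() if t in eligible)
    ineligible_mb = sum(mb for t, mb in daily_table_mb.items() if t not in eligible)
    covered_mb = min(eligible_mb, grant)          # the grant only applies to eligible tables
    billed_mb = (eligible_mb - covered_mb) + ineligible_mb
    monthly_usd = billed_mb / MB_PER_GB * PAYG_PER_GB * DAYS_PER_MONTH
    return {
        "grant_mb": grant,
        "covered_mb": covered_mb,
        "unused_grant_mb": grant - covered_mb,
        "billed_mb": billed_mb,
        "monthly_overage_usd": round(monthly_usd, 2),
    }


if __name__ == "__main__":
    licenses = 250                      # the page's example: 250 E5 licenses
    # Constructed daily volumes in MB; measure your own from the workspace's Usage table.
    lean = {"SigninLogs": 400, "AuditLogs": 150}
    with_noninteractive = dict(lean, AADNonInteractiveUserSignInLogs=400 * 15)  # ~15x SigninLogs
    print("SigninLogs + AuditLogs only:", grant_coverage(licenses, lean))
    print("adding AADNonInteractiveUserSignInLogs:", grant_coverage(licenses, with_noninteractive))
```

With the constructed numbers the lean set fits inside the 1,250 MB grant with 700 MB to spare, while adding the non-interactive table at 15x the SigninLogs volume pushes roughly 5.3 GB/day past the grant and onto the bill, which is the cost the tip above is warning about.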
Trial
When you first create your Sentinel environment you should be greeted by a banner stating that for the first 31 days you can ingest 10 GB per day for free. This is a great time to ingest maybe a bit more than you plan to, in order to estimate potential costs. Details can be found here.