Pricing for Microsoft Sentinel can be challenging to understand. The information is scattered across multiple links, making it easy to get lost in the details.
At a high level, the pricing for Microsoft Sentinel is simple: You pay for every gigabyte ingested into and out of the Log Analytics workspace. However, there are caveats we will make clear.
The Differences Between Analytics and Basic Logs Pricing
Microsoft Sentinel has two types of logs: Analytics and Basic. Analytics Logs are your primary data for detection rules. Basic Logs have reduced capabilities. A typical customer uses a combination of both. Basic Logs include high-volume verbose logs used for troubleshooting, whereas Analytics Logs are used for detailed analysis.
We will start by explaining the pricing plans for Analytics Logs and then move on to Basic Logs.
Analytics Logs Data Ingestion Pricing
As said before, with Analytics Logs, your primary data for detection rules, you pay for every gigabyte (GB) ingested with pay-as-you-go. At the time of writing, it’s $4.30 per GB ingested for East US.
However, you can also use commitment tiers, paying a fixed price daily. Again, at the time of writing, you can pay $296 for 100 GB per day up to $11,550 for 5,000 GB per day.
The reason to pay a fixed price is the discount you get compared to pay-as-you-go. The chart below shows a 46% savings at the 5,000 GB per day commitment tier compared to pay-as-you-go.
Analytics Logs Data Retention Pricing
So that’s for data ingestion. Once you have your data inside Microsoft Sentinel, you also pay for log analytics data retention.
That said, the first three months are free. After that, you can extend your data retention for up to 2 years. If you extend your retention, you pay for every GB of data beyond those first free three months. At the time of writing, it costs $0.10 per month for every GB of data stored inside Microsoft Sentinel’s Log Analytics workspace.
Once your interactive retention ends, you have two options: lose your data or ingest it into the archive tier.
The archive tier can store your data for up to seven years. Once again, inside the archive tier, you pay for every GB of data per month. The price is $0.02 per GB per month, which is cheap.
Searching Archived Analytics Logs Pricing
But what if you want to search your archived data?
You have two options: Use the search job or data restore.
With the search job, you pay $0.005 per GB of data scanned. Keep in mind that searching archived logs uses asynchronous search jobs, which incur a cost for the data scanned while executing the search plus the cost of ingesting the search results.
With data restore, you pay $0.10 per day for every GB of data restored. However, proceed with caution. If you keep a restore for less than 12 hours, you are billed for the 12-hour minimum duration, meaning restores round up to 12 hours even if you only kept the data for an hour.
But wait, there’s more. Similarly, if you restore less than 2 TB of data, the volume of restored data billed rounds up to 2 TB for each day (or partial day) that the restore is retained.
Because of this, prepare to pay a hefty bill even if you are only testing this feature in your development environment with a few MB of data. For example, restoring 2 MB of data rounds up to 2 TB, leaving you with a $200 bill ($0.10 * 2,000 GB = $200).
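The two ways of reaching archived data can be compared per investigation with a small estimator. This is an added example, not part of the original article or any Microsoft tooling; it uses the rates quoted on this page and assumes that search results are ingested at the Analytics pay-as-you-go rate and that each day or partial day of a restore is billed at the full daily rate, as in the $200 example above. The scenarios are constructed.

```python
import math

# Rates quoted on this page (East US, at the time of writing).
SEARCH_PER_GB_SCANNED = 0.005    # search job, per GB scanned
ANALYTICS_INGEST_PER_GB = 4.30   # assumed rate for ingesting search results
RESTORE_PER_GB_PER_DAY = 0.10    # data restore, per GB per day
RESTORE_MIN_GB = 2000            # 2 TB minimum, counted as 2,000 GB as on the page
RESTORE_MIN_HOURS = 12           # minimum billed duration


def search_job_cost(scanned_gb, result_gb):
    """Cost of scanning archived data plus ingesting the results."""
    return scanned_gb * SEARCH_PER_GB_SCANNED + result_gb * ANALYTICS_INGEST_PER_GB


def restore_cost(restored_gb, hours_kept):
    """Cost of a restore with both minimums applied.

    Assumption: every day or partial day is billed at the full daily rate,
    which is how the page's $200 example is calculated. Under that reading
    the 12-hour floor only matters for restores deleted almost immediately.
    """
    billed_gb = max(restored_gb, RESTORE_MIN_GB)
    billed_hours = max(hours_kept, RESTORE_MIN_HOURS)
    billed_days = math.ceil(billed_hours / 24)
    return billed_gb * RESTORE_PER_GB_PER_DAY * billed_days


def cheaper_option(scanned_gb, result_gb, hours_kept):
    """Return (option, search_cost, restore_cost) for one investigation.

    The same data volume is either scanned by a search job or restored.
    """
    search = search_job_cost(scanned_gb, result_gb)
    restore = restore_cost(scanned_gb, hours_kept)
    option = "search job" if search <= restore else "restore"
    return option, round(search, 2), round(restore, 2)


if __name__ == "__main__":
    # Constructed scenarios: (GB scanned or restored, GB of results, hours kept)
    scenarios = [(0.002, 0.001, 1), (5000, 2, 24), (5000, 200, 24), (3000, 50, 30)]
    for scenario in scenarios:
        print(scenario, "->", cheaper_option(*scenario))
```

With these rates, the search job only loses to a restore when the result set is large, because result ingestion dominates its cost.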
Analytics Logs Data Export Pricing
Lastly, the cost is $0.10 per GB of data if you need to export data. Log Analytics Data Export offers continuous streaming export of logs to destinations like Azure Storage or Event Hub.
To summarize, with analytics logs, you pay for data ingestion, data retention (beyond three months), and additional charges for searching inside archived data and exporting it.
Basic Logs Data Ingestion Pricing
We also have basic logs, which have reduced capabilities and are for high-volume verbose troubleshooting. The pricing for basic logs is different. You don’t have commitment tiers; your only option is the pay-as-you-go tier.
That said, the pricing for data ingestion is much lower for archived basic logs than for analytics logs. At the time of writing, you pay $1 per GB of data ingested.
Basic Logs Data Retention Pricing
Basic logs are accessible for eight days and are then moved to the archive. Remember this, because you will pay for the archive tier sooner with basic logs than with analytics logs, which are retained at no charge for 90 days.
Searching archived basic logs is charged in the same way as searching archived analytics logs, at a rate of $0.005 per GB of data scanned.
To summarize, with basic logs, you pay for data ingestion, data retention (beyond eight days), and additional charges for searching inside archived data.
Microsoft Sentinel SAP Pricing
If you need SAP application logs, Microsoft Sentinel has a custom solution that collects them from the entire SAP system and sends them to the Log Analytics workspace in Microsoft Sentinel.
Your SAP applications are billed as an add-on charge at $2 per system ID (production SID only) per hour. Note that this is on top of the previously explained Log Analytics pricing models.
This solution is free during the Microsoft Sentinel trial.
Microsoft Sentinel Free Trial
Now, let’s shift gears from explaining pricing for Microsoft Sentinel to the free trial. The first time you use Microsoft Sentinel, you can ingest 10 GB daily for free. This discount automatically applies for the first 31 days and is subject to a 20 workspace limit per Azure tenant.
This trial allows you to tear down and deploy Microsoft Sentinel after testing and reaching the 31-day or 10 GB daily limit.
Benefits for Existing Microsoft Customers
Additional cost-saving benefits exist for organizations with Microsoft 365 E5, A5, F5, and G5 licenses. In such cases, you can receive a data grant of up to 5 MB per user daily for ingesting Microsoft 365 data into Microsoft Sentinel.
Free Data Sources
You don’t need to pay ingestion costs for certain Microsoft data sources, like Azure Activity Logs or Microsoft Defender for Endpoint logs.
See below the entirety of free data types.
Microsoft Defender for Server P2 Customer Benefits
An allowance exists for customers with the Defender for Server Plan 2. If you own this plan, you get 500 MB per VM daily of free data ingestion.
Calculator for Determining Costs
Calculating costs for Microsoft Sentinel is complicated when considering the many benefits and unique log sources. Fortunately, Microsoft provides customers with a calculator to determine their costs when considering Microsoft Sentinel.