With the Pay-As-You-Go model, Microsoft Sentinel is priced at approximately $4.30 per GB of data ingested, with exact rates varying by region. For environments with steady or high log ingestion, Microsoft offers Commitment Tiers that provide discounted rates starting at approximately $296 per 100 GB/day. Total cost depends on ingestion volume, log types, region, and retention settings.
Note: The prices presented in this article are based on the East US region.
In this guide, we’ll take a detailed look at Microsoft Sentinel SIEM pricing and answer the following questions:
- What are the different Microsoft Sentinel pricing models? (PAYG, commitment tiers, simplified pricing tiers, basic/analytics/auxiliary logs).
- What would Microsoft Sentinel cost for 50/100/500 GB per day?
- How to estimate the monthly Microsoft Sentinel cost for X GB/day and Y days of retention?
- How do you use the Azure pricing calculator to estimate Microsoft Sentinel costs?
- How much does Microsoft Sentinel cost for a small/mid/enterprise company?
- How to reduce Microsoft Sentinel costs?
How much does Microsoft Sentinel cost?
Microsoft Sentinel pricing starts from $4.30 per GB of ingested data for Pay-As-You-Go plans, while Commintement Tiers require a minimum of 100 GB/day, which will cost you $296 daily.
Annual costs range from tens of thousands of dollars for small businesses to millions for global enterprises, depending on data ingestion and retention needs.
Microsoft Sentinel is billed based on the volume of data analyzed and stored in the Azure Monitor Log Analytics workspace. However, the true cost of ownership also includes the operational effort required to manage alerts, optimize log usage, and respond to incidents across multiple data types.
To address this operational gap, UnderDefense, a member of the Microsoft Partner Network, extends Microsoft Sentinel with 24/7 managed detection and response through the UnderDefense MAXI platform.
UnderDefense MAXI enhances Microsoft Sentinel by interpreting telemetry, correlating alerts, and applying advanced analytics to identify real threats faster. Confirmed incidents are escalated to human SOC analysts for investigation and response, eliminating the need to staff an internal team for continuous triage.
Enhance Microsoft Sentinel with AI-assisted MDR, built-in SOAR, and 24/7 human-led SOC operations. Book a Demo
Try UnderDefense MAXI
We also support migrations from legacy SIEMs to Microsoft Sentinel, helping organizations modernize their security operations without losing visibility, control, or operational efficiency.
Microsoft Sentinel pricing comparison
Microsoft Sentinel offers two primary pricing models: Pay-As-You-Go for variable ingestion and Commitment Tiers for predictable volumes. Pay-As-You-Go charges per GB ingested, while Commitment Tiers provide discounted rates in exchange for a minimum daily commitment, making them better suited for steady environments.
Here’s an overview of the available options.
Package Cost Best For Pay-As-You-Go Starting at $4.30/GB Teams with fluctuating data ingestion. Commitment Tiers Starts at 100 GB/day, which comes to $296 per 100 per day (depending on the region). Businesses with steady data volumes.
Additional considerations:
- Data Retention: The default retention period is 90 days. Extending retention beyond this period incurs additional costs.
- Free Data Sources: Certain data sources, such as Azure Activity Logs and Office 365 Audit Logs, can be ingested at no additional cost, potentially reducing overall expenses.
Microsoft Sentinel packages overview
Microsoft Sentinel packages differ based on ingestion predictability and log usage. Organizations can choose Pay-As-You-Go for flexible usage or Commitment Tiers for discounted, predictable costs. Additional pricing differences depend on log types (Analytics, Basic, or Auxiliary) and data retention duration.
Microsoft Sentinel incorporates AI-powered threat detection to automatically identify and prioritize risks, ensuring a proactive approach to security. The platform integrates seamlessly with existing Microsoft tools, such as Azure and Office 365, as well as third-party data sources, offering comprehensive support for diverse environments.
Microsoft Sentinel provides different options to meet varying organizational needs. Whether you require predictable costs, scalability, or optimized data usage, there is a plan adjusted to your objectives.
Analytics Logs in Microsoft Sentinel
Analytics Logs are the primary log type in Microsoft Sentinel and support real-time detection, alerts, hunting, and advanced analytics. They are billed based on ingestion volume using either Pay-As-You-Go or Commitment Tiers and are intended for high-value security data that directly supports threat detection and response.
Analytics Logs in Microsoft Sentinel provide support for all data types, enabling advanced analytics, real-time alerts, and unrestricted queries. These logs capture high-value security data that offer insights into the status, usage, security posture, and performance of your environment. By proactively monitoring Analytics Logs with scheduled alerts and analytics, organizations can detect and respond to security threats effectively. They can be used within two pricing frameworks.
Pay-As-You-Go
Pay-As-You-Go pricing charges for the exact amount of data ingested into Microsoft Sentinel, calculated per GB. It is best suited for organizations with fluctuating or unpredictable log volumes, as it offers flexibility without long-term commitments, though costs may be higher at scale compared to Commitment Tiers.
- This model charges based on the volume of data ingested into Microsoft Sentinel for security analysis and stored in the Azure Monitor Log Analytics workspace.
- Pricing is calculated per gigabyte (GB) of data.
- Ideal for organizations with variable or unpredictable data ingestion needs.
- Offers flexibility without a long-term commitment.
Tip: Microsoft offers a free 31-day trial with up to 10 GB/day of Sentinel ingestion waived.
Commitment Tiers
Commitment Tiers provide discounted Microsoft Sentinel pricing in exchange for a minimum daily ingestion commitment, starting at 100 GB per day. They are ideal for environments with stable, predictable log volumes and offer improved cost control compared to Pay-As-You-Go, with a minimum commitment period of 31 days.
- This model offers a fixed monthly fee based on a chosen data tier, allowing for predictable costs and discounted pricing compared to Pay-As-You-Go rates.
- Organizations select a tier based on their expected data volume. Discounts increase with higher tiers.
- A minimum commitment of 31 days is required, after which you can adjust or cancel your tier.
- This model provides cost predictability and potential savings for consistent data ingestion volumes.
The total cost for Analytics Logs includes data ingestion charges for Azure Monitor Log Analytics based on the selected pricing model. Commitment tiers are especially beneficial for organizations with stable, high-volume data needs, offering significant cost savings while maintaining advanced security monitoring capabilities.
Basic Logs in Microsoft Sentinel
Basic Logs are designed to handle high-volume data with relatively low security value. These logs are typically verbose and lack the advanced capabilities of analytics logs. They are best suited for ad-hoc querying, investigations, and on-demand searches rather than for deep analytics or real-time alerts. The pricing for Basic Logs in Microsoft Sentinel is $1.12 per GB within a Pay-As-You-Go pricing framework.
Auxiliary Logs (Preview) in Microsoft Sentinel
Auxiliary Logs are high-volume, low-fidelity data sources, such as firewall or network logs, used mainly for investigation context. Currently in preview, Auxiliary Logs are not yet billed, allowing organizations to explore their functionality without additional costs. The pricing for Auxiliary Logs (Preview) in Microsoft Sentinel is $0.19 per GB within a Pay-As-You-Go pricing framework.
How can UnderDefense help you maximize Microsoft Sentinel SIEM?
UnderDefense offers Managed SIEM services to help businesses fully leverage Microsoft Sentinel’s capabilities. By partnering with UnderDefense, you benefit from:
- Expert setup and optimization: Ensure tools and configurations are tailored to your environment.
- 24/7 threat hunting and response: Proactively identify and mitigate risks.
- Cost management: Optimize your Sentinel setup to reduce unnecessary costs.
- Enhanced visibility: Correlate data across platforms for a comprehensive security view.
UnderDefense transforms alerts into answers and makes sure your SIEM works harder, improving your security visibility with co-managed or fully managed SIEM services. At the same time, you are in control of your IT infrastructure 24/7.
1. Are there any free data sources available on Microsoft Sentinel?
Yes. Certain data sources, such as Office 365 audit logs, Azure activity logs, and alerts from Microsoft threat protection solutions, can be ingested into Sentinel at no additional cost.
2. How can I estimate my Microsoft Sentinel costs?
You can estimate Microsoft Sentinel costs by calculating daily data ingestion (GB/day), selecting log types (Analytics, Basic, and Auxiliary), and defining retention duration. These inputs are entered into the Azure Pricing Calculator to estimate monthly ingestion, retention, and commitment tier costs.
3. What are the benefits of the simplified pricing tiers introduced in July 2023?
Simplified pricing tiers combine Sentinel analytics charges with Log Analytics ingestion costs into a single, predictable rate. This reduces billing complexity, improves cost forecasting, and is best suited for organizations with stable ingestion volumes that want fewer variable cost components.
4. How can I reduce my Microsoft Sentinel costs?
You can reduce Microsoft Sentinel costs by moving predictable workloads to Commitment Tiers, routing low-value logs to Basic Logs, limiting retention to compliance needs, filtering noisy data sources, and excluding non-security telemetry from Sentinel workspaces. Ongoing tuning and MDR optimization can significantly lower monthly ingestion spend.
5. When should I use basic logs vs analytics logs to save money in Sentinel?
Use Analytics Logs for high-value security data requiring real-time detection, alerts, and correlation. Use Basic Logs for high-volume, low-signal data needed mainly for investigations or audits. Basic Logs cost significantly less per GB but do not support scheduled analytics or alerting.
6. Are commitment tiers cheaper than pay-as-you-go for Sentinel?
Yes, Commitment Tiers are cheaper than Pay-As-You-Go when your daily ingestion volume is predictable and consistently exceeds the tier threshold. They offer discounted per-GB pricing in exchange for a 31-day minimum commitment. For fluctuating or low volumes, Pay-As-You-Go is usually more cost-effective.
7. What are simplified pricing tiers in Microsoft Sentinel, and should you switch?
Simplified pricing tiers bundle Sentinel analytics and Log Analytics ingestion into one rate. You should consider switching if your ingestion volume is stable and you want predictable monthly costs. Organizations with highly variable ingestion may benefit more from traditional Pay-As-You-Go pricing.
8. How do you use the Azure pricing calculator to estimate Microsoft Sentinel costs?
To use the Azure Pricing Calculator, enter your estimated daily ingestion volume (GB/day), select Analytics or Basic Logs, define retention duration, and apply Commitment Tiers if applicable. The calculator then estimates monthly Sentinel ingestion, retention, and Log Analytics costs based on region.
