
Why Sentinel Costs Spiral Out of Control

Microsoft Sentinel is one of the most powerful cloud-native SIEM platforms available, but it is also one of the most expensive if left ungoverned. Unlike per-user Microsoft security products where costs are predictable, Sentinel pricing is consumption-based and tied directly to the volume of data you ingest into Log Analytics. Every log source you connect, every event you collect, and every alert you generate adds to your monthly bill.

We regularly see enterprises that expected to pay $15,000 to $20,000 per month for Sentinel receiving invoices of $80,000 to $150,000 because they connected every available data source without considering the cost implications. The Microsoft security licensing landscape is complex enough; adding consumption-based SIEM pricing on top creates a cost management challenge that requires dedicated attention.

The good news is that Sentinel costs are highly manageable with the right governance framework. The strategies in this guide can typically reduce Sentinel costs by 30 to 60 percent without reducing security coverage. The key is understanding which data is valuable for detection and investigation, and which data is noise that inflates your bill without improving your security posture.

Understanding Sentinel Pricing Mechanics

Sentinel pricing has two primary components: data ingestion (the cost of getting data into Log Analytics) and data retention (the cost of keeping it there). Ingestion is the dominant cost driver for most enterprises.

Pay-as-you-go ingestion costs approximately $2.46 per GB in most Azure regions. Commitment tiers reduce this rate significantly. At 100 GB per day, the effective rate drops to approximately $1.96 per GB (a 20 percent saving). At 500 GB per day, approximately $1.55 per GB. At 1,000 GB per day, approximately $1.43 per GB. The commitment tiers require you to commit to a minimum daily ingestion volume; if you fall below the commitment, you still pay the committed rate for the minimum volume.

Data retention is free for the first 90 days in interactive retention (where data is immediately queryable). Beyond 90 days, interactive retention costs approximately $0.10 per GB per month. Archive retention (where data must be restored before querying) is cheaper at approximately $0.02 per GB per month. For compliance-driven organisations that need to retain logs for one to seven years, the retention cost can become significant and should be factored into your FinOps framework.

Choosing the Right Commitment Tier

Selecting the optimal commitment tier requires analysing your historical ingestion patterns. Pull 90 days of ingestion data from your Log Analytics workspace and calculate your daily average, peak, and minimum volumes. If your daily average is 150 GB but your minimum is 80 GB, committing to 100 GB per day gives you the tier discount on most of your ingestion while avoiding overpayment during low-volume periods.

The commitment tier applies at the workspace level. If you have multiple Sentinel workspaces (common in large enterprises with regional or business unit separation), each workspace has its own commitment tier. Consider whether consolidating workspaces could allow you to reach a higher (cheaper) commitment tier. A single workspace ingesting 500 GB per day gets better pricing than five workspaces each ingesting 100 GB per day.

Microsoft also offers "Sentinel Benefit Tiers": if you hold certain E5 or security add-on licences, Microsoft 365 data ingested into Sentinel (Office 365 audit logs, Defender alerts, Azure AD sign-in logs) carries no ingestion charge up to 5 MB per user per day. This is a significant benefit: for a 10,000-user organisation, that is up to 50 GB per day of free ingestion, which could save $35,000 to $45,000 per month at pay-as-you-go rates.
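The tier choice described above is easy to get wrong by looking only at the daily average, so here is a worked version of the calculation. This is an added example, not code from the article or from Microsoft; it uses the per-GB rates and the 5 MB/user/day benefit figure quoted above, and it assumes that usage above a commitment is billed at that tier's per-GB rate and that the daily volume always contains at least the benefit-eligible amount of Microsoft 365 data. The 90-day history is constructed (150 GB on weekdays, 80 GB at weekends), not real telemetry.

```python
"""Commitment-tier selection from a 90-day daily ingestion history.

Added example, not code from the original article. Per-GB rates and the
5 MB/user/day Microsoft 365 benefit are the figures quoted in the article.
Assumptions: usage above a commitment is billed at that tier's per-GB rate,
and each day's volume contains at least the benefit-eligible amount of
Microsoft 365 data, so the benefit comes straight off the billable total.
"""
import statistics

# Effective per-GB rates quoted in the article (USD). Key 0 = pay-as-you-go,
# other keys are the committed minimum GB per day.
TIER_RATES = {0: 2.46, 100: 1.96, 500: 1.55, 1000: 1.43}

M365_BENEFIT_MB_PER_USER_PER_DAY = 5


def constructed_history(days=90):
    """Constructed sample: 150 GB on weekdays, 80 GB at weekends. Not real data."""
    return [150.0 if day % 7 < 5 else 80.0 for day in range(days)]


def describe(daily_gb):
    """The three numbers the article says to pull: average, peak and minimum."""
    return {
        "avg_gb": statistics.mean(daily_gb),
        "peak_gb": max(daily_gb),
        "min_gb": min(daily_gb),
    }


def m365_benefit_gb_per_day(users):
    """Free ingestion under the Microsoft 365 benefit (5 MB per user per day)."""
    return users * M365_BENEFIT_MB_PER_USER_PER_DAY / 1024


def apply_m365_benefit(daily_gb, users):
    """Assumption: benefit-eligible data is always present, so the benefit is
    subtracted in full from every day's billable volume."""
    free = m365_benefit_gb_per_day(users)
    return [max(0.0, gb - free) for gb in daily_gb]


def tier_cost(daily_gb, commit_gb):
    """Total cost of the series under one tier.

    A commitment bills the committed minimum every day even when actual
    ingestion is lower; usage above it is assumed to bill at the same rate.
    Pay-as-you-go is the tier with commit_gb == 0.
    """
    rate = TIER_RATES[commit_gb]
    return sum(max(gb, commit_gb) * rate for gb in daily_gb)


def compare_tiers(daily_gb):
    """Cost of the series under every tier, cheapest first."""
    costs = {tier: round(tier_cost(daily_gb, tier), 2) for tier in TIER_RATES}
    return sorted(costs.items(), key=lambda item: item[1])


def best_tier(daily_gb):
    """Commitment (GB/day) with the lowest total cost; 0 means pay-as-you-go."""
    return compare_tiers(daily_gb)[0][0]


if __name__ == "__main__":
    history = constructed_history()
    print("90-day profile:", describe(history))
    for tier, cost in compare_tiers(history):
        label = "pay-as-you-go" if tier == 0 else f"{tier} GB/day commitment"
        print(f"{label:>25}: ${cost:,.2f} over 90 days")
    print("best tier:", best_tier(history))
    with_benefit = apply_m365_benefit(history, users=10_000)
    print("best tier with 10,000-user M365 benefit:", best_tier(with_benefit),
          f"(${compare_tiers(with_benefit)[0][1]:,.2f})")
```

On the constructed history the average is about 131 GB/day but the minimum is 80 GB, and the 100 GB commitment still wins because the weekend under-commitment is cheaper than paying pay-as-you-go rates on the weekday volume; the 500 GB tier loses badly because the committed minimum is billed on every day. Re-run `compare_tiers` on your own `Usage`-derived series before each renewal, since the answer shifts as weekday/weekend and seasonal patterns change.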

Data Source Prioritisation: What to Ingest


The most impactful cost control strategy is being selective about what data you ingest. Not all log sources are equally valuable for security detection and investigation. Prioritise data sources based on their detection value (does this data source feed active detection rules?) and investigation value (do your analysts use this data when investigating incidents?).

High-value sources that should always be ingested include Azure AD sign-in and audit logs (identity-based detections), Microsoft Defender for Endpoint alerts and advanced hunting events (endpoint detections), email delivery events from Defender for Office 365 (phishing and BEC detections), firewall and proxy logs (network-based detections), and DNS query logs (C2 and exfiltration detections).

Lower-value sources that often generate more cost than detection value include raw NetFlow data (high volume, low signal), verbose application logs from non-security-critical applications, infrastructure monitoring metrics (better handled by Azure Monitor, not Sentinel), and full packet captures (store these in blob storage and query on demand, not in Log Analytics).

Using Basic Logs and Archive Tiers

Azure Log Analytics offers a "Basic Logs" tier at approximately $0.50 per GB ingestion (versus $2.46 for Analytics logs). Basic Logs have limitations: they support only simple queries (no joins, aggregations limited to 8-day windows), and they cannot feed Sentinel analytics rules. But for data sources you need for compliance retention and occasional manual investigation (not real-time detection), Basic Logs can reduce ingestion costs by 80 percent.

Good candidates for Basic Logs include verbose application traces, network flow summaries, low-risk system event logs, and compliance-driven data sources that are rarely queried. Move these to Basic Logs and keep your detection-critical data sources on Analytics logs.

Filtering and Transformation Rules

Data Collection Rules (DCRs) and workspace transformation rules allow you to filter and transform data before it is ingested, reducing volume without losing critical information. For example, you might filter Windows Security Event logs to ingest only logon events (Event IDs 4624, 4625, 4634) rather than the full event stream, which can reduce Windows event ingestion by 60 to 80 percent while retaining the events most relevant to security detection.

Transformation rules can also enrich or normalise data at ingestion time, extract specific fields from verbose log entries (discarding the raw text), remove redundant or low-value fields from high-volume data sources, and hash or redact sensitive data (PII, credentials) before it enters Log Analytics. Invest time in building effective DCRs. The upfront effort pays for itself within the first month through reduced ingestion costs. This is one of the most effective Azure cost optimisation levers available.
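To make the DCR advice concrete, the following added example (not code from the article or from Microsoft) composes the ingestion-time KQL for the Windows logon filter named above, optionally hashes a PII column and drops a low-value one, wraps it in a workspace transformation DCR body, and estimates the volume reduction against a constructed event mix. The workspace resource id, location and the per-Event-ID counts are placeholders; treating the `EventData` XML column as low-value is an assumption; and the `Microsoft-Table-<Table>` stream name and `WorkspaceTransforms` kind follow the `Microsoft.Insights/dataCollectionRules` schema as I understand it and should be checked against the current API reference before deployment.

```python
"""Build a workspace transformation DCR that keeps only the logon events the
article names, hashes a PII column and drops a low-value column, then
estimate the reduction.

Added example, not code from the original article or from Microsoft. The
workspace id, location and event mix are placeholders/constructed; stream
and property names follow the Microsoft.Insights/dataCollectionRules schema
as assumed here (Microsoft-Table-<Table> streams for workspace transforms).
"""
import json

LOGON_EVENT_IDS = (4624, 4625, 4634)  # Event IDs named in the article
# Assumption: the raw XML payload column is treated as low-value for detection.
DROP_COLUMNS = ("EventData",)

# Constructed one-day event mix (EventID -> count); not measured data.
SAMPLE_EVENT_COUNTS = {4624: 3000, 4625: 200, 4634: 2800,
                       4663: 8000, 4688: 4000, 5156: 2000}


def build_transform_kql(event_ids=LOGON_EVENT_IDS, drop_columns=DROP_COLUMNS,
                        hash_columns=()):
    """Compose the KQL that runs at ingestion: filter rows, hash PII columns
    in place with hash_sha256(), then drop low-value columns."""
    id_list = ", ".join(str(i) for i in event_ids)
    parts = [f"source | where EventID in ({id_list})"]
    for column in hash_columns:
        parts.append(f"extend {column} = hash_sha256({column})")
    if drop_columns:
        parts.append("project-away " + ", ".join(drop_columns))
    return " | ".join(parts)


def build_workspace_transform_dcr(workspace_resource_id, location, table,
                                  transform_kql):
    """Resource body for a workspace transformation DCR on one table."""
    destination = "laWorkspace"  # placeholder destination name
    return {
        "location": location,
        "kind": "WorkspaceTransforms",
        "properties": {
            "destinations": {
                "logAnalytics": [
                    {"workspaceResourceId": workspace_resource_id,
                     "name": destination}
                ]
            },
            "dataFlows": [
                {
                    "streams": [f"Microsoft-Table-{table}"],
                    "destinations": [destination],
                    "transformKql": transform_kql,
                }
            ],
        },
    }


def retained_fraction(event_counts, event_ids=LOGON_EVENT_IDS):
    """Share of events (by count) that survive the filter; 1 minus this is
    the estimated ingestion reduction."""
    total = sum(event_counts.values())
    kept = sum(n for eid, n in event_counts.items() if eid in event_ids)
    return kept / total if total else 0.0


if __name__ == "__main__":
    kql = build_transform_kql(hash_columns=("Account",))
    dcr = build_workspace_transform_dcr(
        "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
        "Microsoft.OperationalInsights/workspaces/<workspace>",
        "westeurope", "SecurityEvent", kql)
    print(json.dumps(dcr, indent=2))
    reduction = 1 - retained_fraction(SAMPLE_EVENT_COUNTS)
    print(f"estimated SecurityEvent reduction: {reduction:.0%}")
```

Validate the transform against a day of real events before enabling it: the estimate above is by event count, and the actual byte reduction depends on which Event IDs dominate your estate. Hashing `Account` in place (as the sample call does) is irreversible, so only do it for tables whose investigations do not need the clear-text value.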

Sentinel Cost Monitoring and Alerting

Set up Azure Monitor alerts on your Log Analytics workspace to track daily ingestion volume and alert when it exceeds expected thresholds. A sudden spike in ingestion often indicates a misconfigured data source, a noisy detection rule generating excessive alerts, or a security incident generating legitimate high-volume logs. In the first two cases, the alert allows you to cap unnecessary cost quickly. In the third case, the alert serves double duty as both a cost and security notification.

Create a dedicated Azure Cost Management view for Sentinel that breaks down ingestion by data source table. The Log Analytics "Usage" table provides detailed per-table ingestion metrics. Review this weekly as part of your security operations cadence to identify tables with growing ingestion that may need filtering or migration to Basic Logs.
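The weekly review and the ingestion-spike alert described in the two paragraphs above can be scripted against the same `Usage` data. The block below is an added example, not code from the article or from Microsoft: its rows are constructed to look like `Usage` output (one row per table per day with `DataType` and `Quantity` in MB), with `SecurityEvent` tripling on the last day to mimic a misconfigured collector. It flags per-table spikes against a median baseline, reports days where total ingestion crossed a threshold, and prices the Basic Logs saving (at the $2.46 and $0.50 per-GB rates quoted above) for tables you have not marked as detection-critical; that set is an input because detection value is a judgement, not a metric.

```python
"""Per-table ingestion review over Usage-style rows: spike alerting,
threshold alerting and Basic Logs candidates.

Added example, not code from the original article. Rows are constructed to
resemble the Log Analytics Usage table (DataType, Quantity in MB, one row
per table per day); real rows would come from a query such as
"Usage | where IsBillable == true". Rates are the ones quoted in the article.
"""
from collections import defaultdict
from statistics import median

ANALYTICS_RATE_USD_PER_GB = 2.46
BASIC_RATE_USD_PER_GB = 0.50
DAYS_PER_MONTH = 30

# Constructed sample: (day_index, DataType, Quantity_MB). On day 7
# SecurityEvent triples, the pattern a misconfigured collector produces.
SAMPLE_USAGE_ROWS = []
for _day in range(8):
    SAMPLE_USAGE_ROWS += [
        (_day, "SecurityEvent", (180 if _day == 7 else 60) * 1024),
        (_day, "SigninLogs", 5 * 1024),
        (_day, "AppTraces", 30 * 1024),
    ]


def daily_gb_by_table(rows):
    """Group rows into {table: [GB on day 0, GB on day 1, ...]}."""
    per_table = defaultdict(lambda: defaultdict(float))
    for day, table, quantity_mb in rows:
        per_table[table][day] += quantity_mb / 1024
    return {table: [days[d] for d in sorted(days)]
            for table, days in per_table.items()}


def spike_alerts(per_table, baseline_days=7, factor=2.0):
    """Tables whose latest day exceeds factor x the median of the prior
    baseline window, with the ratio, largest first."""
    alerts = []
    for table, series in per_table.items():
        if len(series) < 2:
            continue
        baseline = median(series[-baseline_days - 1:-1])
        latest = series[-1]
        if baseline > 0 and latest > factor * baseline:
            alerts.append((table, round(latest / baseline, 2)))
    return sorted(alerts, key=lambda a: a[1], reverse=True)


def daily_total_alert(per_table, threshold_gb):
    """Days on which total ingestion crossed the expected threshold, as
    (day_index, total_gb)."""
    n = max(len(series) for series in per_table.values())
    totals = [sum(series[d] for series in per_table.values() if d < len(series))
              for d in range(n)]
    return [(d, round(t, 2)) for d, t in enumerate(totals) if t > threshold_gb]


def basic_logs_candidates(per_table, detection_tables):
    """Estimated monthly saving from moving each table that is not
    detection-critical to Basic Logs, largest first."""
    saving_per_gb = ANALYTICS_RATE_USD_PER_GB - BASIC_RATE_USD_PER_GB
    candidates = []
    for table, series in per_table.items():
        if table in detection_tables:
            continue
        avg_gb = sum(series) / len(series)
        candidates.append((table, round(avg_gb * DAYS_PER_MONTH * saving_per_gb, 2)))
    return sorted(candidates, key=lambda c: c[1], reverse=True)


if __name__ == "__main__":
    per_table = daily_gb_by_table(SAMPLE_USAGE_ROWS)
    print("spikes:", spike_alerts(per_table))
    print("threshold breaches (>150 GB/day):", daily_total_alert(per_table, 150))
    print("Basic Logs candidates:",
          basic_logs_candidates(per_table, {"SecurityEvent", "SigninLogs"}))
```

A spike flagged here is the trigger for the triage the article describes: check the data source configuration and the noisiest analytics rules first, and only treat it as cost noise once you have ruled out a genuine incident. The Basic Logs figure is a ceiling, since tables feeding analytics rules cannot move, which is why `detection_tables` must be maintained by the detection engineering team rather than inferred from volume.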

Integrate Sentinel cost tracking into your broader FinOps governance framework. Sentinel is often the largest single line item on Azure bills for security-heavy organisations, and it deserves the same governance attention as compute and storage costs.

Getting Expert Help with Sentinel Costs

If your Sentinel costs are higher than expected, or if you are planning a Sentinel deployment and want to get the architecture right from the start, Redress Compliance can help. Our Microsoft advisory team works with enterprises to optimise Sentinel architectures, reduce ingestion waste, and align Sentinel spending with detection value. We also help with the broader security licensing strategy to ensure you are not over-licensing or under-utilising your Microsoft security investment.

Download our Microsoft EA Renewal Playbook for the complete framework covering security, productivity, and cloud licensing optimisation in a single renewal negotiation strategy.
