Article · Microsoft · Security Cost

Microsoft Sentinel. Ingest less. Pay less.

Microsoft Sentinel is the fastest growing line in most Microsoft security budgets. Data ingestion bills at 1.78 to 4.30 USD per GB depending on commit tier. The customer that ingests every log unfiltered pays for it twice, in Sentinel and in Azure Log Analytics. The optimization moves cut the bill 30 to 60 percent.


Microsoft Sentinel grew from 8 percent of typical enterprise Microsoft security spend in 2022 to over 30 percent in 2026. The pricing model is consumption based with significant complexity around log tiering, commitment tiers, and retention.

The customer that does not actively manage the data plane pays the highest rate across the largest spend base. The optimization moves below cut the bill without compromising security outcomes.

Key Takeaways

The eight levers that decide Sentinel cost

  • Commit tier selection. Move from pay as you go to the right daily commit.
  • Table tiering. Analytics, basic, and auxiliary logs used together.
  • Source filtering. Filter at source before ingestion.
  • Retention strategy. 30 to 90 days hot, longer on archive.
  • Dual workspace pattern. Production and compliance workspaces separated.
  • Data Collection Rules. Drop low value fields and events.
  • Microsoft commitment. 3 year commit captures larger discount.
  • Competitive alternative. Documented SIEM alternative for negotiation leverage.

1. How Sentinel bills

Sentinel bills as an analytics layer on top of Azure Log Analytics ingestion. Under the simplified pricing Microsoft introduced in 2023 the two are billed as a single combined Sentinel rate per GB ingested into the analytics tier, roughly 4.30 USD at pay as you go list; workspaces still on the legacy model see the two lines separately. List prices differ by region, so every figure on this page is indicative and should be checked in the Azure pricing calculator for the target region.

The two billing layers

  • Sentinel analytics layer. Roughly 2.00 USD per GB of the combined rate. Covers detection, investigation, and Sentinel specific features.
  • Log Analytics layer. Roughly 2.30 USD per GB of the combined rate. Covers data ingestion, storage, and query.
  • Combined pay as you go rate. Roughly 4.30 USD per GB.
  • Combined committed rate. 2.50 to 3.55 USD per GB depending on tier, lower still at the largest tiers.

What is included in the ingestion charge

The ingestion charge covers the data ingestion event, the default 90 days of interactive retention on analytics tables, the Sentinel analytics rules, User and Entity Behavior Analytics, the workbooks, and the hunting queries. The charge does not cover retention beyond 90 days, search jobs and data restore from long term retention (each billed separately on the volume scanned or restored), or premium add ons such as the SAP solution.

2. The commitment tiers

Sentinel and Log Analytics offer daily commitment tiers starting at 100 GB per day and extending to several thousand GB per day. The commitment tier sets the unit rate for the whole day's ingestion, overage included. The customer that consistently ingests above 100 GB per day should not be on pay as you go.

Commitment tier indicative rates

Commitment tier  | Combined indicative rate | Discount versus pay as you go
Pay as you go    | 4.30 USD per GB          | 0 percent
100 GB per day   | 3.55 USD per GB          | 17 percent
200 GB per day   | 3.20 USD per GB          | 25 percent
500 GB per day   | 2.55 USD per GB          | 41 percent
1000 GB per day  | 2.30 USD per GB          | 47 percent
5000 GB per day  | 1.78 USD per GB          | 58 percent

Microsoft publishes more tiers than the table shows (300, 400 and 2000 GB per day among them); the rates are region dependent list prices.

How to size the commitment

  1. Pull the trailing 90 days of daily billable ingestion from the workspace's Usage table. Average daily and P95 daily.
  2. Forecast the next 12 months. Source additions, source retirements, application growth.
  3. Pick the tier at the average plus a modest buffer, then check it against the cost curve. The committed volume is paid whether or not it is used, and ingestion above the commitment bills at the same per GB rate as the tier, not at the next tier and not as a penalty. A tier one step too high costs more on quiet days than a tier one step too low costs on busy days.
  4. Review monthly. A tier can be raised at any time; lowering it, or returning to pay as you go, is allowed once the 31 day commitment period has run. The cost of being one tier too low is small.
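The sizing procedure above, as an added worked example (not code from the page or from Microsoft): it uses the page's indicative combined rates, a constructed 90 day ingestion series, and the Usage table query a practitioner would run to get the real series. It compares the average plus buffer rule of thumb with the tier that actually minimizes cost over the series, given that committed volume is paid even when unused and overage bills at the tier's own rate.

```python
"""Commitment tier sizing for a Microsoft Sentinel workspace (added example)."""
import math
from statistics import mean

# KQL that pulls the real trailing 90 day series from the workspace. Quantity is in MB.
USAGE_KQL = """
Usage
| where TimeGenerated > ago(90d) and IsBillable == true
| summarize IngestedGB = sum(Quantity) / 1024 by bin(TimeGenerated, 1d)
| order by TimeGenerated asc
"""

PAYG_RATE = 4.30  # USD per GB, the page's indicative combined pay as you go rate
# (daily commitment in GB, indicative combined USD per GB) from the page's table.
# Assumption: rates are region dependent list prices, check the pricing calculator.
COMMIT_TIERS = [(100, 3.55), (200, 3.20), (500, 2.55), (1000, 2.30), (5000, 1.78)]


def p95_nearest_rank(values):
    """95th percentile by the nearest rank method: the ceil(0.95 * n)th smallest value."""
    ordered = sorted(values)
    rank = max(1, math.ceil(0.95 * len(ordered)))
    return ordered[rank - 1]


def daily_cost(gb, tier_gb, rate):
    """Cost of one day on a commitment tier. The committed volume is paid whether
    or not it is used; ingestion above it bills at the same per GB rate as the tier."""
    return max(tier_gb, gb) * rate


def cost_over_period(daily_gb, tier_gb, rate):
    """Total cost over the series. tier_gb == 0 means pay as you go."""
    if tier_gb == 0:
        return sum(gb * rate for gb in daily_gb)
    return sum(daily_cost(gb, tier_gb, rate) for gb in daily_gb)


def cheapest_tier(daily_gb):
    """(tier_gb, total_cost) for the option with the lowest cost over the series."""
    options = [(0, PAYG_RATE)] + COMMIT_TIERS
    costs = {tier: cost_over_period(daily_gb, tier, rate) for tier, rate in options}
    best = min(costs, key=costs.get)
    return best, round(costs[best], 2)


def size_commitment(daily_gb, buffer=0.10):
    """Summarize the series and compare the rule of thumb (average plus buffer,
    rounded down to a tier) with the cost minimizing choice."""
    avg = mean(daily_gb)
    target = avg * (1 + buffer)
    rule_of_thumb = max([t for t, _ in COMMIT_TIERS if t <= target], default=0)
    best, best_cost = cheapest_tier(daily_gb)
    return {
        "average_gb": round(avg, 1),
        "p95_gb": p95_nearest_rank(daily_gb),
        "rule_of_thumb_tier": rule_of_thumb,
        "cheapest_tier": best,
        "cost_90d_usd": best_cost,
    }


# Constructed sample series, not real data: 60 quiet days, 20 busier days, 10 burst days.
SAMPLE_DAILY_GB = [180.0] * 60 + [240.0] * 20 + [320.0] * 10

if __name__ == "__main__":
    print(size_commitment(SAMPLE_DAILY_GB))
```

On the sample series both methods land on the 200 GB tier, but the cost comparison is what proves it: the 500 GB tier would cost almost twice as much over the same 90 days because the unused commitment is still paid every quiet day.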

3. Analytics, basic, and auxiliary logs

The single largest optimization lever in Sentinel is correct table classification across the three log tiers. The price difference between analytics and auxiliary is roughly 30 times per GB.

Tier comparison

Tier      | Indicative ingestion price | Query capability                                        | Use case
Analytics | 2.50 to 4.30 USD per GB    | Full KQL, real time alerts, full features               | Detection rule sources, investigation sources
Basic     | 0.65 USD per GB            | Limited KQL, no analytics rules                         | High volume search sources, occasional investigation
Auxiliary | 0.15 USD per GB            | Limited KQL, no analytics rules, search jobs for older data | Compliance retention, low priority sources

How to classify each source

  • Is the source read by an active analytics rule? If yes, analytics. Scheduled analytics rules cannot query basic or auxiliary tables, so moving such a source down breaks the rule silently; check the exported rule inventory, not memory.
  • Is the source frequently used in investigations, hunting queries or workbooks the SOC relies on? If yes, analytics.
  • Is the source occasionally searched but not alerted on? If yes, basic.
  • Is the source retained for compliance only? If yes, auxiliary.
  • Is the source on Microsoft's free data source list (Azure Activity and alerts from Defender products, for example)? If yes, leave it where it lands; tiering free data saves nothing.
  • Document the classification. Per source, per workspace, with the rationale.

4. Table tiering

Table tiering is the active management of which tables sit on which plan. The plan is a property of the table, set per table, per workspace, through the portal, the Tables API or the az CLI; the Data Collection Rule decides what flows into the table, not which plan the table is on. A plan applies to the whole table, so a feed that needs two tiers needs two tables.

Common table tiering decisions

  • Entra sign in logs. Analytics. Critical for detection.
  • Microsoft 365 audit logs. Analytics for the alerting subset, auxiliary for the bulk. Check the free data source list first: Exchange admin and SharePoint activity from the native Office 365 connector is not billed, so only the billable part is worth the effort of splitting into a second table.
  • Office 365 mailbox audit logs. Basic or auxiliary unless DLP detection rules require analytics.
  • Firewall logs at the perimeter. Basic for the volume, analytics for the deny events and for the allow events on segments where lateral movement or egress matters.
  • DNS query logs. Basic for the volume, analytics for the threat intelligence matched subset.
  • Application telemetry. Auxiliary unless used in active detection.

Moving tables between tiers

Tables are reclassified by changing the table's plan, not the Data Collection Rule. Microsoft allows a table's plan to change once a week, and the auxiliary plan is currently only available on custom tables at creation, so a built in table cannot be moved to auxiliary in place. Data already written is not re-tiered; forward looking data flows under the new plan. Before each move, confirm from the rule inventory that no analytics rule reads the table. Most optimization programs reclassify forward without back filling.
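The classification check from the previous section and the reclassification step above, as one added worked example (not code from the page or from Microsoft). The rule and hunting query inventory, the table list and the daily volumes are constructed; in practice they come from an export of the workspace's analytics rules, hunting queries and workbooks. The plan names and the az CLI command are real; the resource group and workspace names are placeholders. The table match is a deliberately generous whole word search, so a false positive keeps a table on analytics rather than breaking a rule.

```python
"""Tier classification check before moving Sentinel tables off the analytics plan (added example)."""
import re

# Constructed inventory of saved KQL, keyed by artefact name. Not real rules.
ANALYTICS_RULES = {
    "Sign in success from new location": "SigninLogs | where ResultType == 0 | summarize count() by UserPrincipalName, Location",
    "TI match on DNS": "DnsEvents | join kind=inner (ThreatIntelligenceIndicator) on $left.Name == $right.DomainName",
}
HUNTING_QUERIES = {
    "Rare IIS user agents": "W3CIISLog | summarize count() by csUserAgent | where count_ < 5",
    "Firewall egress review": "CommonSecurityLog | where DeviceVendor == 'Palo Alto Networks' | summarize sum(SentBytes) by DestinationIP",
}
# Candidate tables with constructed daily volume in GB.
TABLES = {"SigninLogs": 40.0, "DnsEvents": 120.0, "W3CIISLog": 60.0, "CommonSecurityLog": 300.0, "AppTraces": 90.0}
# The page's indicative USD per GB by plan (assumption: region list prices differ).
RATES = {"Analytics": 4.30, "Basic": 0.65, "Auxiliary": 0.15}


def references_table(query, table):
    """Whole word match of a table name anywhere in a KQL query."""
    return re.search(r"\b" + re.escape(table) + r"\b", query) is not None


def classify(table, rules, hunts):
    """Analytics if any analytics rule reads the table (scheduled rules cannot query
    Basic or Auxiliary tables), Basic if only hunting or saved queries read it,
    Auxiliary otherwise."""
    if any(references_table(q, table) for q in rules.values()):
        return "Analytics"
    if any(references_table(q, table) for q in hunts.values()):
        return "Basic"
    return "Auxiliary"


def plan_changes(tables, rules, hunts):
    """{table: (plan, rationale)} for every table, so the decision is documented."""
    result = {}
    for table in tables:
        plan = classify(table, rules, hunts)
        readers = [name for name, q in {**rules, **hunts}.items() if references_table(q, table)]
        rationale = "read by: " + ", ".join(readers) if readers else "no saved query reads this table"
        result[table] = (plan, rationale)
    return result


def daily_saving(changes, tables):
    """Indicative USD per day saved versus leaving every table on Analytics."""
    return round(sum(gb * (RATES["Analytics"] - RATES[changes[t][0]]) for t, gb in tables.items()), 2)


def az_commands(changes, resource_group="rg-sec", workspace="law-sentinel-prod"):
    """az CLI to apply the Basic plan, one table at a time (not every built in table
    supports Basic; the command fails for those). Auxiliary cannot be applied to an
    existing table, so those are left for manual follow up with a custom table."""
    return [
        f"az monitor log-analytics workspace table update --resource-group {resource_group} "
        f"--workspace-name {workspace} --name {table} --plan Basic"
        for table, (plan, _) in sorted(changes.items())
        if plan == "Basic"
    ]


if __name__ == "__main__":
    decisions = plan_changes(TABLES, ANALYTICS_RULES, HUNTING_QUERIES)
    for table, (plan, why) in decisions.items():
        print(f"{table:20} {plan:10} {why}")
    print("indicative saving USD/day:", daily_saving(decisions, TABLES))
    print("\n".join(az_commands(decisions)))
```

The rationale column is the documentation the classification step asks for; keep the output with the change record, because the question "why is this table on basic" will be asked during the first incident that needs it.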

5. Retention strategy

Sentinel enabled workspaces include 90 days of interactive retention for analytics tables inside the ingestion price. Interactive retention beyond 90 days bills at roughly 0.10 USD per GB per month, and long term retention (Microsoft's archive) bills at a lower rate but can only be read through a search job or a restore, both billed separately. The customer that keeps everything interactive for 2 years adds significant ongoing storage cost.

The optimal retention pattern

  1. 30 to 90 days of interactive retention. Inside the ingestion price.
  2. Extended interactive retention for the next 6 to 12 months, only on the tables investigators actually query. Billed per GB per month.
  3. Long term (archive) retention for compliance. 2 to 7 years depending on regulatory requirements; total retention is set per table, up to 12 years.
  4. Defined search job and restore process. When data is needed from archive, with the cost of each request tracked.
  5. Documented retention policy. Per source, per table, per regulatory category, applied as the interactive and total retention values on each table.

6. Source filtering

The cheapest GB is the one that is never ingested. Source filtering removes low value events at the source before they reach Sentinel. The most common filtering opportunities are well documented.

Common filter targets

  • Repetitive heartbeat events. System status checks every minute.
  • Synthetic monitoring traffic. Internal monitoring tooling.
  • Verbose application telemetry. Debug level logs not used in security.
  • Internal scanner traffic. Network scanner generated firewall events, scoped to the scanner's source addresses only.
  • Low risk allow events. Firewall allow events on known internal flows. Keep allow events on segments where lateral movement or egress matters; an allow log is often the only record of a compromised host reaching another.
  • Duplicate sources. The same event collected by two agents.

Where to filter

Filtering happens at three layers. The agent layer applies filters at the source machine before transmission; for Azure Monitor Agent this is the Data Collection Rule's data source definition, for example the XPath query on Windows event collection. The Data Collection Rule layer applies a KQL transformation during ingestion, which can drop whole records and remove columns; sources without their own DCR can still be filtered by a workspace transformation DCR. The application layer reduces logging verbosity. Run any transformation as an ordinary query against the table first to see exactly what it would drop, and never remove a column a detection reads, because dropped data cannot be recovered. Most optimizations combine all three layers.
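The Data Collection Rule layer, as an added worked example (not code from the page or from Microsoft). The data flow shape (streams, destinations, transformKql) follows the Azure Monitor DCR schema; the stream name Microsoft-Event (Windows events collected by Azure Monitor Agent into the Event table), the destination name and the sample records are constructed for this example. The keep() function is a hand written Python port of the KQL so the reduction can be estimated offline; the authoritative dry run is the same KQL run as a query against the Event table in the workspace.

```python
"""DCR ingestion time transformation for source filtering, with an offline dry run (added example)."""
import json

# KQL applied to every incoming record; `source` is the incoming stream. Drops Service
# Control Manager state changes (EventID 7036, noise for detection) and anything from
# the synthetic monitoring hosts, then removes two bulky columns. Assumption to verify
# against the rule inventory before deploying: no detection reads those columns.
TRANSFORM_KQL = (
    "source "
    "| where not(EventLog == 'System' and EventID == 7036) "
    "| where not(Computer startswith 'synthmon-') "
    "| project-away ParameterXml, EventData"
)
DROPPED_COLUMNS = ("ParameterXml", "EventData")


def keep(record):
    """Python port of the two where clauses. KQL startswith is case insensitive, so
    the port lowercases the host name. Keep this in step with TRANSFORM_KQL."""
    if record.get("EventLog") == "System" and record.get("EventID") == 7036:
        return False
    if str(record.get("Computer", "")).lower().startswith("synthmon-"):
        return False
    return True


def transform(record):
    """One record through the transformation: None if dropped, else the record
    without the projected away columns."""
    if not keep(record):
        return None
    return {k: v for k, v in record.items() if k not in DROPPED_COLUMNS}


def estimate(records):
    """Dry run over sample records. Byte counts use the JSON size of each record as a
    proxy; Log Analytics bills on its own size calculation, so read the result as a
    relative reduction, not an invoice."""
    bytes_in = sum(len(json.dumps(r)) for r in records)
    kept = [t for t in (transform(r) for r in records) if t is not None]
    bytes_out = sum(len(json.dumps(r)) for r in kept)
    return {
        "records_in": len(records),
        "records_out": len(kept),
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        "reduction": round(1 - bytes_out / bytes_in, 3) if bytes_in else 0.0,
    }


def dcr_data_flow(stream="Microsoft-Event", destination="law-sentinel-prod"):
    """The dataFlows entry to place in the DCR's properties. The stream and
    destination names are placeholders for this example."""
    return {"dataFlows": [{"streams": [stream], "destinations": [destination],
                           "transformKql": TRANSFORM_KQL}]}


# Constructed sample Windows events, not real data. Note that 6008 (unexpected
# shutdown) and 7045 (new service installed, a persistence signal) are kept.
SAMPLE_EVENTS = [
    {"Computer": "app01", "EventLog": "System", "EventID": 7036, "Source": "Service Control Manager",
     "RenderedDescription": "The Windows Update service entered the running state.",
     "ParameterXml": "<Param>wuauserv</Param><Param>running</Param>", "EventData": "<DataItem/>"},
    {"Computer": "app01", "EventLog": "System", "EventID": 6008, "Source": "EventLog",
     "RenderedDescription": "The previous system shutdown was unexpected.",
     "ParameterXml": "<Param>03:12:55</Param>", "EventData": "<DataItem/>"},
    {"Computer": "SYNTHMON-01", "EventLog": "Application", "EventID": 1000, "Source": "Probe",
     "RenderedDescription": "Probe cycle complete.", "ParameterXml": "", "EventData": ""},
    {"Computer": "app02", "EventLog": "Application", "EventID": 1000, "Source": "Application Error",
     "RenderedDescription": "Faulting application name: w3wp.exe",
     "ParameterXml": "<Param>w3wp.exe</Param>", "EventData": "<DataItem/>"},
    {"Computer": "app02", "EventLog": "System", "EventID": 7036, "Source": "Service Control Manager",
     "RenderedDescription": "The Print Spooler service entered the stopped state.",
     "ParameterXml": "<Param>Spooler</Param><Param>stopped</Param>", "EventData": "<DataItem/>"},
    {"Computer": "dc01", "EventLog": "System", "EventID": 7045, "Source": "Service Control Manager",
     "RenderedDescription": "A service was installed in the system.",
     "ParameterXml": "<Param>svc</Param>", "EventData": "<DataItem/>"},
]

if __name__ == "__main__":
    print(estimate(SAMPLE_EVENTS))
    print(json.dumps(dcr_data_flow(), indent=2))
```

The point of the port is the estimate, not the filter itself: a transformation is cheap to write and expensive to get wrong, so measure the drop rate on a real sample and review which event IDs fall out before the DCR goes live.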

7. The dual workspace pattern

The dual workspace pattern separates the production security workspace from the compliance retention workspace. Each workspace has different scale, different commitment tiers, and different retention policies.

The dual workspace shape

  • Production workspace. Analytics tier, 90 day hot retention, full Sentinel features.
  • Compliance workspace. Low cost plans, multi year long term retention, search jobs only. If no detection runs there, leave Sentinel disabled on this workspace; a plain Log Analytics workspace avoids the Sentinel layer of the charge entirely.
  • Defined data routing. Sources stream to production or compliance based on the use case, through separate Data Collection Rules or connector workspace targets.
  • Cross workspace search. The workspace() function in KQL reaches the compliance workspace from the production one when an investigation needs it.

The financial outcome

A typical dual workspace deployment on an enterprise that previously spent 4M USD per year on Sentinel ends at roughly 2.2M USD. The production workspace runs at roughly 1.8M USD and the compliance workspace at roughly 400K USD. The net saving is 1.8M USD per year on the same data set.

8. The negotiation moves

The Sentinel negotiation runs inside the broader Microsoft Enterprise Agreement or Microsoft Customer Agreement renewal. The leverage points are the multi year commitment, the Azure consumption credit application, and the competitive alternative.

The commercial levers

  • Multi year Sentinel commitment. 3 year commits at the larger tiers capture additional discount.
  • Azure consumption credit. Sentinel commits can draw down against the broader Azure committed spend.
  • Competitive SIEM alternative. Documented and scoped, presented inside the renewal conversation.
  • Microsoft 365 E5 leverage. E5 tenants receive a Sentinel data grant (up to 5 MB per user per day for specific Microsoft 365 data sources), alerts from Defender products ingest free, and Defender XDR covers detection use cases that would otherwise need raw logs in Sentinel; account for all three before sizing the commitment.
  • Microsoft fiscal year timing. Quarter end alignment captures stronger commercial flexibility.

What to do next

The checklist takes the Microsoft Sentinel buyer from where they are today to an optimized, contracted, sustainable Sentinel position.

  1. Baseline the current ingestion. By source, by table, by tier, by workspace.
  2. Classify every source. Analytics, basic, auxiliary based on detection use.
  3. Design the dual workspace pattern. Production and compliance separated.
  4. Apply source filtering. Agent, Data Collection Rule, application logging level.
  5. Right size the commitment tier. Average daily ingestion plus modest buffer.
  6. Set the retention policy. Hot, warm, archive tiers documented.
  7. Scope the competitive alternative. Run the alternative scoping in parallel with the renewal.
  8. Run the deal through Vendor Shield. Independent buyer side review before signature.

Frequently asked questions

How does Microsoft Sentinel price data ingestion?

Microsoft Sentinel bills two layers. The Sentinel layer adds analytics ingestion on top of Azure Log Analytics. The Log Analytics layer prices the underlying data storage and query. At pay as you go, the combined cost runs roughly 4.30 USD per GB ingested into the analytics tier.

Commitment tiers reduce the unit price. A 100 GB per day commitment lowers the combined Sentinel plus Log Analytics rate to roughly 3.55 USD per GB. A 500 GB per day commitment brings the rate to roughly 2.55 USD per GB. The customer that does not commit pays the highest rate by default.

What is the difference between analytics, basic, and auxiliary logs in Sentinel?

Analytics logs are the high price tier with full KQL query, full schema, and Sentinel analytics rules. Basic logs are a lower price tier with limited query capability designed for high volume but rarely queried sources. Auxiliary logs are a very low price tier for compliance retention with batch query only.

The cost difference is significant. Analytics logs cost roughly 10 to 30 times the auxiliary log rate per GB. The customer that classifies every source into analytics by default pays the highest possible rate for sources that could sit in basic or auxiliary.

Which data sources should sit in analytics versus basic versus auxiliary?

Analytics is for sources used in active detection rules, real time alerts, and frequent investigation. Examples include Entra sign in logs, Microsoft 365 audit logs, and key infrastructure security events. Basic is for sources occasionally queried but not in detection rules. Examples include firewall logs at the high volume edge and IIS access logs.

Auxiliary is for sources retained for compliance but rarely investigated. Examples include long term DNS logs, broad network flow data, and verbose application telemetry. The defense pattern is to map every source against the use case before choosing the tier.

How does retention pricing work in Sentinel?

Sentinel and Log Analytics include 90 days of analytics retention at no additional charge inside the ingestion price. Retention beyond 90 days bills at roughly 0.10 USD per GB per month for warm storage and lower for archive storage. The customer that retains 2 years of analytics data at the default rate pays significant ongoing storage cost.

The optimization move is to keep only the last 30 to 90 days at interactive retention and move older data into long term (archive) retention per table. Data cannot be moved into the basic plan after ingestion; the plan is chosen at the table, retention is what ages data out. Most enterprise security workloads need only the last 30 to 90 days at the analytics rate. Compliance retention can sit in archive at a fraction of the interactive retention cost.

Should the customer use multiple workspaces for cost control?

Yes for very large or very heterogeneous estates. A single workspace is simpler but loses the cost separation between business units, regions, or compliance domains. Multiple workspaces allow each business unit to fund their own ingestion and retention budget.

The cost trade off is the cross workspace query overhead and the dilution of the commitment tier discount, since each workspace commits separately and a single large commitment captures more discount than several small ones. A dedicated cluster removes most of that penalty, because workspaces linked to the cluster share its commitment tier. Most enterprises end at 2 to 4 workspaces aligned to regions or compliance boundaries.

Are there alternatives to Microsoft Sentinel for the same security outcome?

Yes. Other SIEM platforms cover the same enterprise security use cases. The choice depends on the broader Microsoft ecosystem commitment, the integration with Entra and Microsoft 365, and the existing security operations center tooling. Sentinel is the strongest fit when the customer is heavily committed to Microsoft 365 E5 and Entra ID P2.

The negotiation lever is the credible competitive alternative scoped in parallel with the Sentinel commitment renewal. The Microsoft commercial team responds to a documented alternative with stronger pricing flexibility than to a Sentinel only conversation.

How does Redress engage on Microsoft Sentinel optimization?

Redress runs Sentinel optimization inside the Vendor Shield subscription, the dedicated Microsoft service line, and the Software Spend Assessment. The work covers the ingestion baseline, the table tiering decision, the retention strategy, the commitment tier selection, the source filtering plan, and the renewal negotiation.

Typical engagements deliver 35 to 55 percent reduction in the Sentinel and Log Analytics combined line against the prior 12 months baseline. The work runs alongside the broader Microsoft EA renewal where applicable.

How Redress engages

Redress runs this practice inside the Vendor Shield subscription, the Renewal Program, the Microsoft Knowledge Hub, and the Software Spend Assessment.

Read the related Microsoft EA Renewal Playbook, the Microsoft Hub, the case studies, the benchmarking service, the management team page, the about us page, and the contact page.


Sentinel pricing is decided in the data plane, not in the contract. The customer that filters source data, tiers tables correctly, and caps retention will pay 60 percent less than the customer who does not, on the same security outcome.

Former Microsoft Sentinel Engineering Lead
Now on the buyer side, 30 Sentinel deployments optimized