Microsoft Sentinel Licensing Costs: Why Most Enterprises Are Overpaying
Microsoft Sentinel is a cloud-native SIEM that charges primarily for data ingestion. The commercial model is straightforward in theory — you pay per GB of log data ingested into your Log Analytics workspace — but most organisations default to pay-as-you-go pricing and then add data sources without reviewing the cost implications. By the time Sentinel spend appears on a monthly Azure invoice, the numbers are often 3–4× what they should be.
The Microsoft Sentinel licensing cost optimisation opportunity in 2026 sits across three levers: commitment reservations that cut per-GB rates by up to 52%, log tier selection that separates high-value security data from verbose operational logs, and archive retention management that stops organisations paying interactive retention pricing on data they access once a year. The Azure Hybrid Benefit guide covers the broader Azure cost landscape; Sentinel typically represents 15–30% of total Azure spend for organisations running full SOC operations.
Microsoft Sentinel Pricing Structure: Three Tiers That Most Teams Don't Use Correctly
Analytics Logs are the default tier and the most expensive: $4.30–$5.20 per GB depending on your Azure region. Analytics Logs support real-time KQL queries, analytics rules, and scheduled alerts. They are appropriate for security events where you need to run automated detection rules. The 90-day retention period is included — beyond that, you pay $0.10/GB/month for interactive retention up to two years.
Basic Logs cost $0.50/GB — an 88% reduction. The trade-off is that you cannot run analytics rules against Basic Logs; they support only ad-hoc queries at $0.007/GB scanned. This tier is purpose-built for high-volume, low-signal data: DNS resolution logs, HTTP access logs, firewall allow-traffic records, and verbose application diagnostics. Organisations that route everything through Analytics Logs because "we might need it" are spending 8.6× what they need to on that data category.
Archive tier costs $0.02/GB/month — 80% cheaper than interactive retention. Data archived beyond 90 days can still be searched via asynchronous search jobs and restored to interactive tier on demand. For compliance data that must be retained for 2–7 years but is accessed rarely, archive tier transforms a potentially enormous retention bill into a manageable cost. For a full analysis of Microsoft security licensing that contextualises Sentinel within the broader Defender ecosystem, see our Microsoft Defender XDR licensing guide.
Commitment Reservations: The Fastest Single Lever for Sentinel Cost Reduction
Microsoft's commitment reservation tiers save up to 52% against pay-as-you-go pricing. A 200 GB/day commitment runs approximately $591/day ($17,730/month) versus the PAYG equivalent of roughly $2,150/day ($64,500/month) — a saving of $560,000 per year for the same data volume. The commitment tier is not a lock-in: organisations can upgrade to a higher tier at any time, and downgrade after 31 days. There is no annual contract for the commitment tier itself; it operates on monthly billing.
The common error is selecting a commitment tier based on average daily ingestion rather than 90th percentile peak. A SOC that typically ingests 150 GB/day but peaks at 280 GB/day during incident response will still pay for data above its commitment tier, but at the same discounted rate as within-tier data (unlike traditional overage pricing, Microsoft applies the same per-GB rate above the reservation). This means the calculus is: pick the tier that matches your consistent daily floor, not your maximum.
Microsoft added a 50 GB/day tier in public preview from October 2025, available at locked promotional pricing through March 2027. For organisations ingesting 30–60 GB/day — typically mid-market enterprises with partial SOC coverage — this tier opens commitment pricing for the first time without the $296/month minimum of the 100 GB/day tier. Engaging our Microsoft advisory team before locking a commitment tier avoids the common mistake of over-committing to a higher tier that sits 40–60% underutilised. Download our Azure Cost Containment guide for the full framework.
Log Filtering and Basic Logs: Reducing Ingestion Volume at Source
The most durable cost reduction comes from reducing data volume before it enters the workspace, not from managing it after ingestion. Microsoft's Data Collection Rules (DCRs) support KQL-based transformation queries — called DCR transformations — that are free to run when Sentinel is enabled. This means you can filter, aggregate, or drop log fields before ingestion with no additional charge beyond the storage you avoid.
Windows Security Event logs are the most common offender. Event ID 4663 (object access auditing) and Event ID 4688 (process creation) generate enormous volumes in enterprise environments and are frequently ingested in full even though 99% of the records carry no security signal. XPath filters in DCRs allow you to include only specific Event IDs. A 10,000-endpoint estate running unfiltered Windows Security Events can generate 50–80 GB/day from that source alone; targeted filtering typically reduces it to 5–8 GB/day.
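The XPath filtering and field-dropping described above, as a Data Collection Rule fragment. This is an added example, not configuration from the original article: the Event ID allowlist, the rule and destination names, and the `<workspace-resource-id>` placeholder are assumptions to adapt to your own detection requirements.

```json
{
  "properties": {
    "description": "Constructed example. Event ID allowlist and workspace ID are placeholders, not values from the article.",
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityEventsFiltered",
          "streams": ["Microsoft-SecurityEvent"],
          "xPathQueries": [
            "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672)]]",
            "Security!*[System[(EventID=4688 or EventID=4720 or EventID=4728 or EventID=4732)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "<workspace-resource-id>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-SecurityEvent"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source | project-away EventData",
        "outputStream": "Microsoft-SecurityEvent"
      }
    ]
  }
}
```

Event ID 4663 is absent from the allowlist, so it is never collected from the endpoint, while 4688 is kept here because process-creation records feed many detection rules. Check every Event ID your analytics rules query before removing it from the XPath list, since a filtered event cannot be recovered later.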
Firewall logs from perimeter devices are the second highest-volume category. Most organisations ingest both allow and deny traffic. Deny records carry security signal; allow records at scale are largely operational noise. Routing allow traffic to Basic Logs (at $0.50/GB) and deny traffic to Analytics Logs (at $4.30/GB) is a straightforward architectural change that typically reduces effective cost for that log category by 70–75%. Enterprises commonly achieve 30–50% total workspace volume reductions through DCR transformation and Basic Logs routing before touching retention policies. To book a confidential call on your Sentinel architecture, our Azure security licensing team is available to model specific ingestion scenarios.
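The allow/deny split described above, as a Data Collection Rule fragment with two data flows over the same CEF stream. This is an added example, not configuration from the original article. It assumes the firewall reports its verdict in `DeviceAction` with the value `allow` (this varies by vendor), that the syslog facility is `local4`, and that a hypothetical custom table `FirewallAllow_CL` already exists with matching columns and has the Basic Logs plan set on it.

```json
{
  "properties": {
    "description": "Constructed example. Table name, facility, DeviceAction value and workspace ID are assumptions.",
    "dataSources": {
      "syslog": [
        {
          "name": "firewallCef",
          "streams": ["Microsoft-CommonSecurityLog"],
          "facilityNames": ["local4"],
          "logLevels": ["Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "<workspace-resource-id>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-CommonSecurityLog"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source | where DeviceAction !~ 'allow'",
        "outputStream": "Microsoft-CommonSecurityLog"
      },
      {
        "streams": ["Microsoft-CommonSecurityLog"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source | where DeviceAction =~ 'allow' | project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, Protocol, DeviceAction",
        "outputStream": "Custom-FirewallAllow_CL"
      }
    ]
  }
}
```

The first flow matches everything that is not an explicit allow, so records with a missing or unexpected `DeviceAction` stay in the Analytics tier where detection rules can see them. Analytics rules will not run against the allow table, so confirm that no existing rule depends on allowed-connection records before deploying the split.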
Independent Sentinel Cost Optimisation Review
Redress Compliance has reduced Microsoft Sentinel costs by 35–65% for enterprise clients through structured ingestion optimisation, tier selection, and EA negotiation. We are 100% vendor-neutral — our sole interest is reducing your bill.
Retention Costs and Archive Strategy for Compliance Workloads
Financial services, healthcare, and government organisations face regulatory requirements to retain security logs for 2–7 years. The standard approach — keeping all data in interactive retention — costs $0.10/GB/month beyond 90 days, which accumulates rapidly. A 200 GB/day workspace ingesting for 3 years and keeping everything at interactive retention costs approximately $1.44M/year in retention fees alone beyond the 90-day free window.
Archive tier at $0.02/GB/month reduces that figure by 80%. The only operational trade-off is query latency: archived data requires an asynchronous search job rather than real-time KQL. For 18-month-old audit logs accessed during annual compliance reviews, that latency is operationally irrelevant. Microsoft's restore function brings archived data back to interactive tier within minutes when real-time analysis is required. A 6-year retention strategy across a 200 GB/day workspace, optimised with archive tiering after 12 months, saves approximately $720,000 per year against the all-interactive approach.
EA Negotiation for Sentinel in 2026
Microsoft eliminated tiered EA volume discounts in November 2025. Sentinel costs are incurred through Azure consumption, which means they flow through your Azure Consumption Commitment (MACC) rather than EA seat-based licensing. The primary negotiation lever is therefore the MACC threshold: the higher your committed Azure spend, the greater the Sentinel effective discount that flows through from overall Azure deal terms.
For organisations renewing EA agreements in 2026, Sentinel spend should be included in the aggregate Azure consumption commitment calculation. Commitment tiers of $500K–$2M per year in Azure unlock progressively deeper Azure discounts — typically 10–25% — that apply to all services including Sentinel. The Q4 Microsoft financial year (April–June in Microsoft's calendar) represents the strongest negotiation window, when Microsoft's sales teams face maximum revenue pressure. Starting EA renewal conversations 9–12 months before expiry gives procurement teams the leverage needed to negotiate MACC terms that meaningfully reduce the effective Sentinel per-GB cost.