Microsoft Sentinel is priced on ingestion. Defender XDR overlaps the use case. E5 changes the math. Read the buyer side reference for SIEM consolidation under the 2026 catalog.
Microsoft Sentinel is the Azure native SIEM priced primarily on data ingestion. The 2026 catalog adds Defender XDR overlap, archive tier math, and an E5 license offset that resets the buyer side picture. Most estates run 20 to 55 percent off the first Sentinel quote after a clean ingestion review and a commitment tier match.
Pair this article with the Microsoft security licensing guide, the Azure FinOps framework, and the EA renewal playbook before the next Sentinel scoping call.
Sentinel pricing is consumption based. The customer pays per GB ingested into the workspace. Volume drives the bill. Volume grows with log enrichment, new data sources, and broader detection coverage.
Sentinel is sold on a pay as you go rate with commitment tiers that step down the rate. The commitment is a daily GB floor. Volume above the commitment is billed at the same commitment tier rate.
| Daily commitment | Indicative rate | Buyer side note |
|---|---|---|
| Pay as you go | $4.30 per GB | Baseline, no commitment |
| 100 GB per day | $2.96 per GB | ~31% off PAYG |
| 500 GB per day | $2.50 per GB | ~42% off PAYG |
| 1 TB per day | $2.30 per GB | ~46% off PAYG |
| 5 TB per day | $2.00 per GB | ~53% off PAYG |
Not all logs need the analytics tier. Sentinel offers Basic Logs and Auxiliary Logs at lower rates with query and retention constraints. Matching log type to tier is the highest leverage saving on most estates.
Run the log tier match test before signing a Sentinel commitment. Sort each data source by query frequency and retention need. Daily queries belong in Analytics. Weekly or monthly queries belong in Basic Logs. Compliance only logs go to Auxiliary or Archive. The reshuffle typically saves 20 to 35 percent without losing detection.
Defender XDR carries endpoint, identity, email, and cloud app logs. Many of these logs also feed Sentinel. The overlap is the most common over spend on the security stack.
| Log source | In Defender XDR | In Sentinel | Buyer side response |
|---|---|---|---|
| Endpoint detections | Yes | Optional | Pull only summary, not raw |
| Identity sign in | Yes | Often duplicated | Use connector with filters |
| Email threats | Yes | Sometimes duplicated | Detect in XDR, alert in Sentinel |
| Cloud app logs | Yes | Optional | Filter at source, not in Sentinel |
Microsoft 365 E5 and certain Microsoft Defender bundles include a Sentinel data benefit. The benefit covers up to 100 MB per user per day on specific log types. The offset is meaningful on large E5 estates.
The commitment tier is the primary buyer side lever. Pick the tier that matches the forecast volume after the log tier match and the Defender XDR overlap fix.
Sentinel is the single line in the Microsoft security stack where the buyer side can make the biggest dollar saving in the shortest time. The log tier match and the XDR overlap fix together typically deliver thirty percent without losing detection coverage.
The seven step checklist below moves a Sentinel deployment from open consumption to a defended commercial picture.
Sentinel is priced on data ingested into Log Analytics. The per GB rate steps down at commitment tiers from 100 GB per day up to 5 TB per day. Volume above the commitment is billed at the commitment rate. Different log types attract different rates. The full picture includes ingestion, retention, and archive restore operations.
Analytics Logs support real time query and alerting with standard retention. Basic Logs support limited query against an eight day window at a lower rate, useful for audit logs. Auxiliary Logs sit lower again with tight query constraints, for long retention with minimal active query. Archive is the lowest cost tier with on demand restore.
Defender XDR overlaps in capability for Microsoft sourced logs but does not replace Sentinel for the wider SIEM use case. Defender XDR is strong on endpoint, identity, email, and cloud app detection. Sentinel is the place where third party logs, network telemetry, and custom detections come together. Most estates run both, with careful connector tuning to avoid duplicate ingestion.
The benefit covers up to 100 MB per eligible user per day on specific connectors. On a 20,000 user E5 estate the daily benefit is up to 2 TB per day, a material offset against the post fix forecast. The benefit applies per workspace and only on the eligible connectors, so the inventory work matters as much as the headcount.
The right number depends on regulatory boundaries, data residency, and operational ownership. Fewer workspaces concentrate the commitment tier leverage and simplify the commercial picture. More workspaces help where data residency or tenant boundaries demand it. Most estates land on a small number of workspaces with cross workspace query for the operations team.
Volume above the commitment is billed at the commitment per GB rate. There is no penalty rate for overage. Growth that consistently exceeds the commitment is the signal to step up to the next tier. The buyer side response forecasts volume quarterly and adjusts the commitment at the contract anniversary rather than waiting for renewal surprises.
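The commitment floor, the overage rule, and the E5 offset can be combined into one tier calculation. The sketch below is an added example, not a tool from this article or from Microsoft: it uses the indicative rates from the table above, treats the E5 benefit as a plain volume offset capped by eligible connector volume (an assumption), and runs on a constructed estate.

```python
# Indicative USD-per-GB rates from the table on this page.
PAYG_RATE = 4.30
TIERS = [(100, 2.96), (500, 2.50), (1000, 2.30), (5000, 2.00)]  # (daily GB floor, rate)
E5_BENEFIT_MB_PER_USER = 100  # per eligible user per day, eligible connectors only


def billable_gb(total_gb, eligible_gb, e5_users):
    """Daily GB left to pay for after the E5 data benefit.

    Assumption: the benefit is modelled as a plain volume offset, capped by
    the volume that actually arrives through eligible connectors.
    """
    benefit_gb = e5_users * E5_BENEFIT_MB_PER_USER / 1000  # decimal units, as on the page
    return total_gb - min(eligible_gb, benefit_gb)


def daily_cost(volume_gb, commit_gb, rate):
    """The commitment is a floor; overage is billed at the same tier rate."""
    return round(max(volume_gb, commit_gb) * rate, 2)


def break_even_gb(commit_gb, rate, lower_rate=PAYG_RATE):
    """Daily volume above which paying the full floor is cheaper than the lower option."""
    return commit_gb * rate / lower_rate


def best_tier(volume_gb):
    """Return (label, daily cost) of the cheapest option for a forecast volume."""
    options = [("PAYG", 0, PAYG_RATE)] + [(f"{c} GB/day", c, r) for c, r in TIERS]
    return min(((name, daily_cost(volume_gb, c, r)) for name, c, r in options),
               key=lambda item: item[1])


if __name__ == "__main__":
    # Constructed estate: 2,400 GB/day total, 1,500 GB/day on eligible connectors.
    forecast = billable_gb(total_gb=2400, eligible_gb=1500, e5_users=20000)
    print(forecast, best_tier(forecast))
    # Volume at which the 1 TB tier starts beating the 500 GB tier.
    print(round(break_even_gb(1000, 2.30, lower_rate=2.50)))
```

On these rates a tier can be cheaper than the option below it before volume reaches the floor, which is why the forecast should be set after the log tier match and overlap fix rather than before.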
Redress runs Sentinel as part of the broader Microsoft security stack engagement. The work covers data source inventory, log tier match, Defender XDR overlap, E5 offset, and the commitment tier decision. Engagements close in eight to twelve weeks.
The log tier match plus the Defender XDR overlap fix cut our Sentinel bill by thirty four percent in three months. Detection coverage did not move. The commitment tier moved down a step at the next anniversary.