Microsoft Sentinel is priced by data ingestion, not by seats. Commitment tiers, free Microsoft Defender data, and cheaper log tiers decide the bill. Ingestion discipline, not feature choice, is what controls Sentinel cost.
Sentinel is priced on the volume of data you ingest and analyze, billed per gigabyte. There is no per seat license.
The charge combines a Sentinel analysis fee and the underlying Log Analytics workspace cost. Microsoft sets the rates on its Sentinel pricing page. Volume is the variable that matters.
Pay as you go bills each gigabyte at the standard rate. Commitment tiers reserve a daily volume at a discount. Microsoft documents the mechanics in its billing guide.
Commitment tiers reserve a fixed daily ingestion volume in exchange for a lower per gigabyte rate. The higher the commitment, the deeper the discount.
Sentinel pricing options at a glance

| Option | How it bills | Best for | Watch out for |
|---|---|---|---|
| Pay as you go | Per gigabyte ingested | Low or variable volume | Highest unit rate |
| Commitment tier | Reserved daily volume | Steady predictable volume | Over committing to peak |
| Basic and auxiliary logs | Reduced per gigabyte | High volume low value logs | Limited query features |
| Data lake | Low cost retention | Long term storage | Separate query model |
Size the commitment to steady state ingestion, not to peak. A commitment set to peak pays for headroom you rarely use. Measure a full month before committing.
Two paths cut cost: free Microsoft Defender data and the cheaper log tiers.
Microsoft Defender XDR alert and security data is largely ingested at no charge. Routing security signal through that path avoids paying twice for the same telemetry.
Basic and auxiliary logs ingest high volume, low value data at a fraction of the analytics rate. Microsoft explains the table plans in its table tiers documentation. Route verbose sources there.
The common advice is to ingest everything into Sentinel so nothing is missed, then optimize later. We disagree. More data does not mean more security; it means a larger bill, and the verbose sources that inflate cost rarely change a detection outcome. In our reviews the cheapest and most effective Sentinel deployments fed only the logs that earned their place, routed high volume noise to cheaper tiers, and leaned on the free Defender path. The buyer side move is to design ingestion before turning the taps on, not to ingest broadly and tune under budget pressure later. Detection value comes from the right logs, not all logs.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
Sentinel does not bill for security. It bills for data. The cheapest Sentinel is the one fed only the logs that earn their place.
Verbose sources in the analytics tier drive almost every overrun.
Filter at the source, route noise to cheaper tiers, and resize commitments to steady state. Microsoft offers concrete guidance in its cost reduction documentation.
Three moves control the bill without weakening detection.
Decide which sources earn analytics ingestion before onboarding them. Design beats retrofitting under budget pressure.
Send high value logs to analytics, noise to basic tiers, and security signal through the free Defender path.
Measure a month, then commit to steady state volume, leaving peaks on pay as you go.
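One way to take the month of measurement that the sizing advice and the three moves above call for, as an added example that is not from the original article: two Log Analytics (KQL) queries over the workspace's standard `Usage` table, where `Quantity` is reported in MB. The 31 day window and the top 15 cut-off are assumptions to adjust.

```kusto
// Added example. Run each query separately in the workspace's Logs blade.

// Query 1: daily billable ingestion over the last 31 full days,
// summarised so the steady state (median) can be compared with the peak
// before choosing a commitment tier.
Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true                      // free data types are excluded
| summarize DailyGB = sum(Quantity) / 1000.0    // MB to GB
          by Day = bin(StartTime, 1d)
| summarize Days     = count(),
            MedianGB = percentile(DailyGB, 50),
            P90GB    = percentile(DailyGB, 90),
            PeakGB   = max(DailyGB)

// Query 2: which tables account for the billable volume in the same window.
// The largest rows are the candidates for source filtering or a cheaper
// table plan; whether a table still needs analytics is a detection decision.
Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize TotalGB = sum(Quantity) / 1000.0 by DataType
| top 15 by TotalGB desc
```

A large gap between `MedianGB` and `PeakGB` is the headroom a peak-sized commitment would pay for.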
Microsoft Sentinel is priced by the volume of data ingested and analyzed, billed per gigabyte. Pricing combines a Sentinel analysis charge and the underlying Log Analytics cost, so ingestion volume is the main driver.
Commitment tiers let you reserve a daily ingestion volume at a discount against pay as you go. The more you commit per day, the lower the effective per gigabyte rate, provided the commitment matches real volume.
Much Microsoft Defender XDR alert and security data flows into Sentinel at no ingestion charge. Routing security signal through the free Defender path instead of paid ingestion is a major cost lever.
Basic and auxiliary log tiers ingest high volume, low value data at a much lower per gigabyte rate than analytics logs. Verbose sources can be routed to these cheaper tiers when full analytics is not needed.
The Sentinel data lake provides lower cost long term storage and querying for large volumes of security data. It separates cheap retention from the higher cost analytics tier.
Verbose log sources ingested into the analytics tier without filtering. Firewall, proxy, and endpoint logs at full volume are the usual culprits, and they inflate the bill without adding detection value.
In our reviews, filtering verbose sources and routing to cheaper tiers typically cut Sentinel ingestion cost by 25 to 45 percent without losing detection coverage. The range depends on how unfiltered the original feed was.
Ingesting everything into the analytics tier on the assumption that more data means more security. It means more cost. Detection value comes from the right logs, not all logs.