Your SIEM bill is directly proportional to your data volume. Every log you ingest, every table you retain, every query you run has a cost. This guide explains every component of the Sentinel pricing model, the commitment tiers that reduce per-GB costs, the data sources that are free versus paid, the retention mechanics, and the optimisation strategies that keep your cloud SIEM effective and affordable.
This guide is part of the Microsoft Knowledge Hub. For the broader licensing reference, see the Microsoft Licensing Guide 2026. For Azure cost management, see the Azure Cost Optimisation Playbook. For the security licensing stack, see M365 E3 vs E5 vs F3.
Microsoft Sentinel is a cloud-native SIEM and SOAR platform built on Azure Log Analytics. Unlike traditional on-premises SIEMs licensed per device or per user, Sentinel is licensed on a consumption model: you pay for the volume of data you ingest, the pricing tier you choose, and how long you retain it. Enterprises routinely underestimate Sentinel costs by 40–60% because they model without fully accounting for every connected data source, the retention periods applied to each table, and the incidents, enrichment records, and UEBA output that analytics rules themselves generate.
Data ingestion typically represents 70–85% of the total Sentinel cost. Every event, alert, log entry, and telemetry record flowing into the workspace is measured in gigabytes and billed accordingly. The ingestion cost has two components: the Log Analytics ingestion cost (base storage) and the Sentinel analysis cost (SIEM analytics, detection rules, incident management, SOAR capabilities).
| Daily Ingestion Volume | Monthly Cost (PAYG ~$2.76/GB, 30-day month) | Annual Cost |
|---|---|---|
| 100 GB/day | ~$8,280 | ~$99,360 |
| 500 GB/day | ~$41,400 | ~$496,800 |
| 1 TB (1,000 GB)/day | ~$82,800 | ~$993,600 |
Microsoft offers commitment-tier pricing for organisations that commit to a minimum daily ingestion volume. The commitment is a daily minimum: if you commit to 500 GB/day but ingest 400 GB on a given day, you still pay for 500 GB. If you ingest 600 GB, the additional 100 GB is billed as overage at the same per-GB rate as your commitment tier, not at the pay-as-you-go rate (confirm the current overage rule for your region on the Azure pricing page). The cost of under-committing is therefore the unused commitment on light days; the cost of over-committing is paying every day for volume you never send.
| Commitment Tier | Approximate Discount vs PAYG |
|---|---|
| 100 GB/day | 15–20% |
| 200 GB/day | 25–30% |
| 500 GB/day | 35–40% |
| 1,000 GB/day | 45–50% |
| 2,000 GB/day | 50–55% |
| 5,000+ GB/day | 55–65% |
Data ingested into a Sentinel-enabled workspace is retained for interactive query and analysis for 90 days at no additional retention cost, which is sufficient for most incident investigation and threat-hunting scenarios.
Interactive retention can be extended for compliance-driven requirements (HIPAA, PCI DSS, SOX) up to 2 years in total. Beyond the free 90 days it is billed per GB per month: at roughly $0.10/GB/month, an enterprise holding an extra 1 TB in interactive retention pays approximately $100/month per TB, or $1,200/year per TB.
Archive retention is about 80% cheaper than interactive retention (roughly $0.02/GB/month) and extends total retention up to 12 years. Archived data cannot be queried directly: it must be restored, or scanned with a search job, before use (minutes to hours, with a per-GB charge for the data scanned). It is the correct choice for compliance retention where data must be kept but is rarely accessed.
Beyond ingestion and retention, several capabilities generate incremental costs (typically 5–15% of total bill): SOAR playbook execution (Logic Apps consumption charges), data enrichment and UEBA (generates additional data volumes counting toward ingestion), and search jobs and data restoration (per-GB scan charges for archived data). These costs can spike during active incidents.
One of the most significant commercial advantages of Microsoft Sentinel over competing SIEMs is that a defined set of Microsoft data sources is ingested free of charge: alerts and incidents from the Microsoft Defender products, Azure Activity logs, and Office 365 audit logs. This benefit substantially reduces the effective cost for enterprises invested in the Microsoft security stack. Note that the exemption covers these specific data types, not every log a Microsoft product can emit; raw telemetry tables are billed like any other data.
Microsoft Defender alerts and incidents from Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Defender for Cloud are the highest-value free data source: endpoint detection, email security, identity threats, cloud app security, and cloud workload findings at zero ingestion cost.
Entra ID sign-in logs (every authentication event) and audit logs (directory changes, role assignments, application registrations) are the foundation of Zero Trust security monitoring, but they are not free by default: they are billed at the standard per-GB rate. Microsoft 365 E5, A5, F5, and G5 customers receive a data grant of up to 5 MB per user per day that covers these and some other Microsoft 365 data types; compare that grant against your actual sign-in volume before treating this stream as free.
Azure Activity logs, the Azure management-plane events (resource creation, deletion, modification, role assignments, policy changes), give visibility into Azure infrastructure changes without ingestion cost.
Office 365 audit logs, the user and admin activity in Exchange Online, SharePoint Online, OneDrive, and Teams (file access, sharing events, mailbox access, admin actions), are free via the Office 365 connector.
Data from non-Microsoft products (firewalls, IDS/IPS, endpoint protection from other vendors, vulnerability scanners) incurs the standard per-GB cost. For multi-vendor security stacks, this is typically the largest Sentinel cost driver.
Windows security events are the detailed event logs from on-premises servers and endpoints (beyond what Defender for Endpoint already provides as alerts). A single busy Windows Server can generate 1–5 GB/day; across a 500-server estate this alone can be 500 GB–2.5 TB/day.
Syslog and CEF cover Linux server logs and network device logs (firewalls, switches, routers, load balancers), and are typically the second-largest ingestion volume after Windows events.
Custom logs are any data sent through custom data connectors, the legacy HTTP Data Collector API, or the Azure Monitor Logs Ingestion API (data collection rules), and are billed at the standard rate for the destination table's plan.
The commercial incentive to consolidate: an enterprise using only Microsoft security products pays nothing to ingest Defender alerts and incidents, Azure Activity logs, and Office 365 audit logs, and Sentinel cost begins when connecting non-Microsoft sources (plus any Entra ID logs and raw Defender telemetry beyond the Microsoft 365 E5 data grant). Every third-party tool replaced by a Microsoft Defender product eliminates both the third-party licence cost and the Sentinel ingestion cost for that tool's logs, because the Defender product's alerts arrive free. Free data can represent 30–50% of total SIEM volume for Microsoft-centric enterprises. See M365 E3 vs E5 vs F3.
The commitment tier decision is the single largest cost optimisation lever in Sentinel licensing. The difference between pay-as-you-go and the right commitment tier can reduce the annual cost by 15–65%, depending on the tier reached.
Before selecting a tier, run Sentinel in pay-as-you-go mode for at least 30 days with all planned data sources connected. Expect variation: weekdays typically generate 20–40% more data than weekends, and incidents spike ingestion temporarily.
Choose a tier at approximately the 80th percentile of daily ingestion (exceeded on only 20% of days). If daily ingestion ranges from 200–350 GB/day with most days between 250–300 GB, a 300 GB/day commitment captures the discount while limiting overage.
Security data volume grows 10–20% annually as new sources connect and the IT footprint expands. If you are at 300 GB/day today, budget for 330–360 GB/day next year. Tiers can be upgraded immediately; downgrading requires the current period to end.
Calculate, for each candidate tier: (daily commitment × tier rate × days in the period) + (total overage GB × tier rate), and compare with pay-as-you-go. Because overage is billed at the tier's own rate, a lower commitment with regular overage is often cheaper than a higher tier whose minimum you fill only on peak days; the higher tier only wins when its lower per-GB rate outweighs the commitment volume you pay for but do not send.
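The sizing procedure above as a small cost model, added here as a worked example rather than code from the original guide. It assumes you have already exported daily billable volume, for instance from the workspace's `Usage` table with `Usage | where TimeGenerated > ago(31d) and IsBillable | summarize GB = sum(Quantity) / 1024 by bin(TimeGenerated, 1d)`; the 31 daily values in the block are constructed sample data. The per-GB rates are assumptions derived from the ~$2.76/GB PAYG figure and the midpoint of each tier's quoted discount range: take real rates from the Azure pricing page, which also offers intermediate tiers (300 and 400 GB/day) that the table above omits. Overage is modelled at the tier's own rate over a 31-day commitment period.

```python
"""Sentinel commitment-tier sizing model (added example, not from the article).

Assumptions, all labelled: PAYG_RATE is the article's ~$2.76/GB combined rate
(varies by region); TIER_DISCOUNT is the midpoint of each discount range in the
article's table; overage above the commitment bills at the tier's own per-GB
rate; the period is 31 days. SAMPLE_DAILY_GB is constructed sample data.
"""
from math import ceil

PAYG_RATE = 2.76  # USD per GB, pay-as-you-go (assumption taken from the article)

# Commitment tier (GB/day) -> assumed discount vs PAYG (midpoint of the article's range).
TIER_DISCOUNT = {100: 0.175, 200: 0.275, 500: 0.375, 1000: 0.475, 2000: 0.525, 5000: 0.60}

# Constructed 31-day sample (Mon..Sun weeks): lighter weekends, one 520 GB incident spike.
SAMPLE_DAILY_GB = [
    310, 325, 298, 340, 315, 225, 210,
    305, 330, 520, 345, 312, 230, 215,
    298, 318, 335, 322, 309, 220, 212,
    315, 328, 340, 350, 320, 228, 218,
    302, 319, 333,
]


def tier_rate(tier_gb: int) -> float:
    """Effective per-GB rate for a commitment tier."""
    return PAYG_RATE * (1 - TIER_DISCOUNT[tier_gb])


def percentile(values, p: float):
    """Nearest-rank percentile (p in 0..100) of a list of daily volumes."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def heuristic_tier(p80_gb: float):
    """The article's rule of thumb: the largest tier not exceeding the 80th percentile.
    Returns None when no tier fits (stay on pay-as-you-go)."""
    eligible = [t for t in TIER_DISCOUNT if t <= p80_gb]
    return max(eligible) if eligible else None


def period_cost(daily_gb, tier_gb=None) -> float:
    """Cost of one period. Each day bills max(actual, commitment) at the tier rate;
    tier_gb=None models pay-as-you-go."""
    if tier_gb is None:
        return round(sum(daily_gb) * PAYG_RATE, 2)
    return round(sum(max(gb, tier_gb) for gb in daily_gb) * tier_rate(tier_gb), 2)


def recommend(daily_gb):
    """Return (cheapest option, {option: cost}) across PAYG (None) and every tier."""
    costs = {None: period_cost(daily_gb)}
    costs.update({t: period_cost(daily_gb, t) for t in TIER_DISCOUNT})
    return min(costs, key=costs.get), costs


if __name__ == "__main__":
    p80 = percentile(SAMPLE_DAILY_GB, 80)
    best, costs = recommend(SAMPLE_DAILY_GB)
    print(f"p80 = {p80} GB/day; rule-of-thumb tier = {heuristic_tier(p80)} GB/day")
    for tier, cost in costs.items():
        label = "PAYG" if tier is None else f"{tier} GB/day"
        print(f"{label:>12}: ${cost:,.2f} per period")
    print(f"cheapest option: {best} GB/day")
```

On this sample the 80th percentile is 333 GB/day, the rule of thumb picks the 200 GB/day tier, and the full model agrees: 200 GB/day is cheaper than both pay-as-you-go and the 500 GB/day tier, because the larger commitment bills for roughly 150–200 GB of unsent capacity on 30 of 31 days while the overage it would avoid is already billed at the cheaper tier rate.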
Simplified Commitment Tier (Unified Pricing): Microsoft offers a unified model covering both Log Analytics ingestion and Sentinel analytics in a single per-GB rate. This simplifies cost modelling and typically provides a slight additional discount. For most enterprises, the unified tier is the correct choice.
Not all data needs the same level of access. Microsoft offers three table tiers that match data access to data value.
| Table Tier | Cost | Query Access | Detection Rules | Best For |
|---|---|---|---|---|
| Analytics | Full per-GB rate | Full KQL, no limits | Full: scheduled rules, correlation, incidents, hunting | High-value security data driving real-time detection. |
| Basic | ~60–70% cheaper | Limited KQL subset; interactive queries billed per GB scanned | Cannot be used in scheduled analytics rules; no automatic incidents | Verbose data for investigation, not real-time detection. |
| Archive | ~$0.02/GB/month | Must be restored, or scanned with a search job, first (minutes to hours, per-GB scan charge) | None | Compliance retention: 1–7+ years, rarely accessed. |
The three-tier approach typically reduces total Sentinel costs by 25–40%. Converting a 50 GB/day source from analytics to basic saves 60–70%. For 500 GB/day enterprises, moving 30% (150 GB/day) to basic tables saves $5,000–$10,000/month.
Microsoft has been converging Sentinel and Microsoft Defender XDR (formerly Microsoft 365 Defender) into a unified security operations platform in the Microsoft Defender portal. The unified experience brings Sentinel workspaces, incidents, and hunting into the Defender portal alongside Defender XDR incidents and alerts, so analysts work from one queue.
The unified platform does not change Sentinel's consumption model. Data ingestion, retention, and commitment tiers remain the same.
Defender alerts and incidents flow into Sentinel at no ingestion cost and are immediately available for correlation with paid third-party sources. Raw Defender advanced-hunting tables (for example the Device* event tables) are billed at the standard rate when you choose to ingest them. Connect the alert and incident sources immediately; enable raw event tables only for the data your detections and investigations actually query.
Defender's built-in AIR handles Defender-specific incidents without Sentinel playbooks (Logic Apps). Only cross-source or custom workflows need SOAR playbooks, reducing Logic Apps charges.
| SIEM | Pricing Model | Free Data Sources | Sentinel Advantage |
|---|---|---|---|
| Splunk | Per daily ingestion (workload or ingest-based). Generally higher per-GB. | None. | Free Microsoft Defender alert, Azure Activity, and Office 365 audit data can represent 30–50% of SIEM volume. |
| Google Chronicle | Flat-rate per user, not data volume. More predictable, potentially expensive for low-volume. | Google Cloud integration data. | Better ecosystem fit for Microsoft-centric enterprises. |
| Elastic Security | Self-managed (per endpoint) or cloud consumption. Requires operational investment. | Limited. | Sentinel is fully managed with no infrastructure overhead. |
For enterprises with substantial Microsoft infrastructure, Sentinel's free ingestion creates a cost advantage competing SIEMs cannot match. For enterprises with minimal Microsoft infrastructure, the advantage diminishes and the comparison becomes more balanced.
Ensure every free source is connected: Microsoft Defender alerts and incidents (Endpoint, Office 365, Identity, Cloud Apps, Defender for Cloud), Azure Activity logs, and Office 365 audit logs. Connect Entra ID sign-in and audit logs as well, but budget for them unless your Microsoft 365 E5 data grant covers the volume. This establishes baseline detection capability at minimal ingestion cost.
Once data enters Sentinel, you pay. Use "Common" or "Minimal" Windows event sets. Send deny/alert logs from firewalls but consider excluding routine allow logs. Every GB should contribute to detection or investigation.
DNS queries, web proxy access logs, verbose telemetry: move to basic tables, save 60–70%. Create manual hunting queries for investigations instead of real-time rules.
Measure 30 days, size at 80th percentile, model overage costs. Revisit quarterly. The 15–65% discount is the single largest cost lever. See negotiating Azure commitments.
High-value data: 180 days interactive. Verbose operational data: 30 days before archiving. Compliance data: archive after 90 days. Configure per-table retention, not workspace defaults.
For 1–7 year retention, export to Azure Blob Storage ($0.01–$0.02/GB/month cool/archive) instead of retaining in workspace. Separates SIEM operations from compliance archive.
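The table-tier and per-table retention advice above (Analytics versus Basic, interactive window versus archive) as a planner, added here as a worked example and not code from the original guide. The rates are assumptions taken from this guide (~$2.76/GB PAYG, Basic tables 65% cheaper as the midpoint of 60–70%, $0.10/GB/month interactive retention beyond the free 90 days, $0.02/GB/month archive); the four tables and their volumes are constructed sample data. The model is steady state: once a retention window has filled, the GB held in each paid window equals daily volume multiplied by the days in that window. Basic tables are assumed to carry no paid interactive retention, since their short interactive window is fixed by the platform.

```python
"""Per-table tier and retention cost planner (added example, not from the article).

All rates are assumptions copied from the guide's figures; real prices vary by
region. Steady-state model: GB held in a paid window = daily_gb x days in window.
BEFORE and AFTER are constructed sample policies, not a real workspace.
"""
from dataclasses import dataclass

PAYG_RATE = 2.76                            # $/GB ingested into an Analytics table (assumption)
BASIC_RATE = round(PAYG_RATE * 0.35, 3)     # assumption: Basic is 65% cheaper than Analytics
INTERACTIVE_RATE = 0.10                     # $/GB/month beyond FREE_INTERACTIVE_DAYS (assumption)
ARCHIVE_RATE = 0.02                         # $/GB/month in the archive tier (assumption)
FREE_INTERACTIVE_DAYS = 90                  # included with a Sentinel-enabled workspace
DAYS_PER_MONTH = 30


@dataclass(frozen=True)
class TablePolicy:
    name: str
    daily_gb: float
    plan: str              # "Analytics" (full KQL, rules) or "Basic" (limited KQL, no rules)
    interactive_days: int  # days queryable without a restore
    total_days: int        # interactive days + archive days

    def monthly_cost(self) -> dict:
        """Steady-state monthly cost split into ingestion, paid interactive retention, archive."""
        if self.plan not in ("Analytics", "Basic"):
            raise ValueError(f"{self.name}: unknown plan {self.plan!r}")
        if self.total_days < self.interactive_days:
            raise ValueError(f"{self.name}: total retention shorter than interactive retention")
        ingest_rate = PAYG_RATE if self.plan == "Analytics" else BASIC_RATE
        ingestion = self.daily_gb * DAYS_PER_MONTH * ingest_rate
        # Only Analytics tables pay for interactive retention beyond the free window.
        paid_days = max(0, self.interactive_days - FREE_INTERACTIVE_DAYS) if self.plan == "Analytics" else 0
        interactive = self.daily_gb * paid_days * INTERACTIVE_RATE
        archive = self.daily_gb * (self.total_days - self.interactive_days) * ARCHIVE_RATE
        return {
            "ingestion": round(ingestion, 2),
            "interactive": round(interactive, 2),
            "archive": round(archive, 2),
            "total": round(ingestion + interactive + archive, 2),
        }


def total_monthly(policies) -> float:
    """Combined steady-state monthly cost of a set of table policies."""
    return round(sum(p.monthly_cost()["total"] for p in policies), 2)


def plan_savings(before, after) -> float:
    """Monthly saving of moving from one policy set to another covering the same tables."""
    by_name = {p.name: p for p in after}
    for p in before:
        if p.name not in by_name or by_name[p.name].daily_gb != p.daily_gb:
            raise ValueError(f"{p.name}: 'after' must cover the same tables at the same volume")
    return round(total_monthly(before) - total_monthly(after), 2)


# Constructed sample: everything in Analytics with 2 years interactive (the costly default).
BEFORE = [
    TablePolicy("SecurityEvent", 150, "Analytics", 730, 730),
    TablePolicy("CommonSecurityLog", 120, "Analytics", 730, 730),
    TablePolicy("DnsEvents", 60, "Analytics", 730, 730),
    TablePolicy("Syslog", 40, "Analytics", 730, 730),
]
# Tiered by value: high-value data stays interactive 180 days then archives to 2 years,
# compliance data archives after 90 days, verbose data moves to Basic and archives after 30.
AFTER = [
    TablePolicy("SecurityEvent", 150, "Analytics", 180, 730),
    TablePolicy("CommonSecurityLog", 120, "Analytics", 90, 730),
    TablePolicy("DnsEvents", 60, "Basic", 30, 730),
    TablePolicy("Syslog", 40, "Basic", 30, 365),
]

if __name__ == "__main__":
    for label, policies in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: ${total_monthly(policies):,.2f}/month")
        for p in policies:
            c = p.monthly_cost()
            print(f"  {p.name:<18}{p.plan:<10}ingest ${c['ingestion']:>9,.2f}  "
                  f"interactive ${c['interactive']:>8,.2f}  archive ${c['archive']:>7,.2f}")
    print(f"saving: ${plan_savings(BEFORE, AFTER):,.2f}/month")
```

The instructive part is the interactive-retention line: at 2 years interactive, a 150 GB/day SecurityEvent table holds 640 paid days of data, so retention alone costs nearly as much as ingestion, and moving verbose tables to Basic cuts their ingestion by two thirds before any retention change. The same two levers are what you set per table with the workspace's table plan and retention settings.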
Each firing rule creates incidents, enrichment data, and entity records consuming storage. High false-positive rules create cost without value. 50 high-fidelity rules outperform 200 noisy rules.
Sentinel consumption counts toward the MACC in the Enterprise Agreement. Ensure MACC sizing includes Sentinel. An undersized MACC results in PAYG overage charges.
Commitment tier pricing is per workspace, unless workspaces are linked to a dedicated cluster, where the commitment is set at cluster level and shared across them. Two separate workspaces at 100 GB/day each get the 100 GB/day tier individually; one workspace (or one cluster) at 200 GB/day qualifies for the cheaper 200 GB/day tier. Consolidate workspaces, or pool them in a dedicated cluster, unless regulatory reasons require separation.
Set Azure Monitor alerts for spikes. Misconfigured sources or incidents can spike ingestion 200–500%. Alert at 120% of commitment tier for early warning before costs compound.
"Microsoft Sentinel is one of the best-designed cloud SIEMs available today. It is also one of the easiest to accidentally overspend on. The consumption model means there is no upper limit on your bill. The enterprises that manage Sentinel costs well treat the SIEM budget like the Azure budget: commit to the right tier, filter at the source, tier the data by value, and monitor every day. The ones that manage it poorly connect every source at maximum verbosity, retain everything in analytics tables for two years, and discover at the quarterly review that their SIEM costs more than their SIEM team."
— Fredrik Filipsson, Co-Founder, Redress Compliance
At pay-as-you-go rates, approximately $2.76/GB for combined ingestion and analysis (varies by region). Commitment tiers reduce this by 15–65%. At 500 GB/day commitment, the per-GB cost drops 35–40%. The first 90 days of retention are included at no additional charge.
Yes, for a defined set of sources. Alerts and incidents from Defender for Endpoint, Office 365, Identity, Cloud Apps, and Defender for Cloud are free, as are Azure Activity logs and Office 365 audit logs. Entra ID sign-in and audit logs are billed at the standard rate unless covered by the Microsoft 365 E5 data grant (up to 5 MB per user per day). For Microsoft-centric enterprises, free data can still represent 30–50% of total SIEM volume.
Basic tables are 60–70% cheaper than analytics tables for data that needs retention and occasional search but not real-time detection. Data can be queried with a limited KQL subset (queries are billed per GB scanned) but cannot be used in scheduled analytics rules. Ideal for DNS queries, web proxy logs, and informational telemetry.
Interactive retention: up to 2 years. First 90 days free; beyond that ~$0.10/GB/month. Archive retention: up to 12 years at ~$0.02/GB/month (must restore before querying). For compliance exceeding 2 years, use archive tier or export to Azure Blob Storage.
Upgrade anytime (immediate effect). Downgrade requires current commitment period to end (typically 31-day auto-renewal). Monitor daily ingestion continuously and revisit tier sizing quarterly as data sources and volumes change.
Yes. Sentinel consumption counts toward the MACC in the Enterprise Agreement. Ensure MACC sizing includes Sentinel ingestion and projected growth. An undersized MACC results in pay-as-you-go overage charges for consumption exceeding the commitment.