Service pricing for Microsoft Sentinel
There are several components to consider when pricing Microsoft Sentinel:
- A charge for ingesting data into Log Analytics
- A charge for running the data through Microsoft Sentinel
- Retention of data, past the initial 90-day default retention allowance
- Charges for running Logic Apps for Automation (optional)
- Charges for running your own machine learning models (optional)
- The cost of running any VMs for data collectors (optional)
The cost of Azure Monitor and Microsoft Sentinel is calculated from how much data is ingested, which is driven directly by the connectors you enable: the type of information each one collects and the volume of data each source generates. This may vary from day to day throughout the month as activity changes across your infrastructure and cloud services. Some customers notice a change that tracks their own sales fluctuations, or when they come under a DDoS attack.
The pricing is also influenced by how long the data is retained within Microsoft Sentinel. The default is 90 days but can be extended to up to 2 years. Most security operations require between 6 and 12 months of hot data retention. After the set retention period, use Azure Data Explorer (ADX) to retain data for as long as required (up to 99 years).
The initial pricing option is to use Pay as You Go (PAYG). With this option, you pay a fixed price per Gigabyte (GB) ingested, charged on a per-day basis. Microsoft has provided the option to commit to varying volume tiers and receive discounts in return based on larger volumes of data.
It is worth noting that Microsoft has made available some connectors that do not incur a data ingestion cost. The data from these connectors could account for 10-20% of your total data ingestion, which reduces your overall costs. Currently, the following data connectors are not charged for ingestion (in general, free ingestion covers alerts only, though some connectors include the full data set). The details are here: https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/#faq.
- Azure Activity (activity logs for Azure operations)
- Azure Active Directory Identity Protection (for tenants with Azure Active Directory P2 licenses)
- Microsoft Information Protection
- Microsoft Defender
- Azure Security Center
- Microsoft 365 Defender
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Microsoft Defender for Identity
- Office 365 audit logs (all Teams, Exchange admin, and SharePoint activity logs)
The pricing works by charging on a PAYG basis for each day, based on actual data consumption. There are capacity commitment tiers available to provide discount pricing when the volume of data ingested regularly reaches the reservation limits:
- 100 GB
- 200 GB
- 300 GB
- 400 GB
- 500 GB
- 1,000 GB (1 TB)
- 2,000 GB (2 TB)
- 5,000 GB (5 TB)
With capacity reservation, a fixed price is paid each day for the data at that tier, and any data over the tier amount is charged per GB at a PAYG price. That overage price is set to the same per-GB amount as the committed tier's discounted price. When you work through the calculations for the pricing tiers, it makes financial sense to move up to the next tier at the point where the reservation becomes cheaper than paying the PAYG overage, which falls between 50 and 80% of the way to the next tier.
For example, if you ingest an average of 130 GB per day, you pay the fixed price for the first 100 GB and the PAYG price per GB for the additional 30 GB (example per day = $296). If your daily usage rises to 185 GB, you save money by moving to the 200 GB plan (example per day = $276) and paying for the unused capacity, rather than paying for 100 GB (fixed) + 85 GB (PAYG) (total per day = $384.80).
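The tier arithmetic described above, worked through as an added example (this code is not part of the original text and is not Microsoft's pricing tool). The tier sizes are the ones listed on this page; the PAYG rate and the per-tier daily prices are constructed placeholders chosen only so that the effective per-GB rate falls as the tier grows, and the break-even points they produce are specific to those placeholder numbers. Overage is modelled as described above: billed at the committed tier's effective per-GB rate.

```python
"""Daily-cost model for Microsoft Sentinel capacity commitment tiers.

Illustrative example only: PAYG_RATE and TIER_PRICES are CONSTRUCTED
placeholders, not Microsoft's published rates. Substitute the current
figures from the Azure pricing page before relying on the output.
"""
from typing import Optional

# Constructed PAYG price per GB ingested (placeholder value).
PAYG_RATE = 2.50

# Constructed fixed daily price per commitment tier (GB/day -> $/day).
# The tier sizes match the page; the prices are placeholders.
TIER_PRICES = {
    100: 200.0,
    200: 320.0,
    300: 420.0,
    400: 520.0,
    500: 600.0,
    1000: 1100.0,
    2000: 2000.0,
    5000: 4500.0,
}

# Constructed sample month: 30 days, busier weekdays and quieter weekends.
SAMPLE_MONTH = [180, 190, 175, 185, 195, 120, 110] * 4 + [180, 190]


def effective_rate(tier_gb: int) -> float:
    """Per-GB price implied by a tier's fixed daily charge."""
    return TIER_PRICES[tier_gb] / tier_gb


def daily_cost(volume_gb: float, tier_gb: Optional[int] = None) -> float:
    """Cost of one day at the given ingestion volume.

    tier_gb=None means pure PAYG. On a commitment tier you pay the fixed
    daily price, and any volume above the tier is billed at that tier's
    effective per-GB rate (the overage rule described on the page).
    """
    if tier_gb is None:
        return volume_gb * PAYG_RATE
    overage = max(0.0, volume_gb - tier_gb)
    return TIER_PRICES[tier_gb] + overage * effective_rate(tier_gb)


def cheapest_plan(volume_gb: float) -> tuple:
    """Return (tier, daily cost) of the cheapest option; tier is None for PAYG."""
    options = [(None, daily_cost(volume_gb))]
    options += [(t, daily_cost(volume_gb, t)) for t in TIER_PRICES]
    return min(options, key=lambda option: option[1])


def breakeven_volume(tier_gb: int, next_tier_gb: int) -> float:
    """Daily volume at which next_tier_gb beats tier_gb plus overage.

    Solves fixed_T + (v - T) * rate_T == fixed_next for v.
    """
    extra_fixed = TIER_PRICES[next_tier_gb] - TIER_PRICES[tier_gb]
    return tier_gb + extra_fixed / effective_rate(tier_gb)


def monthly_cost(daily_volumes: list, tier_gb: Optional[int] = None) -> float:
    """Sum the per-day charges over a list of daily ingestion volumes."""
    return round(sum(daily_cost(v, tier_gb) for v in daily_volumes), 2)


if __name__ == "__main__":
    for volume in (50, 130, 185):
        plan, cost = cheapest_plan(volume)
        label = "PAYG" if plan is None else f"{plan} GB tier"
        print(f"{volume:>4} GB/day -> {label} at ${cost:.2f}/day")
    print(f"100 GB tier stops paying off at {breakeven_volume(100, 200):.0f} GB/day")
    # A tier sized for the average can still lose to the next tier once
    # the busy days' overage is added up across the month.
    for tier in (100, 200):
        print(f"{tier} GB tier over the sample month: ${monthly_cost(SAMPLE_MONTH, tier):,.2f}")
```

Because overage is priced at the tier's own rate, the break-even point toward the next tier is simply the current tier size plus the extra fixed cost divided by the current effective rate; with the placeholder prices the 100 GB tier stops paying off at 160 GB/day, and the sample month shows the 200 GB tier beating the 100 GB tier even though several days fall well below 200 GB.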
When you look at the amount of data you are using, you may see a trend toward more data being consumed each month as you expand the solution to cover more of your security landscape. As you approach the next tier, you should consider changing the pricing model; you have the option to change once every 30 days.
The next area of cost management to consider is retention and long-term storage of the Microsoft Sentinel data. By default, the preceding pricing includes 90 days of retention. For some companies, this is enough to ensure visibility over the last 3 months of activity across their environment; for others, there will be a need to retain this data for longer, sometimes between 2 and 7 years depending on regulatory requirements in your country or industry. There are two primary ways of maintaining data long term, and both should be considered and chosen based on price and technical requirements:
- Azure Monitor: This is the native storage for Microsoft Sentinel and provides a default hot storage period of 90 days, which can be extended to keep hot data for up to 2 years.
  - Pros: The data stays online in Azure Monitor, so it can be queried directly with KQL, and it can be filtered so that only essential information is retained.
  - Cons: This is likely the most expensive option per GB compared to the other options.
- Azure Data Explorer (ADX): This solution can maintain data indefinitely; pricing is based on a combination of the volume of data stored and the amount of compute required for querying. Generally, this will be one-tenth of the cost of Microsoft Sentinel for long-term storage.
  - Pros: The data stays online in Azure, so it can be queried directly with KQL, and it can be filtered so that only essential information is retained.
  - Cons: This is a separate service and requires some initial configuration and integration effort for unsupported tables.
- Other storage options: Cloud-based or physical storage solutions can be used to store the data indefinitely, usually fed by sending data through Event Hubs or Azure Storage.
  - Pros: Cheaper options are available from a variety of partners.
  - Cons: Additional charges apply if data is sent outside of Azure, and the data cannot be queried by Microsoft Sentinel. Using this data requires another solution to be implemented to query it when required.
Each of these components is highly variable across deployments, so you will need to carry out this research as part of your design. Also, research the latest region availability and ascertain whether Microsoft Sentinel is supported in the various government clouds, such as in China.