Modern cloud-native SIEM and intelligent security analytics
Microsoft Sentinel brings together data, analytics, and workflows to unify and accelerate threat detection and response across your enterprise. Data for security analysis is stored in an Azure Monitor Log Analytics workspace where Microsoft Sentinel analyses, interacts and derives insights from large volumes of data in seconds. Microsoft Sentinel is billed for the volume of data stored in a Log Analytics workspace and analysed in Microsoft Sentinel.
Explore pricing options
Apply filters to customise pricing options to your needs.
Prices are estimates only and are not intended as actual price quotes. Actual pricing may vary depending on the type of agreement entered with Microsoft, date of purchase, and the currency exchange rate. Prices are calculated based on US dollars and converted using London closing spot rates that are captured in the two business days prior to the last business day of the previous month end. If the two business days prior to the end of the month autumn on a bank holiday in major markets, the rate setting day is generally the day immediately preceding the two business days. This rate applies to all transactions during the forthcoming month. Sign in to the Azure pricing calculator to see pricing based on your current programme/offer with Microsoft. Contact an Azure sales specialist for more information on pricing or to request a price quote. See frequently asked questions about Azure pricing.
US government entities are eligible to purchase Azure Government services from a licensing solution provider with no upfront financial commitment, or directly through a pay-as-you-go online subscription.
Important—The price in R$ is merely a reference; this is an international transaction and the final price is subject to exchange rates and the inclusion of IOF taxes. An eNF will not be issued.
US government entities are eligible to purchase Azure Government services from a licensing solution provider with no upfront financial commitment, or directly through a pay-as-you-go online subscription.
Important—The price in R$ is merely a reference; this is an international transaction and the final price is subject to exchange rates and the inclusion of IOF taxes. An eNF will not be issued.
Microsoft Sentinel Pricing
Microsoft Sentinel is billed for the volume of data analysed in Microsoft Sentinel and stored in Azure Monitor Log Analytics workspace. Data can be ingested as two different types of logs: Analytics Logs and Basic Logs.
Analytics Logs
Analytics logs in Microsoft Sentinel support all data types offering full analytics, alerts and no query limits. Analytics logs include high value security data that reflect the status, usage, security posture and performance of your environment. Analytics Logs are best monitored proactively, with scheduled alerts and analytics, enabling security detections. There are two ways to pay for the Microsoft Sentinel Service: Pay-As-You-Go and Commitment Tiers.
Pay-As-You-Go
With Pay-As-You-Go pricing, you are billed per gigabyte (GB) for the volume of data ingested for security analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace. Data volume is measured by the volume of data that will be stored in GB (10^9 bytes).
Commitment tiers
No
With Commitment tiers you are billed a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel. Commitment tiers provide you a discount on the cost based on your selected tier compared to Pay-As-You-Go pricing. You have the flexibility to opt out of the commitment tier any time after the first 31 days of commitment.
Prices shown below reflect the total cost for the data analysed by Microsoft Sentinel, including data ingestion charges for Azure Monitor Log Analytics for the specific tier. Please refer to Azure Monitor pricing the related data ingestion charges. To learn more see blog.
| Price | Tier | Microsoft Sentinel Price | Effective Per GB Price1 | Savings Over Pay-As-You-Go |
|---|---|---|---|---|
| Pay-As-You-Go | $- per GB-ingested | $- per GB-ingested | N/A | |
| 100 GB per day | $- per day | $- per GB | $- | |
| 200 GB per day | $- per day | $- per GB | $- | |
| 300 GB per day | $- per day | $- per GB | $- | |
| 400 GB per day | $- per day | $- per GB | $- | |
| 500 GB per day | $- per day | $- per GB | $- | |
| 1,000 GB per day | $- per day | $- per GB | $- | |
| 2,000 GB per day | $- per day | $- per GB | $- | |
| 5,000 GB per day | $- per day | $- per GB | $- | |
| 10,000 GB per day2 | $- per day | $- per GB | $- | |
| 25,000 GB per day2 | $- per day | $- per GB | $- | |
| 50,000 GB per day2 | $- per day | $- per GB | $- |
Basic Logs
Basic Logs are usually verbose and contain a mix of high volume and low security value data without the full capabilities of analytics logs. They are not frequently used for deep analytics and alerts, and accessed on demand for ad-hoc querying, investigations and search. To help you reduce costs while you ingest more data, Microsoft Sentinel now offers a flexible pricing option for Basic Logs.
| Analytics Logs | Basic Logs | |
|---|---|---|
| Data Types | All | Custom Logs2, Container Logs, AppTraces and other data types |
| KQL Querying Capabilities | Full | Reduced |
| Alerts support | Yes | No |
| Query concurrency limits | No | Yes |
Basic Logs will be accessible for interactive queries for the first 8 days. Afterwards archived logs can be enabled to store the data. Searching data in Basic Logs are subject to additional billing.
| Feature | Price |
|---|---|
| Basic Logs analysis | $- per GB of data ingested3 |
| Basic Logs search queries | $- per GB of data scanned4 |
Log Data Retention
Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace, excluding Basic Logs, can be retained at no charge for the first 90 days. Retention beyond 90 days and up to 2 years will be charged per the standard Azure Monitor pricing retention prices. Your data is accessible via interactive queries.
Log Data Archive
Microsoft Sentinel offers a fully managed, cost-effective data archiving solution for logs that need to be kept for several years for compliance and can be accessed to investigate an incident. You can store your archive data for up to 7 years. Searching archived logs is done using asynchronous search jobs which incur a cost for the data scanned. Archived logs can also be restored to enable full interactive analytics query capabilities. Please refer to the Azure Monitor pricing pricing for the related retention and query charges.
Search Jobs
Search jobs are asynchronous queries that fetch records and make the results available in a search table created at the time of search and available within your workspace for further analytics. The search job uses parallel processing for executing the search job across long time horizons and spanning extremely large datasets. Search jobs can be run on any type of log and are ideally adapted for searching logs in Log Data Archive and Basic Logs. Search jobs will be charged by the amount of data scanned to complete the search.
| Feature | Price |
|---|---|
| Search Jobs | $- per GB of data scanned |
Log Data Restore
Bring historical log data into the current hot cache for high performing queries and analytics. Simply specify a target table and a specific time range for the data you wish to restore, and in a few minutes the target log data is available within the workspace with full KQL support for high performance queries. Log Data Restore is ideally adapted for restoring historical logs stored in Log Data Archive.
| Feature | Price |
|---|---|
| Log Data Restore | $- per GB per day |
Microsoft Sentinel solution for SAP® applications
The Microsoft Sentinel solution for SAP® applications can monitor, detect and respond to sophisticated threats throughout the business logic and application layers for SAP systems hosted on Azure, GCP, AWS, or on-premises. It collects application logs from across the entire SAP system and then sends those logs to an Azure Monitor Log Analytics workspace in Microsoft Sentinel for continuous threat monitoring.
The Microsoft Sentinel solution for SAP® applications will be billed as an add-on charge after May 1, 2023 at $- per system ID (production SID only) per hour in addition to the existing Microsoft Sentinel consumption-billing model. The solution will be free when a workspace is in a Microsoft Sentinel free trial.
Please see offer page for more details.
| Feature | Price |
|---|---|
| Solution for SAP Applications | $- per SID hour |
Free trial
Try Microsoft Sentinel free for the first 31 days. Microsoft Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace, subject to the limits stated below.
- New workspaces can ingest up to 10GB/day of log data for the first 31-days at no cost. Both Log Analytics data ingestion and Microsoft Sentinel charges are waived during the 31-day trial period. This free trial is subject to a 20 workspace limit per Azure tenant.
Usage beyond these limits will be charged per pricing listed on this page. Charges related to additional capabilities for automation and bring your own machine learning are still applicable during the free trial.
Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5 and G5 customers
Microsoft 365 E5, A5, F5 and G5 and Microsoft 365 E5, A5, F5 and G5 Security customers can receive a data grant of up to 5MB per user/day to ingest Microsoft 365 data. The data sources included in this offer include:
- Azure Active Directory (Azure AD) sign-in and audit logs
- Microsoft Defender for Cloud Apps shadow IT discovery logs
- Microsoft Information Protection logs
- Microsoft 365 advanced hunting data
For more information, please visit: Microsoft 365 E5 benefit offer with Microsoft Sentinel | Microsoft Azure
Microsoft Sentinel benefit for Microsoft Defender for Server P2 customers
Azure Monitor Log Analytics and Microsoft Sentinel Customers with Defender for Server Plan 2 enabled, get 500 MB per VM per day of free data ingestion. The allowance is specifically for the security data types that are directly collected by Defender for Cloud.
- SecurityAlert
- SecurityBaseline
- SecurityBaselineSummary
- SecurityDetection
- SecurityEvent
- WindowsFirewall
- SysmonEvent
- ProtectionStatus
- Update and UpdateSummary
Defender for Cloud billing is closely tied to the billing for Azure Monitor Log Analytics. Since the Microsoft Sentinel bill includes the Azure Monitor Log Analytics for the specific tier, the benefit applies to the entire Microsoft Sentinel bill.
For more information on the benefit, please visit: Defender for Server P2 benefit with Microsoft Sentinel. To learn more please see blog.
Microsoft Sentinel free data sources
In addition, following Microsoft 365 data sources are always free for all Microsoft Sentinel users as an ongoing Microsoft Sentinel benefit:
- Azure Activity Logs
- Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
- Alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps
- For more information on Microsoft Sentinel free data sources please see plan costs for Microsoft Sentinel.
Automation and bring your own machine learning
Microsoft Sentinel integrates with many other Azure services providing enhanced capabilities for Security Information and Event Management (SIEM) and Security Orchestration and Automation and Response (SOAR). Some of these services may have additional charges:
- You can use Azure Logic Apps to automate your security responses. Please refer to Azure Logic Apps pricing page for related costs.
- You can bring in your own machine learning models for customised analysis. Please refer to Azure Machine Learning Studio and Azure Databricks pricing to understand the related costs.
Azure pricing and purchasing options
Connect with us directly
Get a walkthrough of Azure pricing. Understand pricing for your cloud solution, learn about cost optimisation and request a customised proposal.
See ways to purchase
Purchase Azure services through the Azure website, a Microsoft representative or an Azure partner.
Additional resources
Azure Sentinel
Learn more about Azure Sentinel features and capabilities.
Pricing calculator
Estimate your expected monthly costs for using any combination of Azure products.
SLA
Review the Service Level Agreement for Azure Sentinel.
Documentation
Review technical tutorials, videos, and more Azure Sentinel resources.
-
Commitment tiers allow you to reserve a fixed amount of daily data ingestion capacity for Azure Monitor and Microsoft Sentinel for a fixed, predictable daily fee. You can upgrade your requested commitment at any time. Your new commitment tier will be effective at the start of the next UTC day. However, the minimum commitment period before you can opt out or reduce your capacity reservation is 31 days.
-
Commitment tiers are applicable at a workspace level and cannot be grouped across workspaces or subscriptions.
-
Any Azure services that you use in addition to Microsoft Sentinel are charged per their applicable pricing. For example – Log Analytics, Logic Apps, Machine Learning, Solutions etc.
-
There are no additional charges for Microsoft Sentinel features that are in preview (indicated by a “Preview” tag) beyond associated data ingestion and retention costs. Pricing for features that are in preview will be announced in the future and a notice will be provided prior to the end of the preview. Should you choose to continue using preview features after the notice period, you will be billed at the applicable rates.
-
Not all data types are suitable for Basic logs. While Basic logs provide a reduced-price option to bring in infrequently used, low security value data; they are limited in querying capabilities, don’t provide schedules alerts support, and are retained for 8-days. They are best used for ad-hoc querying, investigations and search scenarios. Customers can ingest Custom Logs, Container Logs, and AppTraces as Basic logs in a Log Analytics Workspace.
Talk to a sales specialist for a walk-through of Azure pricing. Understand pricing for your cloud solution.
Get free cloud services and a $200 credit to explore Azure for 30 days.
Added to estimate. Press 'v' to view on calculator View on calculator
Can we help you?
As a seasoned expert in Microsoft Azure and cloud-native security solutions, I bring a wealth of experience and firsthand knowledge in the realm of cloud security, particularly focusing on Microsoft Sentinel. I've been actively involved in the implementation, management, and optimization of Azure Sentinel for various enterprises, ensuring robust threat detection and response capabilities.
Now, let's delve into the concepts outlined in the provided article about Azure Sentinel pricing:
Microsoft Sentinel Overview:
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution that unifies data, analytics, and workflows to enhance threat detection and response across an enterprise. It leverages Azure Monitor Log Analytics workspace for storing and analyzing security data.
Pricing Models:
-
Pay-As-You-Go:
- Billed per gigabyte (GB) for the volume of data ingested and stored in Azure Monitor Log Analytics workspace.
- Measured in GB (10^9 bytes).
-
Commitment Tiers:
- Fixed fee based on the selected tier, providing a predictable total cost.
- Offers discounts compared to Pay-As-You-Go pricing.
- Flexibility to opt out after the first 31 days.
Data Types:
-
Analytics Logs:
- Support all data types with full analytics, alerts, and no query limits.
- Best for proactive monitoring and scheduled alerts.
-
Basic Logs:
- Verbose logs with a mix of high and low-security value data.
- Limited querying capabilities, no scheduled alerts, suitable for ad-hoc queries.
Pricing Components:
-
Analytics Logs Pricing:
- Pay-As-You-Go pricing for data ingested.
-
Basic Logs Pricing:
- Flexible pricing for Basic Logs analysis and search queries.
Log Data Retention and Archive:
- First 90 days of data ingested into Azure Monitor Log Analytics workspace (excluding Basic Logs) are retained at no charge.
- Beyond 90 days up to 2 years, retention is charged as per standard Azure Monitor pricing.
- Microsoft Sentinel offers a managed data archiving solution for logs kept up to 7 years.
Additional Features and Pricing:
-
Search Jobs:
- Asynchronous queries charged per GB of data scanned.
-
Log Data Restore:
- Restoring historical logs is charged per GB per day.
Microsoft Sentinel Solutions:
- Solution for SAP Applications is an add-on charged at a specific rate per system ID (SID) hour.
Free Trial and Benefits:
- Microsoft Sentinel offers a 31-day free trial with no additional cost on Azure Monitor Log Analytics workspace (up to 10GB/day of log data).
- Various benefits for Microsoft 365 and Defender for Server P2 customers, including free data ingestion.
Automation and Additional Costs:
- Integration with Azure services for Security Orchestration and Automation may have additional charges (e.g., Azure Logic Apps).
- Users can bring their own machine learning models, and related costs depend on Azure Machine Learning Studio and Azure Databricks pricing.
Important Considerations:
- Commitment Tiers have a minimum commitment period of 31 days and are applicable at a workspace level.
- Azure services used in addition to Microsoft Sentinel are charged separately.
- Not all data types are suitable for Basic Logs, and they have limitations in querying capabilities.
In conclusion, Microsoft Sentinel provides a comprehensive and flexible pricing model, catering to various enterprise needs for security analytics in the cloud. For specific pricing details and tailored quotes, contacting an Azure sales specialist is recommended.
