Forum Discussion
Microsoft Sentinel Pricing Factors
The major ways Sentinel pricing can be affected:
- Size of logs ingested per day
- Type of logs
- Location of Log Analytics deployment
- Number of E5, A5, F5 and G5 licenses
- Free Data Sources
- Log Data Retention
- Type of Retention
Size of logs ingested per day
Simply put, the more you ingest into Sentinel per day, the more you will have to pay. My advice would be, instead of ingesting everything in one go, to understand the risks for the company and create a phased plan for data ingestion.
Type of Logs
We can ingest two types of logs into Sentinel – Basic and Analytics. The Analytics logs are what we generally ingest, and we can use them for alerting. The Basic logs cannot be used for alerts, have limited KQL capability and have search query concurrency limits. The cost of Basic logs is significantly less than Analytics logs, with a reduction of up to 75%.
Location of Log Analytics deployment
There is some difference in cost depending on which location the Log Analytics workspace data is stored in. For example, the per-GB pay-as-you-go price for Switzerland is around £5 vs UK South, which is £4.5.
Number of E5, A5, F5 and G5 licenses
Microsoft 365 E5, A5, F5 and G5 Security customers can receive a data grant of up to 5 MB per user/day to ingest Microsoft 365 data. This includes AD sign-in and audit logs, 365 advanced hunting data and a couple more.
Free Data Sources
Some Microsoft 365 data sources are free for everyone, like Azure Activity, Office 365 audit, alerts from Defender 365 and Defender for Cloud, etc.
Log Data Retention
The default is 30 days of free retention in Log Analytics; however, for a Sentinel workspace you can increase that free retention to 90 days (you have to opt in to this). Analytics logs can be further retained for up to 730 days (but this requires a retention cost per GB).
Type of Retention
The priciest is the active storage, where you can search effectively. Additionally, we can either use the archive function of Sentinel OR export data to other stores like Azure Data Lake, etc., which is cheaper than active storage, but we must go through some hoops to search the data.
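Since the post's first factor is daily ingestion volume, the practical first step is to see which tables are actually driving that volume. The following KQL query is an added example, not code from the original post or from Microsoft: it reads the standard Log Analytics `Usage` table (where `Quantity` is billable volume in MB and `IsBillable` flags chargeable records) and multiplies by a placeholder `PricePerGB` taken from the post's UK South figure. Substitute your own region's rate; the result is an estimate of the Log Analytics ingestion component only, not the full Sentinel bill.

```kql
// Added example: rank tables by billable ingestion over the last 30 days
// and estimate the per-day ingestion cost of each one.
// PricePerGB is a placeholder (the post's UK South pay-as-you-go figure);
// replace it with the rate for your workspace's region.
let PricePerGB = 4.5;
let WindowDays = 30;
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true              // ignore free data sources
| summarize IngestedMB = sum(Quantity) by DataType
| extend IngestedGB = round(IngestedMB / 1024.0, 2)
| extend AvgGBPerDay = round(IngestedGB / WindowDays, 2)
| extend EstCostPerDay = round(AvgGBPerDay * PricePerGB, 2)
| project DataType, IngestedGB, AvgGBPerDay, EstCostPerDay
| sort by IngestedGB desc
```

The tables at the top of this list are the ones to review first when deciding which sources belong in the phased ingestion plan and which high-volume, non-alerting tables are candidates for the cheaper Basic log type the post describes.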
2 Replies
- Clive_Watson (Bronze Contributor)
Can I suggest an update to:
"We can choose per data source the time we want it to be stored for our searching. The default is set to 730 days"
The default is 30 days of free retention in Log Analytics; however, for a Sentinel workspace you can increase that free retention to 90 days (you have to opt in to this). Analytics logs can be further retained for up to 730 days (but this requires a retention cost per GB).
- shanksraina (Copper Contributor)
Clive_Watson thanks for pointing that out.