CyrilChu (Copper Contributor), Jun 06, 2022
Pricing Calculator for Microsoft Sentinel
Hi everyone, I am using the Pricing Calculator for Microsoft Sentinel.
I can see the pricing split into two parts - Azure Monitor and Microsoft Sentinel.
In my understanding, Microsoft Sentinel will process the logs stored in the Log Analytics Workspace. The cost is based on the log size in the Log Analytics Workspace. It may not relate to the Azure Monitor part. Does the Pricing Calculator charge the Azure Monitor part because Azure Monitor and Microsoft Sentinel share the same Log Analytics Workspace?
Basically, I am not using Azure Monitor. Is there any method to reduce the cost of the Azure Monitor part?
- ollie9323291, Copper Contributor
It seems Microsoft Sentinel and Azure Monitor share the same Log Analytics Workspace, impacting cost calculations. To reduce Azure Monitor costs, consider optimizing log retention periods, data ingestion rates, and possibly using the Age Calculator to assess data relevance before storage.
- shanksraina, Copper Contributor
The major ways Sentinel pricing can be affected:
1. Size of logs ingested per day
2. Type of logs
3. Location of Log Analytics deployment
4. Number of E5, A5, F5 and G5 licenses
5. Free Data Sources
6. Log Data Retention
7. Type of Retention
Size of logs ingested per day
Simply, the more you ingest into Sentinel per day, the more you will have to pay. My advice would be, instead of ingesting everything in one go, to try to understand the risks for the company and create a phased plan for data ingestion.
Type of Logs
We can ingest two types of logs into Sentinel – Basic and Analytical. The analytical logs are what we generally ingest and can use for alerting. The basic logs cannot be used for alerts, have limited KQL capability and have search query concurrency limits. The cost of basic logs is significantly less than that of analytical logs, with a reduction of up to 75%.
Location of Log Analytics deployment
There is some difference in costs depending on the location where the data is stored for the Log Analytics workspace. For example, the per GB pay-as-you-go price for Switzerland is around £5 vs. UK South, which is £4.5.
Number of E5, A5, F5 and G5 licenses
Microsoft 365 E5, A5, F5 and G5 Security customers can receive a data grant of up to 5MB per user/day to ingest Microsoft 365 data. This includes AD sign-in and audit logs, 365 advanced hunting data and a couple more.
Free Data Sources
Some Microsoft 365 data sources are free for everyone, like Azure activity, Office 365 audit, alerts from Defender 365 and cloud, etc.
Log Data Retention
We can choose, per data source, how long we want it to be stored for searching. The default is set to 730 days and can be changed for all sources using the Log Analytics workspace or, for individual sources, using PowerShell.
Type of Retention
The priciest is the active storage, where you can search effectively. Additionally, we can either use the archive function of Sentinel or export data to other services like Azure Data Lake etc., which is cheaper than active storage, but we must go through some hoops to search the data.
- mikhailf, Steel Contributor
Hello CyrilChu,
The pricing is split into two parts - Azure Monitor and Microsoft Sentinel because:
Azure Monitor is considered to be the "Ingestion" part (GB of logs that are ingested into Log Analytics Workspace) and Microsoft Sentinel is the SIEM system itself that operates logs, queries, workbooks, connectors etc.