Azure Sentinel Billing Process

Occasional Contributor

I am trying to understand the billing process of Sentinel. So what I get is:

The total price for Azure Sentinel is the Azure Sentinel Ingestion + Log Analytics Ingestion + Data Retention (first 90 days free). There is also a charge for using Playbooks (charged at the Logic App rates).

So when I send logs to the workspace, I am paying for two things (Ingestion + Retention). Now when I run a search on Sentinel, which stays on top of the workspace, do I pay for that data as well? I mean, let's say I am running a KQL query & maybe I am checking historical logs too & so far I have searched over 10 GB of data, so as it is pulling the data from the workspace, I am paying for that 10 GB of data as well. Not sure if I can explain it properly because Azure is new to me & the previous SIEM I worked with used to charge based on EPS (Events Per Second). Any suggestion would be appreciated.

1 Reply

@msef280 There's no cost to run queries.