Azure Sentinel Billing Process

Copper Contributor

I am trying to understand billing process of Sentinel. So what I get is 

The total price for Azure Sentinel is the Azure Sentinel Ingestion + Log Analytics Ingestion + Data Retention (first 90 days free).   There is also a charge for using Playbooks (charged at the Logic App rates).

So when I send log to work-space then I paying for two things (Ingestion + Retention). Now when I run a search on Sentinel which stays on top of work-space, do I pay for that data as well? I mean let's say I am running a KQL & may be I am checking historical logs too & so far I have searched over 10gb data so as it is pulling the data from work-space, so I am paying for that 10gb data as well. Not sure If I can explain it properly because Azure is new to me & previous SIEM I worked with, they used to charge based on EPS (Event Per Second). Any suggestion would be appreciated.

1 Reply

@msef280 There's no cost to run queries.