Sentinel Cost Estimation

Brass Contributor

Good evening community,


I need some help understanding the costing for Sentinel. I'm trying to build a case for Sentinel as a compete to an existing solution.


The environment has around 1000 server, 400 endpoints, and 50 network devices.

They have a big investment in Microsoft security services (ATA, ATP, Defender, MDM, etc.) with O365 E5.


But I digress...


Am I correct that they will not be charged for any log ingestion from ATP, ASC, O365, and MCAS into Sentinel when connecting to these sources?


What will they be charged for then? Only the storage costs associated with the Log Analytics workspace? When doing the costing, do I include only those sources not explicitly mentioned as free connectors?

5 Replies

@SebastiaanR You will not get charged for O365 data and the ALERTS coming from the other Azure security products, like MCAS and ATP, and the Azure Activity logs.  Go to this page and at the bottom of the page is a FAQ that lists this out.  Also, note that the total cost for Azure Sentinel is:

1) Azure Sentinel ingestion (which the URL below is for)

2) Log Analytics ingestion

3) Data retention after 90 days (first 90 days is free no matter where the data come from)


You can also go to to get an idea of how much data you will be ingesting from your environment.

Hi @SebastiaanR  to add to @Gary Bushey points, you can use this workbook if you choose take Sentinel for a test drive, this will give you an insight on the volume of logs you are receiving, pricing and other useful things.


If you are interested in some more info drop me a line, I've deployed a few Sentinel solutions.


Kind regards


Thanks @Gary Bushey . I actually used that to determine the log sizes earlier today, thanks :)

Pardon my ignorance,

Let's assume I have my LA workspace with Sentinel on top of it. I have a server connected to this same workspace generating 50GB of logs per month. The same workspace is covered under Azure Security Center standard and as such this server is covered by Defender ATP.

Am I correct that Sentinel still sees the 50GB as ingested log volumes, and that is what will be counted against the consumption?







@SebastiaanR That is correct.  

@Gary Bushey , @SebastiaanR : To clarify:


- The free sources Gary mentions above are free for both the Sentinel cost and the Log Analytics ingestion cost. Only Log Analytics retention beyond 90 days is charged.


- The 500MB/d free consumption allocation for Security Events for systems licensed for ASC standard applies but only to the Log Anaytics ingestion cost and not to the Sentinel cost.