Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Sentinel cost per month for 500GB per day - questions

Iron Contributor

Hi everyone,

I'd like to be able to better explain the sentinel ingestion costs.

If I punch in 500GB/day to the cost calculator, it lists costs for Azure Monitor and Sentinel.

1. Are both part of the charge? Feels like a duplicate.

2. Do Basic logs and Analytic logs need to be 500GB? Assuming all logs should be queryable via kql for analytic rules.

 

Thank you.

 

bobsyouruncle_0-1652288884693.png

 

7 Replies
There is an Azure Monitor cost and a Sentinel cost, but those are combined in the total ingestion cost.

Unless you have a specific use-case for Basic Logs, you will probably never use them. Analytics Logs are what you want. Basic Logs also do not support Analytics Rules and are only retained for up to 8 days. Analytics Logs are the standard type of retention with 90 days of retention for active data.
For question 1, I usually explain it to my customers as Log Analytics is like SQL Server, it is where you store your data. Microsoft Sentinel is the application running on top of the storage, hence the two charges. As @Rod_Trent states, they are combined in the calculator.

 

Thanks guys, this is very helpful!
Another question based on this same example (please and thanks).
If you want to keep data available for kql queries up to 1 year, would I set Data Archive to 1 year?
So:
- Basic Logs: zero
- Analytic Logs: 500GB/day (is this for 30 or 90 days?)
- Data Archive: 1 year (can this still be queried via kql?)

- Azure Monitor Data Restore - not needed? Assume this is a 'typical' use case.

- Azure Monitor Search Queries and Search Jogs - not needed? Assume this is a 'typical' use case.

= Total monthly cost: $41,600k

 

bobsyouruncle_0-1652458610425.png

 

@SocInABox You can keep the data in Microsoft Sentinel for up to two years.  If you want to keep it for just one, set the Data Retention to 365.  You will pay for the difference between the 90 free days and the 365 days in a year (275 days).   

 

Keep in mind that you will keep adding to the amount being archived each month after your first 90 days and then it will level off after a year.  Also, you can set table level data retention so you only keep those tables you need for 90 days (see link below)

 

If you don't think you will be using the data all the time, take a look at archival capabilities that will still allow you to search (for a cost) without having them retained in MS Sentinel: Configure data retention and archive in Azure Monitor Logs (Preview) - Azure Monitor | Microsoft Doc...

Thanks very much @Gary Bushey  But I'd still like to complete my example scenario and your suggestion greatly helps.

So say i picked the 'alerts' table and I want to enable archiving:

bobsyouruncle_0-1652709391366.png

When the archiving started after 30 days I would use this reference to calculate my need for "Data Archiving at $0.02 per GB?"
https://azure.microsoft.com/en-us/pricing/details/monitor/

bobsyouruncle_1-1652709556235.png

So my total costs would be:
Table N1 * 0.02xGB  _ Table N2 * 0.02xGB ....

 

Or I could just say for 500GB: 0.02x500x30days = $300 = peanuts...
I wonder if the calculator above is wrong - it seems to be adding the full 12 months of archive retention to EACH month.

 


Correct?

good article here on Basic vs Analytic and when to use a custom solution to save $$ by storing in blob storage for your non-analytic logs.
eg. if you're ingesting TB/day and you need retention for 4+ years then there can be some big cost savings.
https://medium.com/wortell/use-sentinel-basic-and-archive-logs-fae3bb3a6299