Microsoft Sentinel – Ingestion x Retention Costs – Part I
A common question I have been getting and also a tricky topic is related to Microsoft Sentinel costs when it comes to Retention x Ingestion. We have more costs involved on this topic and it’s not my goal to explain here all the details but I wanted to explain the most frequent questions I’ve been receiving. Also, I am not a licensing specialist, but I believe this topic is important for everyone working with Sentinel to understand. I’d like to thank Flavio Honda, Security CSA in Microsoft for helping me with this topic.
First and foremost, Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. If you want to know more about what Sentinel is, please visit my other post by clicking here.
It’s important that you learn about the architecture and how Sentinel is integrated with Azure Monitor (Log Analytics Workspace) to be able to understand the types of costs we have. Log Analytics is a tool in the Azure portal used to edit and run log queries with data in Azure Monitor Logs.
When it comes to Sentinel pricing it’s necessary to make a distinction between data ingested and data retention.
- We have costs for data ingestion to the Log Analytics Workspace (Azure Monitor)
- We also have ingestion costs for the Microsoft Sentinel services
We can clearly see this difference when we are using the Price Calculator.
Below, we can see the data ingestion for the Sentinel service:
Below, is the ingestion for the Log Analytics service:
There is another Data Ingestion for Basic Logs but I’ll cover this topic in the next posts.
We also have commitment tiers for both services. Commitment tiers provide you a discount on the cost based on your selected commitment tier compared to Pay-As-You-Go pricing. With that, you are billed a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel.
Note: You don’t need to have necessarily the same commitment tier for Azure Logs Analytics and Microsoft Sentinel. Each one has its own benefits in different layers. This is because some services might provide free ingestion for Log Analytics but you’ll still be charged for Sentinel, like Defender for Cloud daily allowance (Understand the enhanced security features of Microsoft Defender for Cloud | Microsoft Docs). Thanks, Davi Cruz (Security Technical Specialist at Microsoft) for the contribution on this part.
We can see this if we go to the Azure Portal, open Sentinel, and select Settings.
However, we have the same commitment tiers for the Log Analytics Workspace.
If we go to the “Understand your Microsoft Sentinel bill” documentation, we can see an example when we have the commitment tiers accessing the Cost Analysis in the left navigation of Cost Management + Billing. Here you can see your invoice details, service name, tier, etc.
This could be confusing when you take a look at it the first time, but let me explain below:
- Azure Monitor – Log Analytics Commitment Tier
- Sentinel – Microsoft Sentinel Commitment Tier
- Log Analytics – data ingestion – Log Analytics overage over the Commitment Tier
- Sentinel – analysis – Microsoft Sentinel overage over the Commitment Tier
When you don’t have any commitment tier you are not going to see the detailed cost analysis, but you will see the Meter as Pay-as-you-go, like the image below.
I want to cover Data Retention in some next blog post, but I’ll leave you with some important links about it:
Integrate Azure Data Explorer for long-term log retention | Microsoft Docs
Move Your Microsoft Sentinel Logs to Long-Term Storage with Ease – Microsoft Tech Community
Ingest, Archive, Search, and Restore Data in Microsoft Sentinel – Microsoft Tech Community
Thank you all!