Microsoft Sentinel SIEM Pricing: Licensing Options and Optimization

Introduction: Understanding Microsoft Sentinel Pricing in 2025

Microsoft Sentinel is a cloud-native SIEM and SOAR solution running in Azure. Its licensing is based on data volume, not per-user or per-server counts.

This per-GB ingestion pricing model means costs scale with the amount of logs and telemetry you send into Sentinel. As organizations generate more security data, cost management becomes a top concern for CISOs and FinOps teams.

In 2025, with ever-growing log volumes, understanding Sentinel’s pricing structure is critical to avoid budget surprises.

Microsoft Sentinel’s pricing has a reputation for flexibility, but also carries the potential for consumption-based cost spikes.

Unlike traditional SIEMs with fixed licenses, Sentinel’s pay-as-you-go approach can lead to unpredictable bills if usage isn’t controlled.

Below, we break down the licensing options, costs, and practical strategies to optimize and even negotiate your Sentinel spend.

Microsoft Sentinel Licensing Model Explained

Microsoft Sentinel uses a data ingestion licensing model.

You are billed per gigabyte (GB) of data ingested into the Sentinel Log Analytics workspace. Every log, event, or telemetry record you send to Sentinel counts toward your usage.

This is different from legacy SIEM licensing (which might charge per device or per user). Sentinel’s license is effectively “by the GB,” so your costs directly follow your data volume.

All Sentinel billing is handled through your Azure subscription. When you enable Microsoft Sentinel on a Log Analytics workspace, it starts tracking the volume of data analyzed and stored.

What counts as ingested data? Essentially, all logs and alerts that Sentinel analyzes: security event logs, Azure activity logs, Office 365 audit logs, firewall and network logs, etc. Data is ingested in two main tiers:

  • Analytics Logs: Full-featured logs with advanced analytics, used for mission-critical data. These support complex queries, real-time alerts, and have 90 days of retention included.
  • Basic Logs: A lower-cost log tier intended for high-volume, lower-security data. Basic Logs have limited query capabilities and shorter included retention (8 days by default), but cost much less per GB.

(There is also an Auxiliary Logs tier in preview for very high-volume, low-fidelity data like raw network flows. Auxiliary logs are currently offered at a deep discount to explore their usage.)

Microsoft Sentinel’s pricing model offers two payment approaches:

  • Pay-As-You-Go (PAYG): The default model where you pay a fixed price per GB ingested, with no upfront commitment. This is ideal if your data volumes vary or if you’re just starting.
  • Commitment Tiers: Also known as capacity reservations, where you commit to a certain daily ingestion volume (e.g., 100 GB/day) for a discounted rate. This suits organizations with steady, predictable log volumes.

Understanding this licensing model is crucial: costs increase with data volume, so controlling what and how you ingest data is the primary lever for managing Microsoft Sentinel expenses.

Pay-As-You-Go Pricing: Default Sentinel Costs

By default, Azure Sentinel (now Microsoft Sentinel) uses a pay-as-you-go pricing model. Pay-As-You-Go (PAYG) means you simply pay for each gigabyte of data ingested, with no long-term commitment. This model offers maximum flexibility, but it’s also the most expensive per GB.

What does PAYG cost? As of 2025, Microsoft Sentinel’s combined ingestion and analysis charge is roughly $5 per GB in many regions (about $5.20/GB, though rates can vary by region and currency). This rate includes both the Azure Log Analytics storage cost and the Sentinel analysis cost in one simplified price. While $5/GB might sound small, it adds up fast with large data volumes.

For example:

  • Ingesting 100 GB of logs per day at PAYG rates costs about $500 per day, which is over $15,000 per month. This is a substantial bill for a mid-sized environment.
  • Smaller usage is directly proportional: 10 GB/day would cost approximately $1,500 per month on a PAYG plan.

The advantage of pay-as-you-go is no commitment or wastage: you only pay for what you actually ingest each day. This is perfect for organizations with highly variable log volumes or those piloting Sentinel.

There’s no risk of overcommitting to too high a tier.

However, the disadvantages are significant for larger deployments:

  • Higher Unit Cost: PAYG has the highest per-GB price. It can become prohibitively expensive at scale.
  • Budget Unpredictability: If log volumes spike due to an incident or new data sources, your monthly costs will spike too. This unpredictability makes budgeting difficult.

Many teams start with PAYG to evaluate Sentinel, but as data ingestion grows, they quickly look to optimize costs.

The sticker shock of a big Azure bill (often thousands or tens of thousands of dollars per month) has made FinOps teams skeptical of sticking with the default pricing. In summary, PAYG is flexible but can be a budget-killer if your SIEM ingest is large and steady.

Sentinel Capacity Reservations: Reducing Cost at Scale

For organizations ingesting significant and consistent amounts of data, Capacity Reservations (Commitment Tiers) provide a way to lower the cost per GB.

With a commitment tier, you agree to pay a fixed amount for a specified daily ingestion volume, and in return, you get a discounted rate versus pay-as-you-go pricing.

How capacity tiers work: Microsoft Sentinel commitment tiers start at 100 GB per day and go up through multiple levels (200 GB/day, 500 GB/day, 1000 GB/day, and beyond). You choose a tier based on your typical daily ingestion.

You will be charged for that full amount each day, regardless of whether you use it entirely or not. If you go over the committed volume on a given day, the excess data is billed at the same discounted per-GB rate of your tier.

Discounts vs PAYG: The higher the tier, the lower the effective cost per GB. For example, committing to 100 GB/day might bring the effective rate down to roughly $3.40 per GB (about a 34% savings compared to ~$5.20 PAYG).

Larger commitments yield even better rates: at multi-terabyte levels, the cost can drop to around $2.50 per GB or less (roughly 50% discount).

In other words, big enterprises that commit to very high ingestion volumes can cut Sentinel costs nearly in half.

When do capacity reservations make sense? If your organization is consistently ingesting a large volume of security data, a commitment tier locks in a predictable monthly cost and a lower unit price. It’s often recommended to commit to a tier slightly below your peak volume – perhaps your stable baseline.

For instance, if you average 120 GB/day but sometimes spike to 150, you might reserve 100 GB/day at the lower rate and pay PAYG for the overflow.

This ensures you get savings on the bulk of your data without overpaying for unused capacity on quiet days.

A quick cost scenario: imagine an environment with ~100 GB/day of logs.

  • PAYG cost: ~100 * $5.2 = $520/day (~$15.6k per month).
  • 100 GB/day committed tier: ~$343/day (~$10.3k per month). This saves about $5,300 per month, a significant reduction.

The trade-off is that commitment tiers require a 31-day minimum (you can only reduce or cancel after a month). If your usage drops, you still pay the committed amount. But in practice, for a steady workload, the savings are well worth it.

Capacity reservations are the go-to strategy for large enterprises to make Sentinel cost-efficient at scale.
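
The cost scenario above, worked through as an added example (not code from the article or from Microsoft). It uses the article's approximate figures ($5.20/GB PAYG, about $343/day for the 100 GB/day tier) on constructed daily volumes; the function names and the `overage_rate` parameter are assumptions made for illustration.

```python
from dataclasses import dataclass

# Approximate 2025 figures quoted in the article, not official Azure rates.
PAYG_RATE = 5.20          # $ per GB, pay-as-you-go
TIER_GB_PER_DAY = 100     # committed daily volume
TIER_DAILY_PRICE = 343.0  # $ per day for that commitment


@dataclass
class Comparison:
    payg_total: float
    tier_total: float
    savings: float        # positive: the commitment tier is cheaper
    underused_days: int   # days that stayed below the committed volume


def payg_cost(gb, rate=PAYG_RATE):
    """Pay-as-you-go: every ingested GB is billed at the list rate."""
    return gb * rate


def tier_cost(gb, commit_gb=TIER_GB_PER_DAY, daily_price=TIER_DAILY_PRICE,
              overage_rate=None):
    """Commitment tier: the full daily price is charged even on quiet days.

    Overage defaults to the tier's effective per-GB rate, as in the
    description of how tiers work. Pass overage_rate=PAYG_RATE to model
    overflow billed at the pay-as-you-go rate instead.
    """
    if overage_rate is None:
        overage_rate = daily_price / commit_gb
    return daily_price + max(0.0, gb - commit_gb) * overage_rate


def break_even_gb(daily_price=TIER_DAILY_PRICE, payg_rate=PAYG_RATE):
    """Average daily volume above which the tier beats PAYG."""
    return daily_price / payg_rate


def compare(daily_gb, **tier_kwargs):
    """Total both pricing models over a series of daily ingestion volumes."""
    commit = tier_kwargs.get("commit_gb", TIER_GB_PER_DAY)
    payg = sum(payg_cost(g) for g in daily_gb)
    tier = sum(tier_cost(g, **tier_kwargs) for g in daily_gb)
    return Comparison(
        payg_total=round(payg, 2),
        tier_total=round(tier, 2),
        savings=round(payg - tier, 2),
        underused_days=sum(1 for g in daily_gb if g < commit),
    )


# Constructed sample weeks (GB/day): a steady workload and a quiet one.
STEADY = [120, 110, 95, 150, 130, 80, 125]
QUIET = [40, 55, 60, 35, 70, 50, 45]

if __name__ == "__main__":
    print(f"break-even: {break_even_gb():.1f} GB/day")
    print("steady, overage at tier rate:", compare(STEADY))
    print("steady, overage at PAYG rate:",
          compare(STEADY, overage_rate=PAYG_RATE))
    print("quiet week:", compare(QUIET))
    print("30 days at 100 GB/day:", compare([100] * 30))
```

With these figures the 100 GB/day tier only pays off once average ingestion stays above roughly 66 GB/day; the quiet week shows the commitment costing more than PAYG.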

Free Data Types and Allowances in Sentinel

One of the more encouraging aspects of Azure Sentinel pricing is that some data doesn’t cost anything to ingest.

Knowing these free data types can help you maximize what you send to Sentinel without incurring charges:

  • Azure Activity Logs: Activity logs from Azure (which record management operations in your Azure resources) can be ingested into Sentinel at no cost. Microsoft does not charge for Azure platform logs in Log Analytics.
  • Office 365 Audit Logs: Office 365 activity logs (like Exchange, SharePoint, Teams audit data) are also free to ingest. Connecting the Office 365 data connector won’t increase your bill for those logs.
  • Alerts from Microsoft Security Services: Incidents or alerts forwarded from other Microsoft 365 Defender products (like Defender for Endpoint, Defender for Identity, etc.) are generally free for Sentinel to ingest. These are high-level alerts rather than raw logs, which helps you get security value without extra data costs.

It’s important to note that only specific log sources are free.

For example, the Office 365 connector is free for the audit logs, but if you enable additional mailbox or SharePoint telemetry beyond the basic audit record, that might incur costs.

Similarly, the Azure Activity log connector is free, but ingesting Azure resource logs (like diagnostics from VMs or storage accounts) is not free – those are billed as normal data.

Microsoft also provides promotional allowances in certain cases:

  • Free Trial: When you first enable Microsoft Sentinel, you get a 31-day free trial where up to 10 GB per day of ingestion is free. This is to help new customers try Sentinel without immediate costs.
  • Microsoft 365 E5 Benefit: If your organization has Microsoft 365 E5 licenses, there is an included Sentinel benefit. Microsoft provides up to 5 MB per user per day of free Sentinel ingestion for data from Microsoft 365 services. For a company with thousands of E5 users, this can translate to several GB per day of free data (e.g., 5 MB * 3,500 users ≈ 17.5 GB/day free). This benefit specifically applies to eligible M365 data sources and can greatly offset costs for those with E5 subscriptions.

In summary, always check which connectors or log types are “no-cost ingestion.” By leveraging these free data types, you can send essential security information to Sentinel without blowing up your bill.

This is a key part of Sentinel cost management: use free log sources fully, and only pay for the custom or third-party logs that truly add value.

Data Retention and Storage Costs in Microsoft Sentinel

Beyond ingestion, another cost factor in Microsoft Sentinel is data retention. Sentinel (via Azure Log Analytics) doesn’t charge extra for short-term retention of data, but if you need to keep logs long-term, there are additional costs to plan for.

By default, Analytics Logs in Sentinel are kept for 90 days at no extra charge. This means once you’ve paid to ingest the data, you can search and analyze it for up to three months without paying for storage.

Basic Logs (and preview Auxiliary Logs) have a much shorter included retention, typically 8 days, reflecting their lower-cost model.

If you require longer retention for compliance or forensic purposes, you have a couple of options:

  • Extended Retention in Analytics Tier: You can keep data in the active Log Analytics store beyond 90 days (up to 2 years) by paying a per-GB per month retention fee. This is roughly equivalent to $0.10 per GB per month for hot retention. For example, storing 500 GB of data for an extra month beyond the free period would cost approximately $50. Over a year, this adds up, so it’s crucial to only retain what you need in hot storage.
  • Archive Tier: For truly long-term storage (up to 7 years or even 12 years in Azure), Sentinel provides an archive tier. Archived logs are much cheaper to store (on the order of $0.10 per GB per month or less) because they are kept in cold storage. However, archived data is not readily searchable on the fly. You typically need to initiate a restore or use specialized search jobs to retrieve archived logs, which can take hours and may incur a small data access charge.

Many organizations adopt a tiered retention strategy to optimize cost:

  • Keep the last 30–90 days of critical logs in the active Analytics tier (fast and free within 90 days).
  • After 90 days, move older logs to the Archive tier to dramatically cut storage costs.
  • Only pull back archived logs if needed for an investigation or audit.

For example, you might keep three months of high-value security logs in hot storage for quick incident response, but archive the rest out to a lower-cost tier for one year. This ensures you meet compliance (one year of log retention) without paying full price to keep all data hot.

It’s worth noting that queries against archived data are slower and may incur a data scanning fee (often a few cents per GB scanned). Despite that, using the archive can cut retention costs by 80–90% compared to keeping everything in the analytics tier.

Bottom line: 90 days is free for analytics logs, but plan for retention costs beyond that. Use Archive storage for older data to meet retention requirements at a fraction of the cost, accepting the trade-off of slower access.

This is a crucial aspect of Sentinel cost optimization, particularly in industries with extended log retention requirements.

Optimization Tips for Sentinel Cost Management

Controlling Microsoft Sentinel costs requires a proactive approach.

Here is a checklist of practical Azure FinOps strategies to tame your Sentinel bill without sacrificing security visibility:

  • Filter out noisy or unnecessary logs before ingestion. Only collect data that provides security value. For example, you might not need every single debug log from a development system in Sentinel. Use data filters or agent configuration to drop useless events at the source.
  • Use Basic Logs for low-priority data. If you have verbose logs (e.g., detailed network flow logs or system metrics) that you rarely query, ingest them as Basic Logs instead of Analytics. Basic Logs cost dramatically less (roughly $1 per GB) but are still available for on-demand search or investigations.
  • Apply sampling or throttling on high-volume sources. For extremely chatty data sources, consider sampling (ingesting only a percentage of events) or setting a cap. For example, collect every Nth log or limit ingestion rate from non-critical sources.
  • Review data connectors and disable what you don’t need. Microsoft Sentinel comes with many connectors – ensure you haven’t accidentally enabled data ingestion from a source that isn’t useful. Disconnect any “noisy” connectors that generate high volumes of low-value data.
  • Set appropriate retention policies. Don’t keep data longer than necessary in the costly analytics tier. If 90 days is enough for most logs, stick to that. For logs that require longer retention, use archive tier policies so that data rolls off to low-cost storage after the free period.
  • Leverage built-in free quotas and benefits. Make sure you utilize the free 31-day trial for new workspaces and the Microsoft 365 E5 free ingestion benefits if applicable. Also, prefer using Azure-native sources (which might be free) over sending that data via custom routes that incur charges.
  • Monitor your Sentinel usage daily. Set up Azure cost alerts or workbooks to track daily ingestion volume and costs. This helps catch unusual spikes (maybe a misconfigured system spamming logs) so you can respond quickly. FinOps teams should treat log volume like a utility bill and react to anomalies.
  • Consider Azure Reservations or Savings Plans. If you have an Enterprise Agreement or large Azure spend, speak to Microsoft about commitment discounts or credits. Sometimes, large customers can negotiate better Sentinel pricing or use Azure Consumption Commitments to offset Sentinel costs.
  • Use automation to manage costs. For example, use Logic Apps or scripts to automatically purge or archive certain logs after a period, or to alert when ingestion goes beyond a threshold so an engineer can intervene.

By implementing these strategies, organizations have been able to significantly reduce their Sentinel costs while still capturing the security data that matters. Cost optimization for Sentinel is an ongoing process – regularly review what data you’re collecting and whether it’s worth the price.
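
One way to implement the daily monitoring and threshold alerting from the checklist, as an added example rather than the article's or Microsoft's code. It assumes per-table daily volumes have already been exported as (day, data type, GB) rows, for instance from the workspace's Usage table; the sample rows are constructed, and the thresholds and function name are illustrative.

```python
from collections import defaultdict
from statistics import median

PAYG_RATE = 5.20  # $ per GB, the article's approximate PAYG rate


def find_spikes(rows, baseline_days=7, factor=2.0, min_excess_gb=5.0):
    """Flag days where a data type's volume jumps above its own baseline.

    rows: iterable of (iso_day, data_type, gb) tuples.
    A day is flagged when its volume exceeds `factor` times the median of
    the previous `baseline_days` days AND the excess is at least
    `min_excess_gb`, so small tables that merely double are ignored.
    """
    series = defaultdict(list)
    for day, data_type, gb in sorted(rows):
        series[data_type].append((day, gb))

    alerts = []
    for data_type, points in series.items():
        for i in range(baseline_days, len(points)):
            # The median keeps one earlier spike from inflating the baseline.
            baseline = median(gb for _, gb in points[i - baseline_days:i])
            day, gb = points[i]
            excess = gb - baseline
            if gb > factor * baseline and excess >= min_excess_gb:
                alerts.append({
                    "day": day,
                    "data_type": data_type,
                    "gb": gb,
                    "baseline_gb": baseline,
                    "excess_gb": round(excess, 2),
                    # Rough extra spend if the excess is billed at PAYG.
                    "est_extra_cost": round(excess * PAYG_RATE, 2),
                })
    return sorted(alerts, key=lambda a: (a["day"], a["data_type"]))


# Constructed sample: nine days of per-table ingestion in GB.
_DAYS = [f"2025-03-{d:02d}" for d in range(1, 10)]
_VOLUMES = {
    "Syslog":            [20, 22, 19, 21, 20, 23, 20, 21, 65],   # misconfigured source on day 9
    "SecurityEvent":     [30, 31, 29, 30, 32, 30, 31, 30, 33],   # steady
    "CommonSecurityLog": [1, 1, 1.2, 0.9, 1, 1.1, 1, 1, 3],      # triples, but tiny
}
SAMPLE_ROWS = [(day, table, gb)
               for table, volumes in _VOLUMES.items()
               for day, gb in zip(_DAYS, volumes)]

if __name__ == "__main__":
    for alert in find_spikes(SAMPLE_ROWS):
        print(alert)
```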

Comparison of Microsoft Sentinel Pricing Options

To summarize the licensing models and cost-saving tiers, the table below compares the main Sentinel pricing options:

| Licensing Option | Model (Data Tier) | Example Cost | Pros | Cons |
|---|---|---|---|---|
| Pay-As-You-Go | Analytics Logs (default) | ~$5/GB ingested; 100 GB/day ≈ $15k/month | No commitment, start or stop anytime; easy to scale up or down | Highest cost per GB; costs can spike unpredictably |
| Capacity Reservation | Analytics Logs (committed) | Commit 100 GB/day ≈ $10k/month (effective ~$3.4/GB) | Lower unit price with volume discounts; predictable fixed daily cost | Pay for committed volume even if not fully used; requires 31-day commitment minimum |
| Basic Logs | Lower-tier log storage | ~$1/GB ingested (illustrative) | Very cheap ingestion for non-critical data; good for infrequently queried logs | Only 8-day free retention (short-term); limited query capabilities (no real-time analytics) |
| Archive Tier | Long-term log storage | ~$0.10/GB per month stored | Extremely cost-effective for retention; meets compliance for long-term storage | Data not immediately searchable (slower retrieval); small extra cost to access archived data |

Note: The costs above are approximate for 2025 and rounded for illustration. Actual pricing varies by region and may change. Still, the relative differences hold – pay-as-you-go is the most expensive, while committing to capacity or using basic/archive tiers can drastically lower costs.

FAQ: Microsoft Sentinel Pricing Questions

Q1: How is Microsoft Sentinel licensed?
A1: Microsoft Sentinel uses a per-GB licensing model. You are charged based on the volume of data ingested into the SIEM (measured in gigabytes). There are no per-user or per-server license fees – it’s purely about how much data you send to Sentinel.

Q2: Is there a free tier for Sentinel?
A2: Yes, there are a few free allowances. When you first enable Sentinel, there is a 31-day free trial with up to 10 GB/day of data ingestion at no cost. Additionally, some data types are always free to ingest (such as Azure Activity Logs and Office 365 audit logs). If you have Microsoft 365 E5 licenses, you also get a free daily ingestion allowance (5 MB per user per day) for certain Microsoft 365 data in Sentinel.

Q3: Can I reduce Sentinel costs without losing visibility?
A3: Absolutely. The key is to be selective and strategic with your logging. Filter out unnecessary logs to only pay for ingesting high-value data. Use Basic Logs for verbose data you might need occasionally, and rely on the Archive tier for long-term retention instead of keeping everything hot. These measures let you maintain security visibility while trimming the data volume (and cost).

Q4: What’s cheaper — pay-as-you-go or capacity reservations?
A4: In the long run, capacity reservations are cheaper if your daily ingestion is consistently high. Pay-as-you-go has a high per-GB price. If you commit to a tier (say 100 GB/day or more), the effective per-GB cost drops significantly (often 30–50% lower than PAYG). However, for very small or highly irregular workloads, PAYG might be fine. Once you have a stable, large volume, commitment tiers provide immediate savings.

Q5: How do I decide how much data to commit to in a reservation?
A5: A good strategy is to commit to slightly less than your steady daily average. You want to cover your baseline usage with the discounted rate, but not over-commit and pay for unused GBs. Analyze your ingestion over a few months – if you typically ingest 80 GB on slow days and 120 GB on busy days, a 100 GB/day commitment could be suitable. You’ll pay the lower rate for 100 GB each day, and only pay PAYG for the occasional excess above that.

Q6: Does Sentinel’s pricing include data storage beyond 90 days?
A6: Not in the base price. The default per-GB price covers ingestion and up to 90 days of retention for analytics logs (8 days for basic logs). If you want to keep logs longer than that in Sentinel, you will incur retention charges. You can either pay for extended retention in the analytics tier (charged per GB-month after 90 days) or move data to the Archive tier, which has its own low monthly storage cost. Either way, long-term retention is an extra cost to plan for.

Q7: Can I negotiate Sentinel pricing in an enterprise agreement (EA)?
A7: Yes, enterprises often have room to negotiate or optimize costs. While the list prices are fixed, large customers can use Azure consumption commitments or credits to offset Sentinel costs. In an EA or CSP agreement, you might negotiate discounts on Azure in general that make your effective Sentinel costs lower. Additionally, Microsoft occasionally offers promotions (like the free ingestion for M365 E5 data) which you should leverage. It’s wise to engage your Microsoft account team or cloud provider – they can sometimes provide cost optimization recommendations or special pricing if your Sentinel deployment is very large.

Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, improving organizational efficiency.
