Microsoft Sentinel is a cutting-edge cloud-based security information and event management (SIEM) solution, designed to meet the ever-evolving security needs of modern organisations.
Leveraging its advanced AI, machine learning, and analytic capabilities, Sentinel collects and analyses data from all endpoints, devices, infrastructures and workstations within your organisation, providing you with a comprehensive view of your security landscape.
Additionally, Microsoft Sentinel provides centralised event and incident management, making it easier than ever to track and respond to security incidents. It is a critical solution for organisations which handle large amounts of sensitive information.
Although highly intuitive, Sentinel’s pricing models can be confusing and its key cost drivers aren’t always immediately apparent.
Read on for a comprehensive Microsoft Sentinel cost breakdown.
Pay-as-you-go vs Commitment Tiers
Microsoft Sentinel offers two payment models across its billable processes, which cater to different business needs and budgets: ‘Pay-as-you-go’ and ‘Commitment Tiers’.
Pay-as-you-go is the default payment model and is calculated based on the amount of GB ingested during specific periods. This pricing model allows for flexible and scalable billing, making it ideal for businesses that are starting out with Microsoft Sentinel and are unsure of their regular data ingestion volume. Unless you specify otherwise, you will automatically be billed on this plan.
Commitment Tiers are a more cost-effective option for businesses that have a stable and predictable data ingestion volume. As the name suggests, with this model you commit to purchasing a certain amount of GB for a set period, which can result in discounts of up to 65% compared to the Pay-as-you-go model.
It is important, however, to monitor your data ingestion volume and choose a Commitment Tier that closely aligns with your ingestion patterns to ensure you get the maximum savings. Unused committed GB is not stored or banked but lost; equally, ingestion exceeding your commitment is charged at Pay-as-you-go rates.
The good news is that you can increase your Commitment Tier at any time and decrease it every 31 days, so there are options for flexibility. Below is an example of a Sentinel Commitment Tier pricing model.
Microsoft Sentinel Cost Breakdown
There are a number of processes which incur costs in Microsoft Sentinel. These processes and functions work intrinsically together and primarily relate to how data is sourced and leveraged within Microsoft Sentinel.
Microsoft Sentinel Key Cost Drivers
- Data Ingestion: The amount of data that needs to be processed by Microsoft Sentinel.
- Data Analytics: The level of investigation required for ingested data.
- Data Retention/Archive: The length of time you wish to retain data.
- Users: The number of users who will be accessing Microsoft Sentinel.
- Features: Such as Search, Restore, Export and Alerts.
Each cost driver is affected by the Log Tier. The log tier, put simply, determines the way in which data is processed, ingested, analysed and retained.
In order to make effective cost optimising decisions, it is crucial to understand the different log types offered by Microsoft Sentinel, and how these are billed. Choosing the right log tier for the right data is essential to reduce costs and to drive the best value for your investment.
Analytics Logs are best used for data that requires full investigation support, allowing full KQL syntax and detections with no query concurrency limit. This log tier should be used primarily for data under active investigation.
Analytics Logs are billed on a Pay-as-you-go basis, per GB ingested per day, and are the most expensive log type. Commitment Tiers are available for Analytics Logs, allowing up to 65% discount, and they hold a maximum 2 year retention period.
You should use Basic Logs for data which is valuable but not critical, such as cloud storage logs, NetFlow logs, VPC flow logs and firewall proxy logs. Basic Logs support ingestion-time transformation and parsing; however, you can only carry out simple queries using a limited version of KQL on this data.
Although billed exclusively on a Pay-as-you-go basis, with no Commitment Tiers available, Basic Logs are significantly cheaper than Analytics Logs. They hold only an 8 day retention period, with the option to move data to Archived Logs.
Archived Logs are the cheapest option for data ingestion and are billed based on GB of data ingestion per month, with no Commitment Tiers available. You should use these logs for data that you may need to keep to meet compliance requirements, or data which might need occasional investigation.
Archived data can be stored for up to 7 years; however, this is at a limited functionality level. You are unable to investigate your organisation’s archived logs without utilising the Search and Restore tools.
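Both the Commitment Tier advice above (size the tier to your real ingestion pattern over the 31-day window you can adjust it in) and the log tier advice (put the right data in the right tier) depend on one check: knowing how many billable GB you ingest per day and which tables produce them. The following KQL is an added example, not code from the original article; it runs in the Logs blade of the Log Analytics workspace behind Sentinel and relies only on the standard Usage table, in which Quantity is reported in MB. The 31-day window and the top-10 cut-off are choices made for this example.

```kusto
// Added example, not from the original article. Uses the standard Usage table
// of the Log Analytics workspace; Quantity is in MB, so divide by 1024 for GB.
// Only billable ingestion is counted, as that is what a Commitment Tier covers.

// Query 1: daily billable ingestion over the last 31 days, reduced to the
// average and peak day. Compare these against the Commitment Tier sizes:
// committed GB above your typical day is lost, days above it bill at
// Pay-as-you-go rates.
Usage
| where TimeGenerated > ago(31d)
| where IsBillable == true
| summarize DailyGB = sum(Quantity) / 1024 by bin(TimeGenerated, 1d)
| summarize AvgDailyGB = round(avg(DailyGB), 2),
            PeakDailyGB = round(max(DailyGB), 2),
            MinDailyGB = round(min(DailyGB), 2),
            DaysObserved = count()

// Query 2: the ten tables (DataType) that drive the most billable volume over
// the same 31 days. High-volume tables that you rarely query in detail
// (flow logs, proxy logs, storage logs) are the candidates for Basic Logs;
// tables kept only for compliance are candidates for Archive.
Usage
| where TimeGenerated > ago(31d)
| where IsBillable == true
| summarize TotalGB = round(sum(Quantity) / 1024, 2),
            AvgDailyGB = round(sum(Quantity) / 1024 / 31, 2)
    by DataType
| top 10 by TotalGB desc
```

Run the two queries separately (select one and run it) since the Logs blade executes the highlighted text. Re-run them before each 31-day decrease window so the tier you commit to reflects current rather than historical volume.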
Search and Restore
These functions allow you to search through archived logs to find and fetch records for further analysis. Search is billed based on the number of GB of data scanned per day.
Once found, data can be restored for a specific time range and made available for further investigation. Restore is billed based on the amount of data restored and the time it is kept active for.
To learn more about Microsoft Sentinel, check out our Beginner’s Guide to Microsoft Sentinel.
Free Trials and Benefits
31-Day Free Trial
Microsoft offers a 31-day free trial of Microsoft Sentinel, covering up to 10GB of data ingestion per day, which you should definitely make the most of.
For new Log Analytics workspaces (less than 3 days old), both Log Analytics data ingestion and Microsoft Sentinel charges are waived, making it an ideal opportunity for you to monitor and evaluate your organisation’s regular ingestion volume.
Existing Log Analytics workspaces can also take advantage of the trial, although only the Microsoft Sentinel charges are waived. In both cases, the free trial is available for up to 20 workspaces per tenant.
It is important to note that usage exceeding 10GB of data ingestion per day is charged at standard Pay-as-you-go rates for your region.
Benefits for License Customers
Microsoft 365 E5, A5, F5, and G5 customers are eligible for 5MB per user, per day of free data ingestion into Microsoft Sentinel. This benefit is applied automatically at the end of each payment month, with no enrolment process required.
If your organisation is already utilising Microsoft 365 services under these licences this gives another opportunity to get more bang for your buck.
How We Can Help
Microsoft Sentinel plays a crucial role in any organisation’s online network, but without proper management, it can quickly eat your budget.
To effectively manage your investment in Microsoft Sentinel, you must dedicate time and resources. Our team of experienced IT professionals has experience working with organisations to optimise their Microsoft costs, developing bespoke budgeting plans that meet the dynamic needs of modern businesses.
As a Microsoft Solutions Partner for Modern Work, we at Vital are ideally placed to help you:
- Understand your current Microsoft expenditure.
- Optimise your consumption.
- Secure the best Microsoft pricing.
- Maximise your investment’s value.
For a no-obligation review of your Microsoft cloud infrastructure, get in touch here.