Azure Sentinel pricing

Pricing for cloud-native SIEM that provides intelligent security analytics for your entire enterprise

Azure Sentinel provides intelligent security analytics across your enterprise. The data for this analysis is stored in an Azure Monitor Log Analytics workspace. Azure Sentinel is billed based on the volume of data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace. Azure Sentinel offers a flexible and predictable pricing model. There are two ways to pay for the Azure Sentinel service: Capacity Reservations and Pay-As-You-Go.

Capacity Reservations

With Capacity Reservations you are billed a fixed fee based on the selected tier, enabling a predictable total cost for Azure Sentinel. Capacity Reservation provides you a discount (up to 60%) on the cost based on your selected capacity reservation compared to Pay-As-You-Go pricing. You have the flexibility to opt out of the capacity tier any time after the first 31 days of commitment. Prices shown below are related to the analytics enabled by Azure Sentinel and do not include the related data ingestion charges for Log Analytics. Please refer to the Azure Monitor Log Analytics pricing for the related data ingestion charges.

Charges for Azure Sentinel will go into effect on November 1, 2019. Capacity Reservations for Azure Sentinel will be available starting November 1, 2019


You can use the Azure Sentinel pricing calculator to customize and understand the total cost for your enterprise.

Capacity1 Price Discount2
100 GB per day $- per day 50%
200 GB per day $- per day 55%
300 GB per day $- per day 57%
400 GB per day $- per day 58%
500 GB per day $- per day 60%
More than 500 GB per day $- per day + $- per day (for each 100 GB increment after 500 GB in daily capacity) 60%

1If the amount of data ingested into Azure Sentinel exceeds your selected daily capacity reservation then additional data is charged at Pay-As-You-Go rates listed below.

2When compared to Pay as you go model

Pay-As-You-Go

With Pay-As-You-Go pricing, you are billed per gigabyte (GB) for the volume of data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace. Prices shown below are related to the security analytics enabled by Azure Sentinel. Prices shown below are related to the analytics enabled by Azure Sentinel and do not include the related data ingestion charges for Log Analytics. Please refer to the Azure Monitor Log Analytics pricing for the related data ingestion charges.

Charges for Azure Sentinel will go into effect on November 1, 2019.

Feature Price
Azure Sentinel $- per GB-ingested

Free Trial

Azure Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace for the first 31-days. Usage beyond the first 31-days will be charged per pricing listed above. Charges related to Azure Monitor Log Analytics for data ingestion and additional capabilities for automation and bring your own machine learning are still applicable during the free trial.

Data Retention

Once Azure Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for the first 90 days. Retention beyond 90 days will be charged per the standard Azure Monitor Log Analytics retention prices.

Azure Monitor Log Analytics

Azure Sentinel is built on the proven foundation of Azure Monitor Log Analytics platform and enables an extensive query language to analyze, interact with, and derive insights from huge volumes of operational data in seconds. Azure Sentinel is billed based on the volume of data ingested for analysis in Azure Sentinel and stored in Azure Monitor Log Analytics workspace. Please refer to the Azure Monitor Log Analytics pricing for the related data ingestion charges.

Automation and Bring your own Machine Learning

Azure Sentinel integrates with many other Azure services providing enhanced capabilities for Security Information and Event Management (SIEM) and Security Orchestration and Automation and Response (SOAR). Some of these services may have additional charges:

FAQs

  • Capacity reservations allow you to reserve a fixed amount of daily data ingestion capacity for Azure Monitor and Azure Sentinel for a fixed, predictable daily fee. You can upgrade your requested capacity at any time. However, the minimum commitment period before you can opt out or reduce your capacity reservation is 31 days.

    • Adding more capacity to your reservation – You can upgrade your requested capacity at any time. Your new capacity reservation will be effective at the start of the next UTC day.
    • Reducing your selected capacity reservation - You can reduce your capacity reservation or opt out entirely from the capacity reservation model after the first 31 days. This 31-day clock resets every time you make any change (increase or decrease) to your selected capacity reservation. Your new capacity reservation or business model choice will be effective at the start of the next UTC day.
  • You can opt into a capacity reservation at any time. Once you opt in, you will continue to be in your selected capacity tier unless you decide to opt out to a different pricing model or upgrade or downgrade your capacity reservation.
  • Capacity reservations are applicable at a workspace level and cannot be grouped across workspaces or subscriptions.
  • Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Threat Protection products (Azure Security Center, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection) can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics.

    Please Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel, and Azure Monitor Log Analytics.

  • Any Azure services that you use in addition to Azure Sentinel are charged per their applicable pricing. For example – Log Analytics, Logic Apps, Machine Learning, etc.
  • There are no additional charges for Azure Sentinel features that are in preview (indicated by a “Preview” tag). Pricing for features that are in preview will be announced in the future and a notice will be provided prior to the end of the preview. Should you choose to continue using preview features after the notice period, you will be billed at the applicable rates.