Skip to main content

Microsoft Sentinel pricing

Modern cloud-native SIEM and intelligent security analytics

Microsoft Sentinel brings together data, analytics, and workflows to unify and accelerate threat detection and response across your enterprise. Data for security analysis is stored in an Azure Monitor Log Analytics workspace where Microsoft Sentinel analyzes, interacts and derives insights from large volumes of data in seconds. Microsoft Sentinel is billed for the volume of data stored in a Log Analytics workspace and analyzed in Microsoft Sentinel.

Explore pricing options

Apply filters to customize pricing options to your needs.

Prices are estimates only and are not intended as actual price quotes. Actual pricing may vary depending on the type of agreement entered with Microsoft, date of purchase, and the currency exchange rate. Prices are calculated based on US dollars and converted using London closing spot rates that are captured in the two business days prior to the last business day of the previous month end. If the two business days prior to the end of the month fall on a bank holiday in major markets, the rate setting day is generally the day immediately preceding the two business days. This rate applies to all transactions during the upcoming month. Sign in to the Azure pricing calculator to see pricing based on your current program/offer with Microsoft. Contact an Azure sales specialist for more information on pricing or to request a price quote. See frequently asked questions about Azure pricing.

Microsoft Sentinel Pricing

Microsoft Sentinel is billed for the volume of data analyzed in Microsoft Sentinel and stored in Azure Monitor Log Analytics workspace. Data can be ingested as two different types of logs: Analytics Logs and Basic Logs.

Analytics Logs

Analytics logs in Microsoft Sentinel support all data types offering full analytics, alerts and no query limits. Analytics logs include high value security data that reflect the status, usage, security posture and performance of your environment. Analytics Logs are best monitored proactively, with scheduled alerts and analytics, enabling security detections. There are two ways to pay for the Microsoft Sentinel Service: Pay-As-You-Go and Commitment Tiers.

Pay-As-You-Go

With Pay-As-You-Go pricing, you are billed per gigabyte (GB) for the volume of data ingested for security analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace. Data volume is measured by the volume of data that will be stored in GB (10^9 bytes).

Commitment Tiers

With Commitment tiers you are billed a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel. Commitment tiers provide you a discount on the cost based on your selected tier compared to Pay-As-You-Go pricing. You have the flexibility to opt out of the commitment tier any time after the first 31 days of commitment.

Prices shown below reflect the total cost for the data analyzed by Microsoft Sentinel, including data ingestion charges for Azure Monitor Log Analytics for the specific tier. Please refer to Azure Monitor pricing the related data ingestion charges. To learn more see blog.

Price Tier Microsoft Sentinel Price Effective Per GB Price1 Savings Over Pay-As-You-Go
Pay-As-You-Go $- per GB-ingested $- per GB-ingested N/A
100 GB per day $- per day $- per GB $-
200 GB per day $- per day $- per GB $-
300 GB per day $- per day $- per GB $-
400 GB per day $- per day $- per GB $-
500 GB per day $- per day $- per GB $-
1,000 GB per day $- per day $- per GB $-
2,000 GB per day $- per day $- per GB $-
5,000 GB per day $- per day $- per GB $-
10,000 GB per day $- per day $- per GB $-
25,000 GB per day $- per day $- per GB $-
50,000 GB per day $- per day $- per GB $-
1Data ingested into Microsoft Sentinel exceeding the selected daily commitment tier is charged at the effective tier prices listed above.

Basic Logs

Basic Logs are usually verbose and contain a mix of high volume and low security value data without the full capabilities of analytics logs. They are not frequently used for deep analytics and alerts, and accessed on demand for ad-hoc querying, investigations and search. To help you reduce costs while you ingest more data, Microsoft Sentinel now offers a flexible pricing option for Basic Logs.

Analytics Logs Basic Logs
Data Types All Custom Logs2, Container Logs, AppTraces and other data types
KQL Querying Capabilities Full Reduced
Alerts support Yes No
Query concurrency limits No Yes

2This only pertains to custom log tables created with the Data Collection Rule (DCR)-based custom logs API and configured to the Basic Log data plan.

Basic Logs will be accessible for interactive queries for the first 8 days. Afterwards archived logs can be enabled to store the data. Searching data in Basic Logs are subject to additional billing.

Feature Price
Basic Logs analysis $- per GB of data ingested3
Basic Logs search queries $- per GB of data scanned4

3Price is inclusive of Log Analytics Basic Logs. Please refer to the Azure Monitor pricing for the related data ingestion charges.

4Please refer to the Azure Monitor pricing for related query charges.

Log Data Retention

Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace, excluding Basic Logs, can be retained at no charge for the first 90 days. Retention beyond 90 days and up to 2 years will be charged per the standard Azure Monitor pricing retention prices. Your data is accessible via interactive queries.

Log Data Archive

Microsoft Sentinel offers a fully managed, cost-effective data archiving solution for logs that need to be kept for several years for compliance and can be accessed to investigate an incident. You can store your archive data for up to 7 years. Searching archived logs is done using asynchronous search jobs which incur a cost for the data scanned. Archived logs can also be restored to enable full interactive analytics query capabilities. Please refer to the Azure Monitor pricing pricing for the related retention and query charges.

Search Jobs

Search jobs are asynchronous queries that fetch records and make the results available in a search table created at the time of search and available within your workspace for further analytics. The search job uses parallel processing for executing the search job across long time horizons and spanning extremely large datasets. Search jobs can be run on any type of log and are ideally adapted for searching logs in Log Data Archive and Basic Logs. Search jobs will be charged by the amount of data scanned to complete the search.

Feature Price
Search Jobs $- per GB of data scanned

Log Data Restore

Bring historical log data into the current hot cache for high performing queries and analytics. Simply specify a target table and a specific time range for the data you wish to restore, and in a few minutes the target log data is available within the workspace with full KQL support for high performance queries. Log Data Restore is ideally adapted for restoring historical logs stored in Log Data Archive.

Feature Price
Log Data Restore $- per GB per day

Data ingested into Microsoft Sentinel exceeding the selected daily commitment tier is charged at the effective tier prices listed above.

A minimum charge of 2TB for 12-hours applies to every restore; pro-rated hourly

Microsoft Sentinel solution for SAP® applications

The Microsoft Sentinel solution for SAP® applications can monitor, detect and respond to sophisticated threats throughout the business logic and application layers for SAP systems hosted on Azure, GCP, AWS, or on-premises. It collects application logs from across the entire SAP system and then sends those logs to an Azure Monitor Log Analytics workspace in Microsoft Sentinel for continuous threat monitoring.

The Microsoft Sentinel solution for SAP® applications will be billed as an add-on charge after May 1, 2023 at $- per system ID (production SID only) per hour in addition to the existing Microsoft Sentinel consumption-billing model. The solution will be free when a workspace is in a Microsoft Sentinel free trial.

Please see offer page for more details.

Feature Price
Solution for SAP Applications $- per SID hour

Free trial

Try Microsoft Sentinel free for the first 31 days. Microsoft Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace, subject to the limits stated below.

  • New workspaces can ingest up to 10GB/day of log data for the first 31-days at no cost. Both Log Analytics data ingestion and Microsoft Sentinel charges are waived during the 31-day trial period. This free trial is subject to a 20 workspace limit per Azure tenant.

Usage beyond these limits will be charged per pricing listed on this page. Charges related to additional capabilities for automation and bring your own machine learning are still applicable during the free trial.

Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5 and G5 customers

Microsoft 365 E5, A5, F5 and G5 and Microsoft 365 E5, A5, F5 and G5 Security customers can receive a data grant of up to 5MB per user/day to ingest Microsoft 365 data. The data sources included in this offer include:

  • Azure Active Directory (Azure AD) sign-in and audit logs
  • Microsoft Defender for Cloud Apps shadow IT discovery logs
  • Microsoft Information Protection logs
  • Microsoft 365 advanced hunting data

For more information, please visit: Microsoft 365 E5 benefit offer with Microsoft Sentinel | Microsoft Azure

Microsoft Sentinel benefit for Microsoft Defender for Server P2 customers

Azure Monitor Log Analytics and Microsoft Sentinel Customers with Defender for Server Plan 2 enabled, get 500 MB per VM per day of free data ingestion. The allowance is specifically for the security data types that are directly collected by Defender for Cloud.

Defender for Cloud billing is closely tied to the billing for Azure Monitor Log Analytics. Since the Microsoft Sentinel bill includes the Azure Monitor Log Analytics for the specific tier, the benefit applies to the entire Microsoft Sentinel bill.

For more information on the benefit, please visit: Defender for Server P2 benefit with Microsoft Sentinel. To learn more please see blog.

Microsoft Sentinel free data sources

In addition, following Microsoft 365 data sources are always free for all Microsoft Sentinel users as an ongoing Microsoft Sentinel benefit:

  • Azure Activity Logs
  • Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
  • Alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps
  • For more information on Microsoft Sentinel free data sources please see plan costs for Microsoft Sentinel.

Automation and bring your own machine learning

Microsoft Sentinel integrates with many other Azure services providing enhanced capabilities for Security Information and Event Management (SIEM) and Security Orchestration and Automation and Response (SOAR). Some of these services may have additional charges:

Azure pricing and purchasing options

Connect with us directly

Get a walkthrough of Azure pricing. Understand pricing for your cloud solution, learn about cost optimization and request a custom proposal.

Talk to a sales specialist

See ways to purchase

Purchase Azure services through the Azure website, a Microsoft representative, or an Azure partner.

Explore your options

Additional resources

Microsoft Sentinel

Learn more about Microsoft Sentinel features and capabilities.

Pricing calculator

Estimate your expected monthly costs for using any combination of Azure products.

SLA

Review the Service Level Agreement for Microsoft Sentinel.

Documentation

Review technical tutorials, videos, and more Microsoft Sentinel resources.

  • Commitment tiers allow you to reserve a fixed amount of daily data ingestion capacity for Azure Monitor and Microsoft Sentinel for a fixed, predictable daily fee. You can upgrade your requested commitment at any time. Your new commitment tier will be effective at the start of the next UTC day. However, the minimum commitment period before you can opt out or reduce your capacity reservation is 31 days.
  • Commitment tiers are applicable at a workspace level and cannot be grouped across workspaces or subscriptions.
  • Any Azure services that you use in addition to Microsoft Sentinel are charged per their applicable pricing. For example – Log Analytics, Logic Apps, Machine Learning, Solutions etc.
  • There are no additional charges for Microsoft Sentinel features that are in preview (indicated by a “Preview” tag) beyond associated data ingestion and retention costs. Pricing for features that are in preview will be announced in the future and a notice will be provided prior to the end of the preview. Should you choose to continue using preview features after the notice period, you will be billed at the applicable rates.
  • Not all data types are suitable for Basic logs. While Basic logs provide a reduced-price option to bring in infrequently used, low security value data; they are limited in querying capabilities, don’t provide schedules alerts support, and are retained for 8-days. They are best used for ad-hoc querying, investigations and search scenarios. Customers can ingest Custom Logs, Container Logs, and AppTraces as Basic logs in a Log Analytics Workspace.

Talk to a sales specialist for a walk-through of Azure pricing. Understand pricing for your cloud solution.

Get free cloud services and a $200 credit to explore Azure for 30 days.

Added to estimate. Press 'v' to view on calculator
Can we help you?