- Home
- Azure pricing
- Microsoft Sentinel pricing
- Request a pricing quote
- Try Azure for free
Modern cloud-native SIEM and intelligent security analytics
Microsoft Sentinel brings together data, analytics, and workflows to unify and accelerate threat detection and response across your enterprise. Data for security analysis is stored in an Azure Monitor Log Analytics workspace where Microsoft Sentinel analyses, interacts and derives insights from large volumes of data in seconds. Microsoft Sentinel is billed for the volume of data stored in a Log Analytics workspace and analysed in Microsoft Sentinel.
Explore pricing options
Apply filters to customise pricing options to your needs.
Prices are estimates only and are not intended as actual price quotes. Actual pricing may vary depending on the type of agreement entered with Microsoft, date of purchase, and the currency exchange rate. Prices are calculated based on US dollars and converted using London closing spot rates that are captured in the two business days prior to the last business day of the previous month end. If the two business days prior to the end of the month autumn on a bank holiday in major markets, the rate setting day is generally the day immediately preceding the two business days. This rate applies to all transactions during the forthcoming month. Sign in to the Azure pricing calculator to see pricing based on your current programme/offer with Microsoft. Contact an Azure sales specialist for more information on pricing or to request a price quote. See frequently asked questions about Azure pricing.
US government entities are eligible to purchase Azure Government services from a licensing solution provider with no upfront financial commitment, or directly through a pay-as-you-go online subscription.
Learn more
Important—The price in R$ is merely a reference; this is an international transaction and the final price is subject to exchange rates and the inclusion of IOF taxes. An eNF will not be issued.
US government entities are eligible to purchase Azure Government services from a licensing solution provider with no upfront financial commitment, or directly through a pay-as-you-go online subscription.
Learn more
Important—The price in R$ is merely a reference; this is an international transaction and the final price is subject to exchange rates and the inclusion of IOF taxes. An eNF will not be issued.
Microsoft Sentinel Pricing
Microsoft Sentinel is billed for the volume of data analyzed in Microsoft Sentinel and stored in Azure Monitor Log Analytics workspace. Data can be ingested as three different types of logs: Analytics Logs, Basic Logs and Auxiliary Logs (preview).
Analytics Logs
Analytics logs in Microsoft Sentinel support all data types offering full analytics, alerts and no query limits. Analytics logs include high value security data that reflect the status, usage, security posture and performance of your environment. Analytics Logs are best monitored proactively, with scheduled alerts and analytics, enabling security detections. There are two ways to pay for the Microsoft Sentinel Service: Pay-As-You-Go and Commitment Tiers.
Pay-As-You-Go
With Pay-As-You-Go pricing, you are billed per gigabyte (GB) for the volume of data ingested for security analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace. Data volume is measured by the volume of data that will be stored in GB (10^9 bytes).
Commitment tiers
With Commitment tiers you are billed a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel. Commitment tiers provide you a discount on the cost based on your selected tier compared to Pay-As-You-Go pricing. You have the flexibility to opt out of the commitment tier any time after the first 31 days of commitment.
Prices shown below reflect the total cost for the data analysed by Microsoft Sentinel, including data ingestion charges for Azure Monitor Log Analytics for the specific tier. Please refer to Azure Monitor pricing for the related data ingestion charges. To learn more see blog.
| Price | Tier | Microsoft Sentinel Price | Effective Per GB Price1 | Savings Over Pay-As-You-Go |
|---|---|---|---|---|
| Pay-As-You-Go | $- per GB | $- per GB | N/A | |
| 100 GB per day | $- per day | $- per GB | $- | |
| 200 GB per day | $- per day | $- per GB | $- | |
| 300 GB per day | $- per day | $- per GB | $- | |
| 400 GB per day | $- per day | $- per GB | $- | |
| 500 GB per day | $- per day | $- per GB | $- | |
| 1,000 GB per day | $- per day | $- per GB | $- | |
| 2,000 GB per day | $- per day | $- per GB | $- | |
| 5,000 GB per day | $- per day | $- per GB | $- | |
| 10,000 GB per day | $- per day | $- per GB | $- | |
| 25,000 GB per day | $- per day | $- per GB | $- | |
| 50,000 GB per day | $- per day | $- per GB | $- |
1Data ingested into Microsoft Sentinel exceeding the selected daily commitment tier is charged at the effective tier prices listed above. Data size is measured in GB (10^9 bytes). Details of its calculation are available for Log Analytics and Application Insights.
Basic Logs
Basic Logs are usually verbose and contain a mix of high volume and low security value data without the full capabilities of analytics logs. They are not frequently used for deep analytics and alerts, and accessed on demand for ad-hoc querying, investigations and search.
| Tier | Price |
|---|---|
| Pay-As-You-Go | $- per GB2 |
2Price is inclusive of Log Analytics Basic Logs. Please refer to the Azure Monitor pricing for related query charges.
Auxiliary Logs (Preview)
Auxiliary Logs in Microsoft Sentinel are high volume, low fidelity logs (Example: Network logs, Firewall logs) crucial for security investigations, hunting, or additional attack context. Auxiliary Logs is in preview, and billing is not yet enabled. We will notify users before billing starts and publish a blog on Microsoft Techcommunity with additional billing details. For current users advance notice will be provided before billing starts.
| Tier | Price |
|---|---|
| Pay-As-You-Go | $- per GB3 |
3Price is inclusive of Log Analytics Auxiliary Logs. Please refer to the Azure Monitor pricing for related query charges.
Microsoft Sentinel offers flexible data ingestion options to meet your business needs.
| Analytics Logs | Auxiliary Logs | Basic Logs | |
|---|---|---|---|
| Data Types | All | Custom logs | Custom logs, Container Logs, AppTraces and other data types |
| KQL Querying Capabilities | Full | Full KQL on a single table and lookup to Analytics Logs table | Full KQL on a single table and lookup to Analytics Logs table |
| Alerts support | Yes | No | No |
| Interactive query | 31 days interactive query, option to extend to 2 years | 30 days interactive query | 30 days interactive query |
| Query concurrency limits | No | Yes | Yes |
| Retention | Up to 2 years, with long-term retention up to 12 years. | Up to 12 years with long-term retention. | Up to 12 years with-long term retention. |
Long-term Retention
Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for the first:
- 90 days if ingested as Analytics Logs. Retention beyond 90 days and up to 2 years will be charged per the standard Azure Monitor retention prices.
- 30 days if ingested as Basic Logs and Auxiliary Logs.
Data can be retained up to 12 years beyond these no-charge periods for compliance purposes and can be accessed for incident investigation. Data in long-term retention can be searched using asynchronous search jobs which incur a cost for the data scanned. Long-term retention data can also be restored to enable full interactive analytics query capabilities. Please refer to the Azure Monitor pricing page for the related retention and query charges.
Search Jobs
Search jobs are asynchronous queries that fetch records and make the results available in a search table created at the time of search and available within your workspace for further analytics. The search job uses parallel processing for executing the search job across long time horizons and spanning extremely large datasets. Search jobs can be run on any type of log and will be charged by the amount of data scanned to complete the search. For more information see Azure Monitor pricing page.
| Feature | Price |
|---|---|
| Search Jobs | $- per GB of data scanned |
Log Data Restore
Bring historical log data into the current hot cache for high performing queries and analytics. Simply specify a target table and a specific time range for the data you wish to restore, and in a few minutes the target log data is available within the workspace with full KQL support for high performance queries. Log Data Restore is ideally adapted for restoring historical logs stored in Log Data Archive.
| Feature | Price |
|---|---|
| Log Data Restore | $- per GB per day |
Microsoft Sentinel solution for SAP® applications
The Microsoft Sentinel solution for SAP® applications can monitor, detect and respond to sophisticated threats throughout the business logic and application layers for SAP systems hosted on Azure, GCP, AWS, or on-premises. It collects application logs from across the entire SAP system and then sends those logs to an Azure Monitor Log Analytics workspace in Microsoft Sentinel for continuous threat monitoring.
The Microsoft Sentinel solution for SAP® applications will be billed as an add-on charge after May 1, 2023 at $- per system ID (production SID only) per hour in addition to the existing Microsoft Sentinel data consumption-based billing model. The solution will be free when a workspace is in a Microsoft Sentinel free trial.
Please see offer page for more details.
| Feature | Price |
|---|---|
| Solution for SAP Applications | $- per SID hour |
Free trial
Try Microsoft Sentinel free for the first 31 days. Microsoft Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace, subject to the limits stated below.
- New workspaces can ingest up to 10 GB/day of log data for the first 31-days at no cost. Both Log Analytics data ingestion and Microsoft Sentinel charges are waived during the 31-day trial period. This free trial is subject to a 20 workspace limit per Azure tenant.
Usage beyond these limits will be charged per pricing listed on this page. Charges related to additional capabilities for automation and bring your own machine learning are still applicable during the free trial.
Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5 and G5 customers
Microsoft 365 E5, A5, F5 and G5 and Microsoft 365 E5, A5, F5 and G5 Security customers can receive a data grant of up to 5 MB per user/day to ingest Microsoft 365 data. The data sources included in this offer include:
- Azure Active Directory (Azure AD) sign-in and audit logs
- Microsoft Defender for Cloud Apps shadow IT discovery logs
- Microsoft Information Protection logs
- Microsoft 365 advanced hunting data
For more information, please visit: Microsoft 365 E5 benefit offer with Microsoft Sentinel | Microsoft Azure
Microsoft Sentinel benefit for Microsoft Defender for Server P2 customers
Azure Monitor Log Analytics and Microsoft Sentinel Customers with Defender for Server Plan 2 enabled, get 500 MB per VM per day of free data ingestion. The allowance is specifically for the security data types that are directly collected by Defender for Cloud.
- SecurityAlert
- SecurityBaseline
- SecurityBaselineSummary
- SecurityDetection
- SecurityEvent
- WindowsFirewall
- SysmonEvent
- ProtectionStatus
- Update and UpdateSummary
Defender for Cloud billing is closely tied to the billing for Azure Monitor Log Analytics. Since the Microsoft Sentinel bill includes the Azure Monitor Log Analytics for the specific tier, the benefit applies to the entire Microsoft Sentinel bill.
For more information on the benefit, please visit: Defender for Server P2 benefit with Microsoft Sentinel. To learn more please see blog.
Microsoft Sentinel free data sources
In addition, following Microsoft 365 data sources are always free for all Microsoft Sentinel users as an ongoing Microsoft Sentinel benefit:
- Azure Activity Logs
- Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
- Alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps
- For more information on Microsoft Sentinel free data sources please see plan costs for Microsoft Sentinel.
Automation and bring your own machine learning
Microsoft Sentinel integrates with many other Azure services providing enhanced capabilities for Security Information and Event Management (SIEM) and Security Orchestration and Automation and Response (SOAR). Some of these services may have additional charges:
- You can use Azure Logic Apps to automate your security responses. Please refer to Azure Logic Apps pricing page for related costs.
- You can bring in your own machine learning models for customised analysis. Please refer to Azure Machine Learning Studio and Azure Databricks pricing to understand the related costs.
Azure pricing and purchasing options
Connect with us directly
Get a walkthrough of Azure pricing. Understand pricing for your cloud solution, learn about cost optimisation and request a customised proposal.
Talk to a sales specialist
See ways to purchase
Purchase Azure services through the Azure website, a Microsoft representative or an Azure partner.
Explore your options
Additional resources
Microsoft Sentinel
Learn more about Microsoft Sentinel features and capabilities.
Pricing calculator
Estimate your expected monthly costs for using any combination of Azure products.
SLA
Review the Service Level Agreement for Microsoft Sentinel.
Documentation
Review technical tutorials, videos, and more Microsoft Sentinel resources.
Frequently asked questions
Frequently asked questions about Azure pricing
-
Commitment tiers allow you to reserve a fixed amount of daily data ingestion capacity for Azure Monitor and Microsoft Sentinel for a fixed, predictable daily fee. You can upgrade your requested commitment at any time. Your new commitment tier will be effective at the start of the next UTC day. However, the minimum commitment period before you can opt out or reduce your capacity reservation is 31 days.
-
Commitment tiers are applicable at a workspace level and cannot be grouped across workspaces or subscriptions.
-
Any Azure services that you use in addition to Microsoft Sentinel are charged per their applicable pricing. For example – Log Analytics, Logic Apps, Machine Learning, Solutions etc.
-
There are no additional charges for Microsoft Sentinel features that are in preview (indicated by a “Preview” tag) beyond associated data ingestion and retention costs. Pricing for features that are in preview will be announced in the future and a notice will be provided prior to the end of the preview. Should you choose to continue using preview features after the notice period, you will be billed at the applicable rates.
-
Not all data types are suitable for Basic logs. While Basic logs provide a reduced-price option to bring in infrequently used, low security value data; they are limited in querying capabilities, don’t provide schedules alerts support, and are retained for 8-days. They are best used for ad-hoc querying, investigations and search scenarios. Customers can ingest Custom Logs, Container Logs, and AppTraces as Basic logs in a Log Analytics Workspace.
Talk to a sales specialist for a walk-through of Azure pricing. Understand pricing for your cloud solution.
Request a pricing quote
Get free cloud services and a $200 credit to explore Azure for 30 days.
Try Azure for free
Added to estimate. Press 'v' to view on calculator View on calculator
Can we help you?
