NorthPeakCloud
Cost charts under analysis on a laptop

Guide · SIEM cost

Azure Sentinel cost optimisation (2026)

Microsoft Sentinel is priced on data ingestion, so Sentinel cost optimisation is really one discipline: put the right logs in the right tier, and stop paying analytics prices for data you will never query in anger. The big levers are commitment tiers instead of pay-as-you-go, the low-cost data lake tier for high-volume low-value logs, filtering at the collection rule before ingestion, claiming the Microsoft 365 E5 and Defender data grants you may already be entitled to, and getting retention out of the analytics tier. Worked in that order, most estates cut a large slice of their SIEM bill without losing a single detection.

Photo: Pixabay
Azure AI Foundry specialists
FinOps cost engineering
Fixed-price foundations
UK · US · Canada
Key takeaways
  • Sentinel cost is ingestion cost — the tier gap is enormous (indicatively ~$5.20/GB analytics vs ~$0.15/GB data lake at list), so tier placement is the whole game.
  • Commitment tiers beat pay-as-you-go once ingestion is steady — model all seven tiers against your actual GB/day before renewing anything.
  • The cheapest gigabyte is the one you never ingest: filter at the data collection rule, not in the SIEM.
  • Check your entitlements before optimising anything — M365 E5 includes a per-user daily data grant, and Defender for Servers P2 includes a per-server allowance.
  • Keep 90 days hot (included with Sentinel), then archive — long-term retention in the analytics tier is the classic silent overspend.

The one sentence that explains your Sentinel bill

Microsoft Sentinel charges by the gigabyte ingested, and the gap between its tiers is enormous — indicatively about $5.20/GB on the analytics tier at pay-as-you-go list price versus about $0.15/GB on the data-lake tier. Roughly thirty-five to one. Which means Sentinel cost optimisation is not really about spending less on security; it is about refusing to pay analytics prices for logs that never needed analytics in the first place.

(Prices here are indicative USD list prices for illustration — always check the current Azure pricing page for your region, and note that regional prices differ.)

Lever 1 — Commitment tiers: stop paying the walk-up rate

Pay-as-you-go is the airport sandwich of SIEM pricing. Sentinel's commitment tiers — seven of them, starting at 100 GB/day — discount heavily in exchange for a daily commitment, and the break-even maths is friendlier than most people assume: if your ingestion sits reliably a little below a tier's threshold, the tier can still win.

The mistake is doing this by feel. Pull your actual GB/day from the workspace usage tables, model all seven tiers against it, and re-check quarterly — ingestion drifts upward, and yesterday's correct tier quietly becomes today's overspend. This is exactly the job the open-source Sentinel cost calculator (MIT-licensed, by getofmeland) does well: it models every commitment tier against pay-as-you-go, compares the analytics and data-lake tiers side by side, prices from the live Azure Retail Prices API in your region and currency, and accounts for the licence grants below. Ten minutes with it beats an afternoon of spreadsheet archaeology.

Lever 2 — Tier placement: analytics for detections, the lake for everything else

Every table in your workspace should justify its tier. The question per table is simple: do real-time analytics rules run over this data? If yes, it earns the analytics tier. If it exists for occasional investigation, compliance or "we might need it" — verbose firewall logs, NetFlow, storage diagnostics, the noisier syslog facilities — it belongs in the data-lake tier at a fraction of the price.

The usual suspects to audit first: firewall and network flow logs, `AzureDiagnostics`, verbose `Syslog` facilities, and any `SecurityEvent` collection set to "All events" when your detections use a fraction of them.

Lever 3 — The cheapest gigabyte is the one you never ingest

Before data reaches any tier, it passes a data collection rule — and DCR transformations can drop what you do not need at the door: chatty event IDs nobody alerts on, health-probe noise, debug-level syslog, fields you never query. Filtering in the pipeline costs nothing; filtering in the SIEM costs $5.20 a gigabyte, forever.

The discipline: for each source, write down which detections actually consume it, then collect only what those detections need plus a deliberate investigation margin. "Collect everything, just in case" is not a security posture; it is a standing order to overpay.

Lever 4 — Claim the data you have already paid for

Two entitlements routinely go unclaimed:

  • Microsoft 365 E5/A5/F5/G5 licences include a daily grant of M365 data ingestion into Sentinel per licensed user. Across a thousand-seat estate that is a meaningful slice of ingestion, free.
  • Defender for Servers Plan 2 includes a daily data allowance per protected server for eligible security data types.

Before optimising anything clever, check you are actually receiving what your licences include — it is the rare cost lever that requires no trade-off at all.

Lever 5 — Retention: hot for 90 days, then somewhere cheaper

Sentinel includes 90 days of retention in the analytics tier at no extra charge. The silent overspend is what happens after: compliance says "keep seven years", someone sets analytics-tier retention to 2,555 days, and the estate pays hot-tier prices for data that will be queried approximately never. Long-term retention belongs in archive or the data lake, restored on the rare day an investigation needs it. Set retention per table, not per workspace — your detections tables and your compliance ballast have different jobs.

Lever 6 — Watch it like a bill, because it is one

Ingestion drifts. A new log source, a diagnostic setting flipped to verbose, an agent misconfiguration — and your GB/day steps up without a decision ever being made. Two habits catch it: a monthly review of ingestion by table (the usage data is already in your workspace), and a cost anomaly alert so a spike surfaces in days rather than on the invoice. This is the same governance rhythm we run across Azure estates generally — SIEM is just the table where drift is most expensive.

Where this lands

Worked in order — tiers, placement, filtering, entitlements, retention, monitoring — these levers routinely take a serious bite out of a Sentinel bill without removing a single detection rule. The security team keeps every capability; the CFO stops funding logs nobody reads at thirty-five times the necessary price.

If you would rather have the modelling done for you — current ingestion profiled, all seven tiers compared, tier placement per table, entitlements verified — that is squarely AI Cost Control territory, fixed-price and with a gain-share option where our fee aligns to the savings. The audit tends to pay for itself out of the first mispriced table it finds.

Related: How to reduce Azure costs, Azure & AI cost management and Azure security consultancy.

Questions

Asked and answered.

How much does Microsoft Sentinel cost?+

Sentinel is priced per GB ingested per day. At indicative list prices the analytics tier runs at roughly $5.20/GB pay-as-you-go, falling significantly on commitment tiers (from 100 GB/day upwards), while the low-cost data lake tier is around $0.15/GB for high-volume logs you rarely query. A mid-market estate's bill is usually decided by which tables sit in which tier.

How do I reduce Azure Sentinel costs?+

In order of impact: move steady ingestion onto the right commitment tier; push high-volume, low-value logs (verbose firewall, storage and network telemetry) to the data-lake tier; filter noise out at the data collection rule before it is ingested; claim the M365 E5 and Defender for Servers data grants; and move long-term retention out of the analytics tier. Most estates combine at least three of these.

What is the Sentinel data lake tier?+

A low-cost ingestion tier (indicatively around $0.15/GB at list) for logs you need to keep and occasionally search — firewall logs, NetFlow, verbose diagnostics — but do not need real-time analytics rules running over. Detections stay on the analytics tier; the archive-grade bulk goes to the lake, at a fraction of the price.

Does Microsoft 365 E5 include Sentinel data?+

E5, A5, F5 and G5 licences include a daily grant of Microsoft 365 data ingestion into Sentinel per licensed user, and Defender for Servers Plan 2 includes a daily allowance per protected server. Many organisations pay full price for data these entitlements already cover — check the grants before optimising anything else.

Should I use a Sentinel commitment tier or pay-as-you-go?+

Commitment tiers discount steady ingestion, with break-even typically a little below each tier's threshold — if you reliably ingest near or above 100 GB/day, the first tier usually pays. Model all seven tiers against your real daily ingestion (an open-source calculator makes this a ten-minute job) rather than guessing at renewal time.

Get in touch

Let’s get you AI-ready.

Tell us what you’re trying to do with AI on Azure — a couple of sentences is plenty. You’ll get a reply within one working day with clear next steps. No obligation, UK, US and Canada welcome.