Microsoft Sentinel brings together data, analytics, and workflows to unify and accelerate threat detection and response across your enterprise. Data for security analysis is stored in an Azure Monitor Log Analytics workspace where Microsoft Sentinel analyzes, interacts and derives insights from large volumes of data in seconds. Microsoft Sentinel is billed for the volume of data stored in a Log Analytics workspace and analyzed in Microsoft Sentinel.
Microsoft Sentinel Pricing
Microsoft Sentinel is billed for the volume of data analyzed in Microsoft Sentinel and stored in Azure Monitor Log Analytics workspace. Data can be ingested as two different types of logs: Analytics Logs and Basic Logs.
Analytics logs in Microsoft Sentinel support all data types offering full analytics, alerts and no query limits. Analytics logs include high value security data that reflect the status, usage, security posture and performance of your environment. Analytics Logs are best monitored proactively, with scheduled alerts and analytics, enabling security detections. There are two ways to pay for the Microsoft Sentinel Service: Pay-As-You-Go and Commitment Tiers.
With Pay-As-You-Go pricing, you are billed per gigabyte (GB) for the volume of data ingested for security analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace. Data volume is measured by the volume of data that will be stored in GB (10^9 bytes).
With Commitment tiers you are billed a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel. Commitment tiers provide you a discount on the cost based on your selected tier compared to Pay-As-You-Go pricing. You have the flexibility to opt out of the commitment tier any time after the first 31 days of commitment.
Prices shown below reflect total cost for the analytics enabled by Microsoft Sentinel, including data ingestion charges for log analytics. Prices are calculated assuming the same commitment tiers are selected for Microsoft Sentinel and Azure Monitor Log Analytics. Customers have the flexibility to select different pricing tiers for Microsoft Sentinel and Azure Monitor Log Analytics based on their specific needs.
|Tier||Microsoft Sentinel Price||Log Analytics Price||Total Price||Effective Per GB Price1||Savings Over Pay-As-You-Go|
|Pay-As-You-Go||￥ 20.35 per GB||￥ 23.4 per GB||￥ 43.75 per GB||￥ 43.75 per GB||N/A|
|100 GB per day||￥ 10.17 per GB||￥ 19.94 per GB||￥ 30.11 per GB||￥ 30.11 per GB||31%|
|200 GB per day||￥ 9.16 per GB||￥ 18.72 per GB||￥ 27.88 per GB||￥ 27.88 per GB||36%|
|300 GB per day||￥ 8.82 per GB||￥ 18.31 per GB||￥ 27.13 per GB||￥ 27.13 per GB||38%|
|400 GB per day||￥ 8.48 per GB||￥ 17.9 per GB||￥ 26.38 per GB||￥ 26.38 per GB||40%|
|500 GB per day||￥ 8.14 per GB||￥ 17.6 per GB||￥ 25.74 per GB||￥ 25.74 per GB||41%|
|1,000 GB per day||￥ 7.94 per GB||￥ 17.3 per GB||￥ 25.24 per GB||￥ 25.24 per GB||42%|
|2,000 GB per day||￥ 7.53 per GB||￥ 16.89 per GB||￥ 24.42 per GB||￥ 24.42 per GB||44%|
|5,000 GB per day||￥ 7.12 per GB||￥ 16.38 per GB||￥ 23.5 per GB||￥ 23.5 per GB||46%|
Basic Logs are usually verbose and contain a mix of high volume and low security value data without the full capabilities of analytics logs. They are not frequently used for deep analytics and alerts, and accessed on demand for ad-hoc querying, investigations and search. To help you reduce costs while you ingest more data, Microsoft Sentinel now offers a flexible pricing option for Basic Logs.
|Analytics Logs||Basic Logs|
|Data Types||All||Custom Logs2, Container Logs, and AppTraces|
|KQL Querying Capabilities||Full||Reduced|
|Query concurrency limits||No||Yes|
Basic Logs will be accessible for interactive queries for the first 8 days. Afterwards archived logs can be enabled to store the data. Searching data in Basic Logs are subject to additional billing. Prices below are not inclusive of Log Analytics Basic Logs. Please refer to the Azure Monitor pricing for the related data ingestion charges.
|Basic Logs analysis||￥5.088 per GB of data ingested|
Log Data Retention
Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace, excluding Basic Logs, can be retained at no charge for the first 90 days. Retention beyond 90 days and up to 2 years will be charged per the standard Azure Monitor pricing retention prices. Your data is accessible via interactive queries.
Log Data Archive
Microsoft Sentinel offers a fully managed, cost-effective data archiving solution for logs that need to be kept for several years for compliance and can be accessed to investigate an incident. You can store your archive data for up to 7 years. Searching archived logs is done using asynchronous search jobs which incur a cost for the data scanned. Archived logs can also be restored to enable full interactive analytics query capabilities. Please refer to the Azure Monitor pricing pricing for the related retention and query charges.
Microsoft Sentinel solution for SAP® applications
The Microsoft Sentinel solution for SAP® applications can monitor, detect and respond to sophisticated threats throughout the business logic and application layers for SAP systems hosted on Azure, GCP, AWS, or on-premises. It collects application logs from across the entire SAP system and then sends those logs to an Azure Monitor Log Analytics workspace in Microsoft Sentinel for continuous threat monitoring.
The Microsoft Sentinel solution for SAP® applications will be billed as an add-on charge from May 1, 2023 at ¥ 21.57 per system ID (production SID only) per hour in addition to the existing Microsoft Sentinel consumption-billing model. The solution will be free when a workspace is in a Microsoft Sentinel free trial.
Please see offer page for more details.
|SAP Threat Protection||￥ 21.57 per SID hour|
Try Microsoft Sentinel free for the first 31 days. Microsoft Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace, subject to the limits stated below.
- New workspaces can ingest up to 10GB/day of log data for the first 31-days at no cost. Both Log Analytics data ingestion and Microsoft Sentinel charges are waived during the 31-day trial period. This free trial is subject to a 20 workspace limit per Azure tenant.
- Existing workspaces can enable Microsoft Sentinel at no additional cost. Only the Microsoft Sentinel charges are waived during the 31-day trial period.
Usage beyond these limits will be charged per pricing listed on this page. Charges related to additional capabilities for automation and bring your own machine learning are still applicable during the free trial.