- Home
- Azure pricing
- Azure Sentinel pricing
- Request a pricing quote
- Try Azure for free
Modern cloud-native SIEM and intelligent security analytics
Azure Sentinel provides intelligent security analytics across your enterprise. The data for this analysis is stored in an Azure Monitor Log Analytics workspace. Azure Sentinel is billed based on the volume of data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace. Azure Sentinel offers a flexible and predictable pricing model. There are two ways to pay for the Azure Sentinel service: Capacity Reservations and Pay-As-You-Go.
Explore pricing options
Apply filters to customize pricing options to your needs.
Prices are estimates only and are not intended as actual price quotes. Actual pricing may vary depending on the type of agreement entered with Microsoft and the currency exchange rate. Prices are calculated based on US dollars and converted using Thomson Reuters benchmark rates refreshed on the first day of each calendar month. Sign in to the Azure pricing calculator to see pricing based on your current programme/offer with Microsoft. Contact an Azure sales specialist for more information on pricing or to request a price quote. See frequently asked questions about Azure pricing.
US government entities are eligible to purchase Azure Government services from a licensing solution provider with no upfront financial commitment or directly through a pay-as-you-go online subscription.
Learn More
Important—The price in R$ is merely a reference; this is an international transaction and the final price is subject to exchange rates and the inclusion of IOF taxes. An eNF will not be issued.
US government entities are eligible to purchase Azure Government services from a licensing solution provider with no upfront financial commitment or directly through a pay-as-you-go online subscription.
Learn More
Important—The price in R$ is merely a reference; this is an international transaction and the final price is subject to exchange rates and the inclusion of IOF taxes. An eNF will not be issued.
Microsoft Sentinel Pricing
Microsoft Sentinel is billed for the volume of data analysed in Microsoft Sentinel and stored in Azure Monitor Log Analytics workspace. Data can be ingested as two different types of logs: Analytics Logs and Basic Logs.
Analytics Logs
Analytics logs in Microsoft Sentinel support all data types offering full analytics, alerts and no query limits. Analytics logs include high value security data that reflect the status, usage, security posture and performance of your environment. Analytics Logs are best monitored proactively, with scheduled alerts and analytics, enabling security detections. There are two ways to pay for the Microsoft Sentinel Service: Pay-As-You-Go and Commitment Tiers.
Pay-As-You-Go
With Pay-As-You-Go pricing, you are billed per gigabyte (GB) for the volume of data ingested for security analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace. Data volume is measured by the volume of data that will be stored in GB (10^9 bytes).
Commitment Tiers
With Commitment tiers you are billed a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel. Commitment tiers provide you a discount on the cost based on your selected tier compared to Pay-As-You-Go pricing. You have the flexibility to opt out of the commitment tier any time after the first 31 days of commitment.
Prices shown below reflect total cost for the analytics enabled by Microsoft Sentinel, including data ingestion charges for log analytics. Prices are calculated assuming the same commitment tiers are selected for Microsoft Sentinel and Azure Monitor Log Analytics. Customers have the flexibility to select different pricing tiers for Microsoft Sentinel and Azure Monitor Log Analytics based on their specific needs.
| Price | Tier | Microsoft Sentinel Price | Log Analytics Price | Total Price | Effective Per GB Price1 | Savings Over Pay-As-You-Go |
|---|---|---|---|---|---|---|
| Pay-As-You-Go | $- per GB-ingested | $- per GB | $- per GB | $- per GB | N/A | |
| 100 GB per day | $- per day | $- per day | $- per day | $- per GB | $- | |
| 200 GB per day | $- per day | $- per day | $- per day | $- per GB | $- | |
| 300 GB per day | $- per day | $- per day | $- per day | $- per GB | $- | |
| 400 GB per day | $- per day | $- per day | $- per day | $- per GB | $- | |
| 500 GB per day | $- per day | $- per day | $- per day | $- per GB | $- | |
| 1,000 GB per day | $- per day | $- per day | $- per day | $- per GB | $- | |
| 2,000 GB per day | $- per day | $- per day | $- per day | $- per GB | $- | |
| 5,000 GB per day | $- per day | $- per day | $- per day | $- per GB | $- |
Basic Logs
Basic Logs are usually verbose and contain a mix of high volume and low security value data without the full capabilities of analytics logs. They are not frequently used for deep analytics and alerts, and accessed on demand for ad-hoc querying, investigations and search. To help you reduce costs while you ingest more data, Microsoft Sentinel now offers a flexible pricing option for Basic Logs.
| Analytics Logs | Basic Logs | |
|---|---|---|
| Data Types | All | Customised Logs2, Container Logs and AppTraces |
| KQL Querying Capabilities | Full | Reduced |
| Alerts support | Yes | No |
| Query concurrency limits | No | Yes |
Basic Logs will be accessible for interactive queries for the first 8 days. Afterwards archived logs can be enabled to store the data. Searching data in Basic Logs are subject to additional billing. Prices below are not inclusive of Log Analytics Basic Logs. Please refer to the Azure Monitor pricing for the related data ingestion charges.
| Feature | Price |
|---|---|
| Basic Logs analysis | $- per GB of data ingested |
| Basic Logs search queries | $- per GB of data scanned |
Log Data Retention
Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace, excluding Basic Logs, can be retained at no charge for the first 90 days. Retention beyond 90 days and up to 2 years will be charged per the standard Azure Monitor pricing retention prices. Your data is accessible via interactive queries.
Log Data Archive
Microsoft Sentinel offers a fully managed, cost-effective data archiving solution for logs that need to be kept for several years for compliance and can be accessed to investigate an incident. You can store your archive data for up to 7 years. Searching archived logs is done using asynchronous search jobs which incur a cost for the data scanned. Archived logs can also be restored to enable full interactive analytics query capabilities. Please refer to the Azure Monitor pricing pricing for the related retention and query charges.
Search Jobs
Search jobs are asynchronous queries that fetch records and make the results available in a search table created at the time of search and available within your workspace for further analytics. The search job uses parallel processing for executing the search job across long time horizons and spanning extremely large datasets. Search jobs can be run on any type of log and are ideally adapted for searching logs in Log Data Archive and Basic Logs. Search jobs will be charged by the amount of data scanned to complete the search.
| Feature | Price |
|---|---|
| Search Jobs | $- per GB of data scanned |
Log Data Restore
Bring historical log data into the current hot cache for high performing queries and analytics. Simply specify a target table and a specific time range for the data you wish to restore, and in a few minutes the target log data is available within the workspace with full KQL support for high performance queries. Log Data Restore is ideally adapted for restoring historical logs stored in Log Data Archive.
| Feature | Price |
|---|---|
| Log Data Restore | $- per GB per day |
Microsoft Sentinel solution for SAP® applications
The Microsoft Sentinel solution for SAP® applications can monitor, detect and respond to sophisticated threats throughout the business logic and application layers for SAP systems hosted on Azure, GCP, AWS, or on-premises. It collects application logs from across the entire SAP system and then sends those logs to an Azure Monitor Log Analytics workspace in Microsoft Sentinel for continuous threat monitoring.
The Microsoft Sentinel solution for SAP® applications will be billed as an add-on charge from May 1, 2023 at $- per system ID (production SID only) per hour in addition to the existing Microsoft Sentinel consumption-billing model. The solution will be free when a workspace is in a Microsoft Sentinel free trial.
Please see offer page for more details.
| Feature | Price |
|---|---|
| SAP Threat Protection | $- per SID hour |
Free Trial
Try Microsoft Sentinel free for the first 31 days. Microsoft Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace, subject to the limits stated below.
- New workspaces can ingest up to 10GB/day of log data for the first 31-days at no cost. Both Log Analytics data ingestion and Azure Sentinel charges are waived during the 31-day trial period.
- Existing workspaces can enable Microsoft Sentinel at no additional cost. Only the Microsoft Sentinel charges are waived during the 31-day trial period.
Usage beyond these limits will be charged per pricing listed on this page. Charges related to additional capabilities for automation and bring your own machine learning are still applicable during the free trial.
Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5 and G5 customers
Microsoft 365 E5, A5, F5 and G5 and Microsoft 365 E5, A5, F5 and G5 Security customers can receive a data grant of up to 5MB per user/day to ingest Microsoft 365 data. The data sources included in this offer include:
- Azure Active Directory (Azure AD) sign-in and audit logs
- Microsoft Defender for Cloud Apps shadow IT discovery logs
- Microsoft Information Protection logs
- Microsoft 365 advanced hunting data
For more information, please visit: Microsoft 365 E5 benefit offer with Microsoft Sentinel | Microsoft Azure
Microsoft Sentinel free data sources
In addition, following Microsoft 365 data sources are always free for all Microsoft Sentinel users as an ongoing Microsoft Sentinel benefit:
- Azure Activity Logs
- Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
- Alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps
- For more information on Microsoft Sentinel free data sources please see plan costs for Microsoft Sentinel.
Automation and Bring your own Machine Learning
Microsoft Sentinel integrates with many other Azure services providing enhanced capabilities for Security Information and Event Management (SIEM) and Security Orchestration and Automation and Response (SOAR). Some of these services may have additional charges:
- You can use Azure Logic Apps to automate your security responses. Please refer to Azure Logic Apps pricing page for related costs.
- You can bring in your own machine learning models for customised analysis. Please refer to Azure Machine Learning Studio and Azure Databricks pricing to understand the related costs.
Azure pricing and purchasing options
Connect with us directly
Get a walkthrough of Azure pricing. Understand pricing for your cloud solution, learn about cost optimisation and request a custom proposal.
Talk to a sales specialist
See ways to purchase
Purchase Azure services through the Azure website, a Microsoft representative or an Azure partner.
Explore your options
Additional resources
Azure Sentinel
Learn more about Azure Sentinel features and capabilities.
Pricing calculator
Estimate your expected monthly costs for using any combination of Azure products.
SLA
Review the Service Level Agreement for Azure Sentinel.
Documentation
Review technical tutorials, videos and more Azure Sentinel resources.
Frequently asked questions
Frequently asked questions about Azure pricing
-
Commitment tiers allow you to reserve a fixed amount of daily data ingestion capacity for Azure Monitor and Microsoft Sentinel for a fixed, predictable daily fee. You can upgrade your requested commitment at any time. Your new commitment tier will be effective at the start of the next UTC day. However, the minimum commitment period before you can opt out or reduce your capacity reservation is 31 days.
-
Commitment tiers are applicable at a workspace level and cannot be grouped across workspaces or subscriptions.
-
Any Azure services that you use in addition to Azure Sentinel are charged per their applicable pricing. For example – Log Analytics, Logic Apps, Machine Learning, etc.
-
There are no additional charges for Microsoft Sentinel features that are in preview (indicated by a “Preview” tag) beyond associated data ingestion and retention costs. Pricing for features that are in preview will be announced in the future and a notice will be provided prior to the end of the preview. Should you choose to continue using preview features after the notice period, you will be billed at the applicable rates.
-
Not all data types are suitable for Basic logs. While Basic logs provide a reduced-price option to bring in infrequently used, low security value data; they are limited in querying capabilities, don’t provide schedules alerts support, and are retained for 8-days. They are best used for ad-hoc querying, investigations and search scenarios. Customers can ingest Custom Logs, Container Logs, and AppTraces as Basic logs in a Log Analytics Workspace.
Talk to a sales specialist for a walk-through of Azure pricing. Understand pricing for your cloud solution.
Request a pricing quote
Get free cloud services and a $200 credit to explore Azure for 30 days.
Try Azure for free
Added to estimate. Press 'v' to view on calculator View on calculator
Can we help you?
