Microsoft Sentinel cost optimisation

How to control Microsoft Sentinel costs — ingestion tuning, commitment tiers, retention, and data tiering.

Microsoft Sentinel can be expensive. The bill is driven by how much data you ingest, which table plan that data lands in, and how long you keep it, with smaller charges for querying the cheaper tiers. At scale, even modest tuning produces meaningful savings without giving up security visibility, provided every filter and retention choice is made deliberately.

How Sentinel bills

Two main cost components, plus smaller secondary charges covered later (per-GB query charges on the cheaper table plans, search jobs and restores against long-term retention):

Ingestion

Each GB ingested into the Log Analytics workspace backing Sentinel is billed. Historically this was two line items (the Log Analytics ingestion charge plus the Sentinel analysis charge); workspaces onboarded since mid-2023 use a simplified model with one combined per-GB rate, so check which model your bill follows before comparing prices. Either way the choice is:

  • Pay-as-you-go: billed per GB at the highest unit cost.
  • Commitment tiers: commit to N GB/day for a discounted rate. Tiers run 100, 200, 300, 400, 500, 1000, 2000 and 5000 GB/day (larger tiers exist for the biggest estates), with progressively better unit pricing.

Two details decide which tier to pick. First, volume above the commitment is billed at the tier's own effective per-GB rate, not at pay-as-you-go, so the discount carries into overage. Second, because that effective rate is discounted, a tier beats pay-as-you-go before you reach its commitment: the break-even is the tier's daily price divided by the pay-as-you-go rate, which at the usual discounts falls somewhat below the commitment. So for tenants approaching or above 100 GB/day, profile at least 30 days of billable ingestion and pick the largest tier whose break-even your sustained volume clears, rather than simply the tier below your average. A tier can be raised at any time but only lowered after a 31-day commitment period, so step up on sustained growth, not on a one-week spike.
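As an added example (not from the original page and not a Microsoft-published query), the following KQL profiles 31 days of billable ingestion from the workspace's Usage table and prices each day under pay-as-you-go and a set of commitment tiers. The prices are placeholders, not Microsoft's list prices; substitute the current figures for your region and pricing model. The query assumes the standard Usage schema (Quantity in MB, IsBillable, StartTime) and demonstrates the break-even effect: the cheapest row is often a tier whose commitment is above the average day.

```kql
// Added example, not Microsoft's or the page's own query.
// Usage is the free, un-billed Azure Monitor table that records ingested
// volume per table per hour; Quantity is in MB, so /1000 gives GB.
let lookback = 31d;
// PLACEHOLDER prices (hypothetical): USD per GB for pay-as-you-go and a
// fixed USD per day for each commitment tier. Replace with current list prices.
let PaygRatePerGB = 4.30;
let Tiers = datatable(TierGB:long, DailyPrice:real) [
    0,   0.0,      // TierGB 0 stands for pay-as-you-go
    100, 330.0,
    200, 640.0,
    300, 930.0,
    500, 1500.0
];
let daily = Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true
    | summarize GBperDay = sum(Quantity) / 1000. by Day = bin(StartTime, 1d);
daily
// Cross-join every day with every tier so each day is priced under each tier.
| extend k = 1
| join kind=inner (Tiers | extend k = 1) on k
// Overage above a commitment is billed at the tier's own effective rate
// (DailyPrice / TierGB), not at the pay-as-you-go rate.
| extend RatePerGB = iff(TierGB == 0, PaygRatePerGB, DailyPrice / todouble(TierGB))
| extend DailyCost = DailyPrice + max_of(GBperDay - todouble(TierGB), 0.0) * RatePerGB
| summarize Days = count(),
            AvgGB = round(avg(GBperDay), 1),
            P90GB = round(percentile(GBperDay, 90), 1),
            PeriodCost = round(sum(DailyCost), 0)
          by TierGB, DailyPrice
// Break-even: the daily volume at which this tier costs the same as pay-as-you-go.
| extend BreakEvenGB = round(DailyPrice / PaygRatePerGB, 1)
| project TierGB, Days, AvgGB, P90GB, BreakEvenGB, PeriodCost
| order by PeriodCost asc
```

The first row is the cheapest option for the period just measured. Before committing, compare BreakEvenGB with AvgGB and P90GB: a tier whose break-even sits below your average day will keep winning on quiet days too, and remember that lowering a tier again takes a 31-day commitment period.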

Retention

  • Sentinel-enabled workspaces include 90 days of interactive (analytics) retention in the ingestion price; a plain Log Analytics workspace gets 31.
  • Beyond 90 days, interactive retention is charged per GB per month.
  • Interactive retention on analytics tables can be set up to 730 days (2 years), and is configured per table as well as at workspace level.

For longer horizons, long-term retention (formerly called the archive tier) holds data at a much lower monthly rate, for a total retention of up to 12 years at the time of writing. The trade-off is access: archived data is not reachable by interactive queries or analytics rules. You get to it through a search job or a restore, both asynchronous and both billed per GB scanned or restored, so it suits compliance and occasional hunting, not daily triage.

Free Microsoft 365 sources

The biggest cost optimisation: several first-party sources are ingested free, and others are discounted by licence. Be precise about which, because the free list covers alerts and audit events, not raw telemetry:

  • Microsoft 365 Defender (Defender XDR) alerts and incidents (the SecurityAlert and SecurityIncident tables): free. The raw advanced-hunting event tables (DeviceEvents, EmailEvents and the rest) are billed as ordinary ingestion unless covered by the licence grant below.
  • Office 365 audit logs (Exchange, SharePoint and Teams activity via the Office 365 connector): free.
  • Microsoft Defender for Cloud alerts: free.
  • Azure Activity logs: free.
  • Microsoft Entra ID sign-in and audit logs: billed, but tenants with Microsoft 365 E5, A5, F5 or G5 licences receive a daily data grant (currently up to 5 MB per user per day across the eligible Microsoft 365 sources, which also include Defender for Endpoint raw events, Defender for Cloud Apps discovery logs and Purview Information Protection logs).

The pricing model therefore favours Microsoft-source ingestion heavily. For a Microsoft 365-centric estate, much of the highest-value security signal costs nothing, and the bill is dominated by whatever third-party and infrastructure logs you add on top.

Cost-saving tactics

Filter before ingestion

For verbose sources (firewalls, proxies, network flow logs), filter at the source, in the forwarder, or in the ingestion pipeline:

  • Drop whole classes of low-value records before they are ingested: allowed east-west traffic to known services, health checks, keep-alives.
  • Sample only telemetry that no detection or investigation needs to be complete over, for example debug-level application events (ingesting one in ten is plenty for trend analysis). Never sample authentication, administrative or edge-firewall deny records: a detection that sees one event in ten mostly does not fire, and a sampled audit trail is not evidence.
  • Aggregate repeated events into summary records. Ingestion-time transformations are row-level and cannot aggregate, so do this at the forwarder, or land the raw events in a cheap tier and schedule a summary rule to write counts into an analytics table.

The cheapest data is data you do not ingest, but every filter is a blind spot you have chosen; record the rationale next to the rule so the next analyst knows what is missing and why.

Use data-collection rules (DCRs)

Data Collection Rules are the Azure Monitor construct that defines what an agent or API client sends and how it is shaped before storage. Each DCR data flow can carry a KQL transformation that runs on every incoming record:

  • The transformation is a restricted KQL subset (where, extend, project, project-away, parse and similar row-level operators; no joins, no aggregation) applied at ingestion time.
  • Drop fields you never query; columns removed by the transformation are never stored, so they are never billed.
  • Split one stream across tables by content, with one data flow and transformation per destination table.
  • Route high-volume subsets to custom tables configured with the Basic (or Auxiliary) plan. The plan is a property of the destination table, not of the DCR; the DCR only decides which table a record reaches.

For tables that arrive without a DCR (most service-to-service connectors), a single workspace transformation DCR can attach a transformation to the built-in table instead. One caveat: Microsoft applies a small per-GB data-processing charge to data that transformations filter out once the filtering passes a threshold (more than half of a table's incoming volume, at the time of writing). The net saving is still large, but check the current pricing page before modelling it as free.
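As an added example covering both the filter-before-ingestion tactics and the DCR mechanics above (not from the page and not a Microsoft-published rule), here is the body of a transformKql for a DCR that collects CEF firewall logs into CommonSecurityLog through the Azure Monitor Agent. The column names are the real CommonSecurityLog schema; the event classes, severities, address prefix and dropped fields are assumptions about one particular estate and must be adapted to yours. In the DCR JSON this query is the string value of dataFlows[].transformKql, and source is bound to the incoming records.

```kql
// Added example transformation for the Microsoft-CommonSecurityLog stream.
// Assumptions (hypothetical, adapt to your firewall): the vendor emits
// DeviceEventClassID "TRAFFIC" for session logs and "url" for web filtering,
// LogSeverity is a numeric string, and 10.0.0.0/8 is the internal range.
source
// 1. Drop whole event classes that carry no security signal here: allowed
//    DNS and NTP from internal hosts, logged by the edge firewall in bulk.
//    Denied traffic is deliberately kept in full; never sample or drop it.
| where not(
        DeviceEventClassID == "TRAFFIC"
        and DeviceAction == "allow"
        and DestinationPort in (53, 123)
        and SourceIP startswith "10.")
// 2. Keep only the URL-filtering severities detections actually use.
//    Severity "1" and "2" are plain browsing noise in this estate (assumption).
| where not(DeviceEventClassID == "url" and LogSeverity in ("1", "2"))
// 3. Shed fields nobody queries. Columns removed here are never stored or
//    billed. AdditionalExtensions is usually the largest field in a CEF record.
| project-away AdditionalExtensions, DeviceCustomString5, DeviceCustomString6,
               FlexString1, FlexString2
```

To route a subset elsewhere instead of discarding it, add a second data flow in the same DCR with its own transformKql (for example `source | where DeviceEventClassID == "TRAFFIC" and DeviceAction == "allow"`) and an outputStream pointing at a custom table created with the Basic plan; the first flow then excludes those rows so nothing is stored twice. Test any transformation against a day of real data before deploying it, since a where clause that matches nothing saves nothing, and one that matches everything silently blinds a detection.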

Basic vs analytics logs

Every table has a plan. Analytics is the default (full features, highest ingestion price); Basic is cheaper to ingest but comes with real restrictions:

  • Analytics: full KQL, usable in scheduled analytics rules, interactive retention up to 730 days.
  • Basic: a reduced KQL subset, queries billed per GB scanned, interactive retention fixed at 30 days (long-term retention can extend it), and the table cannot be referenced by scheduled analytics rules.

Move high-volume data that you investigate occasionally but never alert on (flow logs, verbose proxy logs) to Basic; keep every table an analytics rule reads on Analytics. Two practical limits: a table's plan can be switched only once a week, and only custom tables plus a Microsoft-published list of built-in tables support the Basic plan, so check the table before planning around it. Budget for the query charge too: a team that hunts daily over a Basic table can spend on scans what the plan saved on ingestion.

Auxiliary logs (newer tier)

Microsoft's newest plan, Auxiliary logs, is cheaper again than Basic and aimed at very high-volume, low-fidelity data (verbose network and firewall logs, for example) that must be kept for compliance or occasional hunting. It shares Basic's constraints (30-day interactive retention, per-GB query charges, no scheduled analytics rules) and is the natural partner of summary rules: land the raw volume in Auxiliary, then schedule a KQL aggregation into a small Analytics table that detections can use. Check the current documentation for which regions and table types support it before building a pipeline around it.

Retention tuning

  • Sentinel workspaces include 90 days of interactive retention; treat that as the default and set retention per table rather than only at workspace level.
  • Extend beyond 90 days only for the tables whose investigations need it (identity, endpoint and audit tables usually do; raw network telemetry usually does not).
  • Use long-term retention rather than extended interactive retention for anything kept mainly for compliance or rare look-backs.
  • Retention follows the table, so route data with different retention needs into different tables (via DCRs) and set each table's plan and retention to match.

Workspace consolidation

For organisations with several Sentinel workspaces (per region or per business unit), consolidation removes duplicated overhead (connectors, rules and automation maintained N times) and pools ingestion so that a single workspace clears a commitment tier it would otherwise miss. Workspaces that must stay separate but live in the same region can instead be linked to a dedicated cluster, which bills all linked workspaces under one shared commitment tier without merging their data.

The trade-off is that distributed workspaces may be exactly what data-residency or delegated-administration requirements demand. In that case keep them, and let analysts work across them with cross-workspace queries and Sentinel's multi-workspace incident view rather than moving data.

Monitoring and alerting

Set up alerts on ingestion volume, driven from the Usage table (free to query and not itself billed):

  • Daily ingestion threshold: alert when a table's volume rises more than about 20% above its trailing baseline.
  • New tables with significant volume: find the connector or agent that created them.
  • Specific high-volume connectors: verify they are producing signal that detections and investigations actually use.

The Usage and estimated costs page in the Log Analytics workspace shows ingestion by table, estimated cost and retention settings, and Sentinel's Workspace Usage Report workbook breaks the same data down by connector and over time. Both lag the bill by hours, so treat them as near-real-time, not live.
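As an added example implementing the three alerts above (not from the page and not a Microsoft-published rule), this KQL compares yesterday's complete day of billable ingestion per table with the trailing 14-day average and flags spikes and newly appearing tables. It assumes the standard Usage schema; the 20% ratio and the 1 GB noise floor are placeholders to tune for your workspace.

```kql
// Added example: daily ingestion watchdog over the Usage table.
// Yesterday is used rather than today because today's Usage rows are
// incomplete; comparing a partial day with full-day baselines under-alerts.
let baselineDays = 14d;
let spikeRatio = 1.2;            // flag at 120% of baseline (placeholder)
let minGB = 1.0;                 // ignore tables too small to matter (placeholder)
let yesterday = startofday(ago(1d));
let daily = Usage
    | where TimeGenerated > yesterday - baselineDays
    | where IsBillable == true
    | summarize GB = sum(Quantity) / 1000. by Day = bin(StartTime, 1d), DataType;
// Baseline: average daily GB per table over the days before yesterday.
let baseline = daily
    | where Day < yesterday
    | summarize BaselineGB = avg(GB), DaysSeen = count() by DataType;
daily
| where Day == yesterday
// leftouter keeps tables with no history so they surface as "new table".
| join kind=leftouter baseline on DataType
| extend Finding = case(
      isnull(BaselineGB), "new table",
      GB > BaselineGB * spikeRatio, "spike",
      "ok")
| where Finding != "ok" and GB >= minGB
| project DataType, Finding,
          YesterdayGB = round(GB, 2),
          BaselineGB = round(BaselineGB, 2),
          DaysSeen
| order by YesterdayGB desc
```

Schedule it once a day after midnight UTC as a Sentinel scheduled analytics rule or an Azure Monitor log alert, and route the result to whoever owns the data pipeline rather than to the SOC queue; a doubled firewall table is an engineering fix, not an incident. Adding Solution to the summarize keys gives the same view per connector for the third bullet.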

Common surprises

  • A new firewall connected to Sentinel doubles ingestion overnight.
  • Verbose or debug logging turned on by an administrator for a one-off troubleshooting session, and never turned off, spikes the bill.
  • A misconfigured connector (wrong syslog facility, duplicated forwarders, a parser that fails and dumps raw lines) ingests massively without adding signal.
  • A specific table grows suddenly because of a policy change elsewhere: a new audit policy, a newly enabled Defender feature, a Conditional Access change that multiplies sign-in events.

Catch these with ingestion alerts and fix them at the source; every day they go unnoticed is billed, and then retained for at least 90 days on top.

Cost vs coverage trade-offs

Some signals are essential at any cost; some are optional luxuries. Frame the cost-coverage decision:

  • Essential: Microsoft 365 Defender, Entra ID, Office 365 audit — fundamental security visibility.
  • Important: firewall logs from internet edge, key network gear.
  • Useful: detailed application logs, deep telemetry.
  • Optional: verbose debug logs, very granular network telemetry.

Don't ingest "optional" sources just because you can. Justify each source.

Operational discipline

  • Quarterly cost review: track the trend per table and identify what is growing and why.
  • Per-source cost analysis: for each connector, which detections and investigations consumed its data, and whether that is worth its share of the bill.
  • Commitment-tier review at least annually, and whenever ingestion shifts by a tier's width; tiers can be raised at any time and lowered after the 31-day commitment period.
  • Retention review: extended interactive retention is a recurring per-GB-month charge on every table it is set on, and long-term retention a smaller one; verify each table's setting is still justified by an actual investigative or compliance need.

For organisations running Sentinel seriously, cost optimisation is an ongoing discipline, not a one-off project. The savings are substantial when it is done well, and security posture is not compromised when every filter, plan and retention choice is made deliberately, documented, and revisited as the estate changes.