When meeting with customers, especially for the first time, the cost of Microsoft Sentinel always comes up. This blog is not about the ROI of Microsoft Sentinel, even though that is an important exercise for any organization looking to either move to Microsoft Sentinel or use it side-by-side with their existing SIEM (Security Information and Event Management).
Most of the information I will discuss comes directly from the Microsoft docs, but I wanted to bring together what is in the docs, what is in other blogs, and my own spin. As I said, pricing always comes up in my discussions with customers, so I now start any proof-of-concept with this discussion. I aim to give transparency and clarity to my customers.
The following diagram shows all the elements that feed the cost of Microsoft Sentinel that an organization must consider. I will explain each of these elements in the following paragraphs.
Log Analytics Workspace Ingestion
A Log Analytics workspace is the data store of Microsoft Sentinel. It can exist with or without Microsoft Sentinel. For example, Azure Monitor can send diagnostic metrics and logs to a Log Analytics workspace for analysis. Thus, a separate cost is incurred for data being ingested into the Log Analytics workspace, regardless of whether Microsoft Sentinel is enabled on it.
Think of it this way. If you have an on-premises SIEM, you must buy storage to support that SIEM. In this analogy, Log Analytics ingestion is how Microsoft charges for that storage.
Analytic and Basic Logs
By default, Log Analytics uses Analytics tables. These provide longer retention, log queries at no cost, alerting, and a higher ingestion cost. Basic tables provide short retention (8 days), a charge for log queries (with a limited set of query operators), and a reduced ingestion cost. For more information on the differences between the log types, check here.
As of this writing, Basic Logs are in preview, and with them the ease of Archiving, Searching, and Restoring is also in preview. From Log Analytics, on a table-by-table basis, you can set a table to move data to Archive. I bring this up in pricing because archiving itself does not cost anything, but searching the Archive and restoring data, if necessary, does.
The next cost consideration is data retention. By default, you get 30 days of retention with Log Analytics at no cost. If you enable Microsoft Sentinel on that Log Analytics workspace, you get 90 days of retention at no cost. But you will still have to manually change the retention setting in Log Analytics to 90 days; enabling Microsoft Sentinel does not change it for you.
Log Analytics Commitment Tiers
Once you understand how much data you will be ingesting into Log Analytics for Microsoft Sentinel to analyze, you can use commitment tiers to save money on the cost of ingestion. At any time, you can scale up to a higher tier, but you can only scale down after 31 days.
For more information on all the pricing for Log Analytics, please review the Azure Monitor pricing page.
Microsoft Sentinel Ingestion
As with Log Analytics, Microsoft Sentinel is charged by the amount of data it analyzes. Just to be clear, the data is not being ingested anywhere else; it is still sitting in the Log Analytics workspace. This is not a double charge. It is a charge for all the good stuff you can do with the data now that Microsoft Sentinel is looking at it.
To use another analogy, it is like an all-inclusive resort, sort of. You have paid for the flight (Log Analytics workspace ingestion), and now you are paying for the resort (Microsoft Sentinel). You don't have to pay for food, drinks, or entertainment. The "sort of" part of my comment refers to the excursions (Logic Apps, Azure Functions, and Azure Notebooks), which are billed separately.
There are free connectors. More on that later. You get hundreds of included Analytic Rules, Hunting Queries, Playbooks, and Workbooks. You can create more at no cost. You are not charged for the incidents that are created from the rules.
Microsoft Sentinel Commitment Tiers
Like Log Analytics commitment tiers, Microsoft Sentinel commitment tiers let you commit to your expected ingestion to help contain cost.
Logic Apps Consumption and Standard
Microsoft Sentinel is not only a SIEM but also a SOAR (Security Orchestration, Automation, and Response). Automation for Microsoft Sentinel is accomplished with Automation Rules and Playbooks. The Automation Rules don't cost to run, but if they kick off a Playbook or you run a Playbook manually, you will incur a charge.
Playbooks are just Logic Apps triggered by an action like a new incident or alert. An analyst can also trigger the Logic Apps manually to perform such actions as enrichment or notification.
There are two ways Logic Apps charges are calculated: Consumption and Standard. Consumption is a charge per triggered Logic App, with the first 4,000 executions free. With Standard, you pay hourly for compute that can be used by Logic Apps throughout your single Azure tenant.
With Standard, your organization will need to determine its demand for Logic Apps, both inside and outside of Microsoft Sentinel. Standard may save more if the organization runs many Logic Apps.
If you plan on using Azure Functions to provide some type of automation, that is another cost to consider. Azure Functions supporting Microsoft Sentinel are used, for example, to trigger on an Event Hub or Event Grid to import or export data.
Microsoft Sentinel Notebooks are Azure Notebooks, Azure's version of Jupyter Notebooks. This will cost extra if your organization utilizes Microsoft Sentinel Notebooks for deeper Machine Learning models or visualization on the logs.
Azure Notebooks use high-performance compute configured for machine learning to run the notebooks, and you are charged on a consumption basis for the use of that compute. As with ordinary compute (virtual machines), shut it down when you are not running a notebook.
Now that I have frightened you with costs, there is good news. There are savings and free logs to get started and see amazing insights from your data.
If your organization has E5 licensing for Microsoft 365, the organization receives a data grant of up to 5 MB per user per day to ingest M365 data. This data includes the following:
- Azure AD sign-in and Audit Logs
- Defender for Cloud Apps Shadow IT Discovery Logs
- Microsoft Information Protection Logs
- M365 Advanced Hunting Data
Microsoft Defender for Server P2 Benefit
Microsoft Defender for Server is part of Microsoft Defender for Cloud. When using P2 with monitored servers, the organization gets 500 MB/server/day for the following subset of security data types in the logs ingested by Log Analytics:
The following logs are always free to ingest into Log Analytics and Microsoft Sentinel:
- Azure Activity Logs
- Office 365 Audit Logs
- Defender for Cloud
- M365 Defender
- Defender for Office 365
- Defender for Identity
- Defender for Endpoints
- Defender for Cloud Apps
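To see how the allowances above change what you actually pay for, here is an added planning example (not code from this post or from Microsoft). It applies the always-free tables, the E5 grant of 5 MB per user per day, and the Defender for Servers P2 benefit of 500 MB per server per day to a constructed day of per-table ingestion; the table names and which tables each allowance covers are assumptions for illustration.

```python
"""Estimate billable Log Analytics ingestion for a Microsoft Sentinel workspace.

Added example (not from the blog or from Microsoft): applies the allowances the post
describes to one day's volume per table: always-free tables, the M365 E5 grant (5 MB per
user per day) and the Defender for Servers P2 benefit (500 MB per server per day).
"""
from dataclasses import dataclass

MB_PER_E5_USER_PER_DAY = 5      # figure from the post
MB_PER_P2_SERVER_PER_DAY = 500  # figure from the post

# Assumed mapping of allowances to table names (illustration only).
ALWAYS_FREE = {"AzureActivity", "OfficeActivity", "SecurityAlert"}
E5_ELIGIBLE = {"SigninLogs", "AuditLogs"}
P2_ELIGIBLE = {"SecurityEvent", "CommonSecurityLog"}

@dataclass
class Estimate:
    free_mb: int             # ingested at no charge
    e5_covered_mb: int       # absorbed by the pooled E5 grant
    p2_covered_mb: int       # absorbed by the pooled P2 benefit
    billable_by_table: dict  # MB left to pay for, per table
    billable_mb: int         # total billable MB for the day

def apply_pool(remaining, eligible, pool_mb):
    """Consume a pooled allowance against eligible tables, largest table first.
    Returns (mb_covered, remaining_volume_per_table)."""
    remaining = dict(remaining)
    covered = 0
    for table in sorted((t for t in eligible if t in remaining), key=remaining.get, reverse=True):
        take = min(remaining[table], pool_mb)
        remaining[table] -= take
        pool_mb -= take
        covered += take
        if remaining[table] == 0:
            del remaining[table]  # fully covered, nothing left to bill
    return covered, remaining

def estimate_billable(daily_mb, e5_users=0, p2_servers=0):
    """daily_mb: {table_name: MB ingested per day}. Returns an Estimate."""
    remaining = dict(daily_mb)
    free_mb = sum(remaining.pop(t) for t in list(remaining) if t in ALWAYS_FREE)
    e5_mb, remaining = apply_pool(remaining, E5_ELIGIBLE, e5_users * MB_PER_E5_USER_PER_DAY)
    p2_mb, remaining = apply_pool(remaining, P2_ELIGIBLE, p2_servers * MB_PER_P2_SERVER_PER_DAY)
    return Estimate(free_mb, e5_mb, p2_mb, remaining, sum(remaining.values()))

# Constructed sample: one day's ingestion per table, in MB.
SAMPLE_DAILY_MB = {"AzureActivity": 200, "OfficeActivity": 900, "SigninLogs": 1200, "AuditLogs": 300,
                   "SecurityEvent": 6000, "CommonSecurityLog": 2500, "Syslog": 800}
```

Calling `estimate_billable(SAMPLE_DAILY_MB, e5_users=250, p2_servers=10)` on the sample leaves 4,550 MB billable out of 11,900 MB ingested, and the per-table breakdown shows which sources are driving that remainder.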
To assist with planning for Microsoft Sentinel costs, check out https://azure.microsoft.com/en-us/pricing/calculator/
You will need to choose Security and then Microsoft Sentinel to start using the calculator at the bottom of the page.
Usage and Cost Monitoring Workbooks
Once you have Microsoft Sentinel up and running, there are a few ways you can monitor your usage and cost by using workbooks.
Microsoft Sentinel Cost Workbook
First, search the workbook templates for "cost", save the Microsoft Sentinel Cost workbook to My workbooks, and then open it with View saved workbook.
Remember that this is not your actual bill, just an estimate. Set the filters at the top of the page to better predict the pricing. This workbook will provide estimates for ingestion, retention, and Logic Apps.
Workspace Usage Report Workbook
The next workbook I suggest you add is the Workspace Usage Report. This workbook will allow you to dig into where your data is coming from to help you figure out what may need to be adjusted.
Usage Analytic Rules
Wouldn't it be nice to be notified when things might get out of hand from an ingesting or cost perspective? I am providing links to additional blogs to assist with alerting for cost and usage.
Capping and Alerting on Data Ingestion
This post covers setting a daily cap for data ingestion and building an alert that fires when the daily cap is reached: https://www.verboon.info/2022/05/how-to-analyze-microsoft-sentinel-daily-cap-alerts-aadnoninteractiveusersigninlogs/
Alerting on Daily Ingestion
Rod Trent's post covers alerting when Microsoft Sentinel daily ingestion reaches a threshold: https://azurecloudai.blog/2022/07/07/alert-when-microsoft-sentinel-daily-ingestion-reaches-a-threshold/
Alerting on Sentinel Enablement
Recently I had a customer who had a large spike in ingestion for Microsoft Sentinel. After investigating, we determined that someone had enabled Microsoft Sentinel on a Log Analytics workspace that was being used to gather application metrics.
You will want to avoid this mistake, because it can be costly. Make sure you control who can perform this action: enabling Microsoft Sentinel requires at least Contributor on the subscription containing the workspace.
I have created a KQL query that returns when Security Insights (Microsoft Sentinel) is enabled or disabled on a Log Analytics workspace. You will want to build a scheduled Analytic Rule out of this query so you are notified rather than finding out on the bill.
//Detects if Microsoft Sentinel has been enabled or disabled on a Log Analytics Workspace.
AzureActivity  // source table: Azure control-plane operations (Caller, CallerIpAddress, Properties live here)
| where OperationNameValue in ("MICROSOFT.SECURITYINSIGHTS/ONBOARDINGSTATES/WRITE", "MICROSOFT.SECURITYINSIGHTS/ONBOARDINGSTATES/DELETE")
| where ActivityStatusValue == "Success"  // completed operations only, not failed or in-progress attempts
| where _ResourceId has "workspaces"      // limit to Log Analytics workspace resources
| extend Activity = case(OperationNameValue == "MICROSOFT.SECURITYINSIGHTS/ONBOARDINGSTATES/WRITE", "Log Analytic Workspace Security Insights Added",
                         OperationNameValue == "MICROSOFT.SECURITYINSIGHTS/ONBOARDINGSTATES/DELETE", "Log Analytic Workspace Security Insights Removed",
                         "unknown")
| extend ResourceGroup = tostring(parse_json(Properties).resourceGroup)
| extend x = tostring(parse_json(Properties).resource)
| parse x with ResourceName "/" *         // workspace name is the first segment of the resource path
| project TimeGenerated, OperationNameValue, Activity, ResourceGroup, ResourceName, Caller, CallerIpAddress
For more information on Microsoft Sentinel Pricing, check here.