~£2.15: per GB ingested (PAYG rate)
5 MB: free daily ingestion per M365 E5 user
65%: typical saving from commitment tier vs PAYG

Microsoft Sentinel: The Licensing Architecture

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform built on Azure Log Analytics. Its licensing model has three fundamental components that operate independently: ingestion pricing (what you pay to bring data into Sentinel), retention pricing (what you pay to store data beyond the standard 90-day window), and specific feature add-ons (UEBA, data connector fees for specific sources).

The complexity of Sentinel licensing comes from the fact that not all ingestion is priced the same. Different log types route to different storage tiers with very different cost profiles — and the routing decisions you make at deployment determine 60–70% of your ongoing Sentinel cost. Getting these routing decisions right is the single most commercially significant technical decision in a Sentinel deployment.

Sentinel vs Log Analytics: Sentinel is deployed on top of an Azure Log Analytics Workspace. You pay for the Log Analytics workspace (ingestion and retention) and then Sentinel adds its security analytics, detection rules, and SOAR capabilities on top. In commercial terms, when people talk about "Sentinel pricing," they are almost always referring to the combined Log Analytics + Sentinel charges — not Sentinel in isolation. This distinction matters for cost modelling.

PAYG vs Commitment Tiers

Sentinel offers two pricing models for ingestion:

| Commitment Tier | GB/Day Minimum | Approx. Effective Rate (per GB) | Saving vs PAYG | Best For |
|---|---|---|---|---|
| PAYG | No minimum | ~£2.15/GB | Baseline | Pilots, very small deployments (<5 GB/day) |
| 100 GB/day | 100 GB | ~£1.40/GB | ~35% | Small to medium enterprise (100–300 users) |
| 200 GB/day | 200 GB | ~£1.25/GB | ~42% | Mid-size enterprise (300–800 users) |
| 300 GB/day | 300 GB | ~£1.15/GB | ~47% | Large enterprise (800–1,500 users) |
| 500 GB/day | 500 GB | ~£1.05/GB | ~51% | Enterprise (1,500–4,000 users) |
| 1,000 GB/day | 1,000 GB | ~£0.95/GB | ~56% | Large enterprise (4,000–8,000 users) |
| 2,000 GB/day | 2,000 GB | ~£0.85/GB | ~60% | Very large enterprise (8,000+ users) |
| 5,000+ GB/day | 5,000 GB | ~£0.70–0.80/GB | ~63–67% | Enterprise at scale (20,000+ users) |

Commitment tiers are billed daily. If you commit to the 100 GB/day tier and ingest 150 GB on a given day, the first 100 GB is charged at the commitment rate (~£1.40/GB) and the remaining 50 GB is charged at the standard PAYG rate (~£2.15/GB) — unless you have selected a higher commitment tier. This overage dynamic means tier selection must be based on typical ingestion volume, not peak volume.

The practical rule: select your commitment tier at approximately 80% of your average daily ingestion volume. This absorbs typical day-to-day variability without paying for committed capacity you do not use.
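
The billing rule and the 80% rule of thumb above, as a small cost model (an added example, not part of the original article). The rates are the approximate figures from the table, the ten-day ingestion series is constructed, and `overage_rate` is a parameter so the rate in your own agreement can be substituted.

```python
PAYG_RATE = 2.15  # GBP per GB, approximate PAYG figure from the table above
# Tier minimum (GB/day) -> approximate effective rate (GBP/GB), from the table above
TIERS = {100: 1.40, 200: 1.25, 300: 1.15, 500: 1.05, 1000: 0.95, 2000: 0.85}

# Constructed sample: ten days of ingestion in GB, averaging 150 GB/day with one spike
SAMPLE_VOLUMES = [120, 150, 160, 140, 150, 130, 170, 150, 90, 240]


def daily_cost(volume_gb, tier_gb=None, overage_rate=PAYG_RATE):
    """Cost of one day's ingestion; tier_gb=None means pure PAYG."""
    if tier_gb is None:
        return volume_gb * PAYG_RATE
    committed = tier_gb * TIERS[tier_gb]  # billed in full even on a quiet day
    overage = max(0.0, volume_gb - tier_gb) * overage_rate
    return committed + overage


def compare_tiers(volumes, overage_rate=PAYG_RATE):
    """Total period cost for PAYG (None) and every tier, cheapest first."""
    options = [None] + sorted(TIERS)
    totals = {t: sum(daily_cost(v, t, overage_rate) for v in volumes)
              for t in options}
    return sorted(totals.items(), key=lambda kv: kv[1])


def rule_of_thumb_tier(volumes):
    """Largest tier at or below 80% of average daily volume (None = stay on PAYG)."""
    target = 0.8 * sum(volumes) / len(volumes)
    eligible = [t for t in TIERS if t <= target]
    return max(eligible) if eligible else None


if __name__ == "__main__":
    for tier, total in compare_tiers(SAMPLE_VOLUMES):
        label = "PAYG" if tier is None else f"{tier} GB/day"
        print(f"{label:>12}: £{total:,.2f}")
    print("80% rule suggests:", rule_of_thumb_tier(SAMPLE_VOLUMES))
```

On the sample series the 200 GB/day tier covers the spike but costs more over the period than the 100 GB/day tier plus overage, which is why sizing to peak volume is the wrong basis.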

Free Data Sources: What You Are Not Paying For

One of Sentinel's most significant cost advantages over traditional SIEM platforms is its extensive list of free data connectors. These sources are ingested at zero incremental cost and can constitute 30–50% of total ingestion volume in a typical enterprise deployment:

Always Free (Zero Ingestion Cost)

The M365 E5 Free Ingestion Benefit

This is one of the most underutilised cost offsets in Sentinel deployments. M365 E5 customers receive 5 MB of free Sentinel data ingestion per licensed user per day. For a 2,000-user E5 deployment, this equals 10 GB/day free — approximately £7,665/month at PAYG rates, or around £92,000/year.

The free allocation covers: Entra ID sign-in logs and audit logs, Microsoft 365 audit logs, Defender for Office 365 alerts, Microsoft Defender XDR data (already free), and a broader category of "Microsoft Security" data types. The exact scope has expanded with each Microsoft product cycle — verify your current entitlement in the Azure portal under "Workspace Settings → Commitment Tier."

Many organisations are not claiming their E5 free ingestion: The benefit requires correct workspace configuration and linking. It is not automatic. An audit of Sentinel billing in E5 environments frequently reveals organisations paying for data they are entitled to receive free. Check your workspace configuration against current Microsoft documentation before assuming you are capturing the full benefit.

The Log Tier Architecture: The Most Important Cost Decision

Microsoft Sentinel (via Log Analytics) supports four distinct log tiers with very different cost profiles. Routing decisions — which log types go to which tier — are the primary lever for managing long-term Sentinel costs:

| Log Tier | Ingestion Cost | Retention | Query Cost | Best For |
|---|---|---|---|---|
| Analytics | Full price (commitment or PAYG) | 90 days included, then £0.012/GB/month | Included | High-value security logs needed for active detection and hunting |
| Basic Logs | ~£0.44/GB (80% reduction vs Analytics) | 8 days included | ~£0.63/GB queried | High-volume verbose logs needed for investigation, not continuous analysis |
| Auxiliary Logs | ~£0.10/GB (95% reduction vs Analytics) | 30 days included | ~£0.90/GB queried | Very high-volume noisy logs, primarily for compliance archiving |
| Archive | £0 (moved from Analytics/Basic) | Up to 12 years at ~£0.003/GB/month | ~£0.63/GB (restore first) | Long-term retention for compliance, rarely queried |

The routing principle: put only the logs you query continuously in the Analytics tier. Windows Security Events, Azure Diagnostic Logs, verbose application logs, and network firewall logs are the four most common sources of excessive Analytics-tier ingestion. A correctly architected Sentinel deployment routes these sources to Basic or Auxiliary tiers and queries them only when needed for investigations.
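
An added example (not from the original article) that applies the routing principle to the tier figures in the table above: sources that feed continuous detection stay in Analytics, and everything else goes to the tier with the lowest combined ingestion and query cost. The source names and volumes are constructed, the Analytics rate assumes the 100 GB/day commitment tier, and retention charges are ignored.

```python
ANALYTICS_RATE = 1.40  # GBP/GB; assumption: 100 GB/day commitment tier rate

# Tier -> (ingestion GBP/GB, query GBP per GB scanned), from the table above
TIER_PRICING = {
    "Analytics": (ANALYTICS_RATE, 0.0),  # queries included
    "Basic": (0.44, 0.63),
    "Auxiliary": (0.10, 0.90),
}

# Constructed sample: name -> (GB ingested/month, GB scanned/month, used by
# continuously running analytics rules?)
SOURCES = {
    "windows_security_filtered": (600, 0, True),
    "firewall": (3000, 200, False),
    "app_verbose": (1500, 4000, False),
}


def monthly_cost(tier, ingested_gb, scanned_gb):
    """Ingestion plus pay-per-query cost for one source in one tier."""
    ingest_rate, query_rate = TIER_PRICING[tier]
    return ingested_gb * ingest_rate + scanned_gb * query_rate


def break_even_scan_gb(tier, ingested_gb):
    """GB scanned per month above which Analytics becomes cheaper than `tier`."""
    ingest_rate, query_rate = TIER_PRICING[tier]
    return ingested_gb * (ANALYTICS_RATE - ingest_rate) / query_rate


def route(sources):
    """Pick a tier per source: Analytics if continuously queried, else cheapest."""
    plan = {}
    for name, (ingested, scanned, continuous) in sources.items():
        candidates = ["Analytics"] if continuous else list(TIER_PRICING)
        best = min(candidates, key=lambda t: monthly_cost(t, ingested, scanned))
        plan[name] = (best, round(monthly_cost(best, ingested, scanned), 2))
    return plan


if __name__ == "__main__":
    for name, (tier, cost) in route(SOURCES).items():
        print(f"{name:>26}: {tier:<9} £{cost:,.2f}/month")
    print("firewall break-even vs Basic:",
          round(break_even_scan_gb("Basic", 3000)), "GB scanned/month")
```

The heavily queried `app_verbose` source shows the other side of the trade: once the data scanned each month far exceeds the data ingested, the per-query charges on Basic and Auxiliary outweigh their ingestion discount.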

Windows Security Event Cost Optimisation

Windows Security Events are the single largest cost driver in most on-premises-heavy Sentinel deployments. The default Windows Security Events connector sends everything to the Analytics tier. A DCR (Data Collection Rule) that filters Windows events at collection — retaining only the events needed for active detection (Event IDs 4624, 4625, 4648, 4672, 4688, 4698, 4720, 4726, 4740, 4776 and their equivalents) and routing verbose categories to Basic Logs — reduces Windows Security Event ingestion by 40–65% with no meaningful reduction in detection coverage.

Network/Firewall Log Strategy

Firewall and network flow logs are a classic Auxiliary or Basic Logs candidate. They are essential for post-incident investigation and threat hunting but are rarely queried in continuous analytics rules. Routing these to Basic Logs typically reduces their per-GB cost by 80% with a marginal increase in query cost for the investigations where they are actually used.

UEBA Licensing

Sentinel's User and Entity Behaviour Analytics (UEBA) feature is licensed separately from core ingestion. UEBA analyses user and entity activity patterns to detect insider threats, compromised accounts, and lateral movement that signature-based rules miss.

UEBA pricing is approximately £1.97–£2.20 per active user per month at standard rates, with EA negotiation available. "Active" means users who have generated activity data in Sentinel — in practice, this is your entire licensed user population once M365 and Entra data is connected.

UEBA economics: for a 2,000-user organisation at £2.00/user/month, UEBA adds £48,000/year. The ROI case is legitimate for regulated industries with significant insider threat exposure (financial services, defence, healthcare) or environments that have had identity-related incidents. For organisations where the primary threat vector is external phishing and external attack, UEBA may be a lower priority than investing the same budget in commitment tier improvements or E5 Security.

Key commercial note: if your organisation holds M365 E5, you receive some UEBA-equivalent capabilities through Entra Identity Protection and Defender XDR behavioural analytics at no incremental cost. Evaluate how much incremental capability Sentinel UEBA adds over your existing E5 entitlements before committing.

Sentinel and the E5 Bundle Economics

Microsoft's commercial positioning increasingly frames Sentinel as a native component of the E5 Security and E5 Compliance investment. The commercial reality requires precision:

The realistic E5 + Sentinel cost model for a 2,000-user organisation:

This is a material investment that requires a genuine threat model justification. Organisations with sophisticated security operations teams who can operationalise Sentinel's detection and hunting capabilities will realise the value. Organisations buying Sentinel primarily for compliance box-ticking should model whether a simpler SIEM-lite approach meets their actual requirement at lower cost.

EA Negotiation Strategy for Sentinel

1. Negotiate Commitment Tier Pricing

Sentinel commitment tiers are published Azure pricing — but they are negotiable within an EA context, particularly when Sentinel is part of a larger Azure MACC commitment. Use your total Azure MACC volume as leverage to negotiate custom commitment tier rates below the published schedule. Reductions of 10–20% below published commitment tier rates are achievable for enterprise Azure commitments above £500K/year.

2. Azure MACC Coverage

Sentinel ingestion charges count toward Azure MACC (Monetary Azure Consumption Commitment) spend. If your organisation has an Azure MACC, Sentinel consumption draws down your committed Azure balance at MACC pricing rather than PAYG. This is a significant commercial consideration — an organisation with a £2M/year Azure MACC commitment should include Sentinel in the MACC draw-down plan. For more on MACC mechanics see our MACC negotiating leverage guide.

3. Ingestion Volume Commitment

For organisations with predictable log volumes, a longer-term commitment tier lock (12–36 months) can secure better per-GB rates than month-to-month tier selection. The trade-off is flexibility — if your log volumes decrease significantly (for example, due to cloud migration reducing on-premises log sources), a locked commitment tier may result in paying for capacity you no longer use. Negotiate explicit provisions allowing tier downgrade at quarterly intervals if ingestion volumes decrease by more than 20%.

4. Competitive Leverage

Sentinel competes directly with Splunk Enterprise Security, IBM QRadar, CrowdStrike Falcon LogScale, and Elastic SIEM. Microsoft's standard response is to emphasise native integration with Defender XDR and the free data sources — which is legitimate. The counter is that Splunk's SPL query language remains superior for advanced hunting in many analyst teams' experience, and that the locked-in Azure ecosystem has long-term commercial dependencies. Use genuine competitive evaluation as leverage, particularly if your security team has existing Splunk proficiency.

5. Data Connector Costs

Some Sentinel data connectors have ingestion fees beyond the standard per-GB rate. Third-party security product connectors (some SASE platforms, some EDR tools, certain ITSM integrations) may have Microsoft Sentinel-specific connector fees that are not part of the standard ingestion pricing. Audit which connectors your proposed architecture requires and verify whether any carry incremental licensing fees before finalising the deployment design.

Sentinel vs Third-Party SIEM: When to Choose Each

| Dimension | Microsoft Sentinel | Splunk Enterprise Security | CrowdStrike Falcon LogScale |
|---|---|---|---|
| Microsoft data integration | Native, deep, free sources | Good (via Microsoft add-ons) | Good but additional config |
| Query language | KQL (Kusto) — powerful, Microsoft-specific | SPL — industry standard, large talent pool | LogScale QL — fast, log-centric |
| Cost model | Consumption (GB/day) — variable | Consumption (GB/day) — generally higher | Consumption — typically competitive |
| SOAR capabilities | Native Logic Apps-based automation | SOAR add-on (SIEM Enterprise) | Limited native SOAR |
| Threat intelligence | MDTI included, large Microsoft TI network | ThreatConnect/ISAC integrations | Adversary intelligence via Falcon platform |
| Best for | Microsoft-heavy environments, cloud-native SOCs, Azure-first orgs | Mixed environments, advanced hunting, large analyst teams | Cloud-native endpoints, CrowdStrike EDR-centric orgs |
