Microsoft Sentinel is the cloud-native SIEM that runs on top of Log Analytics and bills on the data it ingests. The volume grows with every connector enabled, every data source onboarded, and every verbose log routed in for completeness rather than detection value. The result is one of the most volatile lines in the Azure profile. There is also a data grant that comes with M365 E5 that many organizations never claim. Most enterprises ingest far more into Sentinel than their detection rules ever evaluate, and they leave the E5 grant on the table. Sentinel is where security teams buy peace of mind by the gigabyte and finance discovers the bill after the fact.
Sentinel layers a per-gigabyte analytics charge on top of the underlying Log Analytics ingestion. The data flows into a workspace, incurs the Log Analytics ingestion charge, and then incurs the Sentinel analytics charge on the security data. The combined meter is the dominant cost, and it responds to the same data discipline that governs the broader observability estate plus a security-specific data grant.
Sentinel charges per gigabyte of security data ingested into the workspace on top of the Log Analytics rate. The volume is driven by the connectors enabled and the verbosity of the sources behind them. Firewall logs, network telemetry, and verbose endpoint data dominate most Sentinel workspaces. The meter is set by configuration choices the security team makes for completeness, not by a procurement decision.
Organizations with qualifying M365 E5 and related security subscriptions receive a per-user daily data grant that offsets Sentinel ingestion for specific Microsoft data sources. The grant is real and recurring, and many organizations never claim it because the entitlement lives in the licensing team while the Sentinel configuration lives in the security operations team. The two rarely meet.
Sentinel produces three recurring patterns of overspend. The dominant one is ingesting high-volume sources for coverage that no analytics rule evaluates. The second is leaving the M365 E5 data grant unclaimed. The third is paying the pay-as-you-go combined rate when the volume justifies a commitment tier.
Security teams onboard high-volume sources for the comfort of full coverage even when no detection rule, hunting query, or investigation ever touches the data. The meter charges for all of it. Routing low-value sources to the basic logs tier or filtering them at the connector preserves the coverage at a fraction of the cost.
The M365 E5 data grant offsets Sentinel ingestion for qualifying Microsoft sources, yet it sits unclaimed because no one reconciled the licensing entitlement against the Sentinel configuration. The grant is recurring. Every month it goes unclaimed is a month of ingestion paid that the entitlement already covered.
A Sentinel workspace ingesting a high and predictable daily volume bills at the pay-as-you-go rate when a commitment tier would discount the combined Log Analytics and Sentinel charge. The right tier depends on the steady-state volume after the data audit and the E5 grant are applied.
The Sentinel bill responds to three levers in sequence. A detection value audit removes the data that never feeds a rule. The E5 data grant offsets the qualifying Microsoft sources. The commitment tier then discounts the remaining predictable volume. Sequencing matters because committing before the audit and the grant locks in spend the optimization would have removed.
The cleanest saving is ingesting only the data that contributes to detection, hunting, or investigation. A detection value audit maps every connector and source against the analytics rules and queries that consume it. Sources that feed nothing are filtered, routed to cheaper tiers, or removed. The exercise frequently cuts the analytics ingestion by a third or more without weakening the security posture, because the removed data was never evaluated.
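One way to run the first pass of the detection value audit described above, as an added example that is not part of the original page: it cross-references per-table billable volume against the text of analytics rules and hunting queries. The volumes, rule names, and queries are constructed, and the match is a heuristic, since parsers, saved functions, workbooks, and watchlists can reference a table indirectly, so the output is a review list rather than a removal list.

```python
import re

# Constructed sample: billable GB per table over 30 days (the shape a summary
# of the workspace Usage table gives). Volumes are invented for illustration.
INGEST_GB = {
    "CommonSecurityLog": 4200.0, "AzureDiagnostics": 1900.0,
    "SecurityEvent": 1500.0, "Syslog": 900.0,
    "SigninLogs": 310.0, "OfficeActivity": 190.0,
}

# Constructed sample: KQL of enabled analytics rules and saved hunting queries.
QUERIES = {
    "rule: brute-force sign-in": """
        SigninLogs  // AzureDiagnostics join removed last quarter
        | where ResultType == "50126"
        | summarize Failures = count() by UserPrincipalName, bin(TimeGenerated, 1h)""",
    "rule: new local admin": """
        SecurityEvent | where EventID == 4732
        | extend Note = "see Syslog runbook" """,
    "hunt: mailbox forwarding": """
        OfficeActivity | where Operation == "New-InboxRule" """,
}

# One pass so a "//" inside a string, or a quote inside a comment, is handled.
_NOISE = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'|//[^\n]*')
_IDENT = re.compile(r"[A-Za-z_]\w*")

def tables_referenced(kql, known_tables):
    """Known table names used as identifiers, ignoring strings and comments."""
    return set(_IDENT.findall(_NOISE.sub(" ", kql))) & set(known_tables)

def detection_value_audit(ingest_gb, queries):
    """Return (consumers per table, unreferenced tables by volume, their share)."""
    consumers = {table: [] for table in ingest_gb}
    for name, kql in queries.items():
        for table in tables_referenced(kql, ingest_gb):
            consumers[table].append(name)
    unused = sorted((t for t in ingest_gb if not consumers[t]),
                    key=ingest_gb.get, reverse=True)
    total = sum(ingest_gb.values())
    share = sum(ingest_gb[t] for t in unused) / total if total else 0.0
    return consumers, unused, share

if __name__ == "__main__":
    consumers, unused, share = detection_value_audit(INGEST_GB, QUERIES)
    for table in unused:
        print(f"{table:20} {INGEST_GB[table]:8.0f} GB  no rule or hunt reads it")
    print(f"unreferenced share of billable volume: {share:.0%}")
```

Tables that surface here are candidates for connector filtering or a cheaper tier once the security operations team confirms that no investigation workflow depends on them.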
The right sized workspace then feeds the EA renewal and the Azure commitment, where the predictable Sentinel volume draws down at the contracted rate.
The M365 E5 data grant is reconciled against the Sentinel configuration so the qualifying Microsoft sources draw against the entitlement rather than the meter. The remaining predictable ingestion then qualifies for a commitment tier that discounts the combined Log Analytics and Sentinel rate against a daily volume commitment.
The commitment is sized against the post-audit, post-grant steady state so the discount applies to real volume rather than the inflated starting point.
Sentinel is consumption, so it negotiates inside the Azure commitment. The leverage sits in the commitment tier sizing, the E5 grant reconciliation that ties the M365 estate to the security operations spend, and the governance language that keeps the ingestion meter under control through the term.
The commitment tier discounts the combined ingestion rate against a daily volume commitment. Sizing it requires the post-audit and post-grant steady state rather than the inflated current volume. A buyer who commits to the cleaned volume captures the discount and avoids overcommitting to data the audit removed and the grant offset. The tier sits inside the Azure consumption commitment and draws down at the contracted rate.
The renewal is the moment to connect the M365 E5 entitlement to the Sentinel configuration so the data grant is claimed and the security operations spend reflects the licensing the organization already pays for. The reconciliation surfaces the unclaimed grant and frames the Sentinel commitment inside the broader M365 and Azure posture. The saving recurs and compounds across the term, and it stays invisible until the licensing and security teams are brought into the same analysis.
The Sentinel engagement is a detection value audit, an M365 E5 data grant reconciliation, a commitment tier sizing, and the governance framework that holds the ingestion meter through the term. The output is a SIEM line priced at the detection value it delivers rather than the data it accumulates.
We map every connector and data source feeding Sentinel against the analytics rules, hunting queries, and investigations that consume it. We identify the high-volume sources ingested for completeness that no detection ever evaluates and design the filtering and tiering that removes the cost without weakening coverage. The output is a materially smaller ingestion volume and a workspace configured for detection rather than collection.
We reconcile the M365 E5 data grant against the Sentinel configuration so the qualifying sources offset the meter, size the commitment tier against the cleaned volume, and install the governance that keeps the ingestion from regrowing. We bring the optimized position to the renewal so the commitment reflects reality. The output is a SIEM line that prices defensibly and stays under control across the term.
The Sentinel diagnostic audits the ingestion against the detection rules, claims the M365 E5 data grant, sizes the commitment tier to the cleaned volume, and installs the governance that holds the meter through the term. The result is a SIEM line priced at the detection value it delivers rather than the gigabytes it quietly accumulates.