Microsoft Sentinel is Microsoft's cloud native security information and event management (SIEM) platform, the rebrand of what many estates still call Azure Sentinel. It carries no per user license. The cost is a function of data: every gigabyte of logs ingested and analyzed, plus the retention that holds it. That model rewards discipline and punishes the default behavior of most deployments, which is to pipe every available log source into the workspace at full analytics rate and let retention run on. The bill scales with ingestion volume, arrives inside the Azure invoice, and grows silently as new connectors come online. Sentinel is where security spend is an ingestion decision, and where data tiering, commitment pricing, and retention policy move far more money than any feature negotiation.
Sentinel charges for data, not users. The two cost drivers are ingestion, the volume of logs analyzed, and retention, the period that data is held. Both are reachable by pricing levers most deployments never touch.
Ingestion is billed per gigabyte. The default is pay as you go, where every gigabyte costs the list rate. The commitment tiers reserve a daily volume at a materially lower rate per gigabyte, and any estate with steady, predictable ingestion above the tier threshold overpays every day it stays on pay as you go. The tier selection is the single largest ingestion lever.
Not every log needs full analytics treatment. The analytics tier supports the real time detection rules and hunting. The basic and auxiliary tiers ingest high volume, low value logs at a fraction of the analytics rate; they are meant for data that needs to be searchable but not continuously analyzed. Archive holds long retention data cheaply. Routing every source to analytics is the default that inflates the bill.
Sentinel produces three recurring exposures. The first is ingesting everything at full analytics rate. The second is staying on pay as you go when the volume justifies a commitment tier. The third is retaining data far longer and more expensively than the requirement needs.
The deployment connects every available source and routes all of it to the analytics tier. Verbose firewall, proxy, and informational logs that no detection rule ever queries get ingested at the full per gigabyte rate alongside the data that matters. The noise dominates the volume, the bill scales with it, and the basic and auxiliary tiers that exist for exactly this data sit unused.
The workspace runs on pay as you go long after the ingestion volume became steady and predictable. Every gigabyte bills at the list rate while a commitment tier would reserve the same volume far cheaper. Because the meter simply accrues inside the Azure invoice, the cheaper tier is never selected, and the estate pays the premium daily for a discount it qualifies for and never claims.
Data is held in the active analytics store far longer than the detection window requires, and longer than any compliance mandate specifies, at the active retention rate rather than the cheap archive rate. The retention setting is left at a conservative default and never tuned to the real requirement, so the workspace pays active prices for data that should have moved to archive or aged out entirely.
Sentinel responds to three levers. The ingestion review tiers the data and filters the noise. The commitment selection claims the volume discount. The retention policy moves data to the cheap store and ages out what no longer earns its place.
Every connected source is reviewed against the detection rules and hunting queries that actually use it. The high volume, low value logs move to the basic and auxiliary tiers, the noise that serves no rule is filtered at the source, and the free connectors are used where they exist. The analytics volume collapses to the data that earns the full rate, which is the largest recurring saving on the line.
The tiered ingestion then feeds the broader Azure commitment negotiated at the EA renewal.
Once the steady analytics volume is known, the commitment tier is selected to reserve it at the lower rate rather than paying the pay as you go premium every day.
The retention is tuned to the real detection and compliance window, with data moved to the cheap archive store beyond the active period and aged out when it no longer serves a purpose, so the workspace stops paying active prices for dormant data.
The Sentinel spend negotiates inside the broader Azure commitment, where the ingestion draws against the same commit and the security stack is priced as one position rather than a standalone meter.
Because Sentinel meters through Azure consumption, the tiered ingestion draws down the same Azure commitment as the rest of the estate. A buyer who models the steady analytics volume inside the total commit negotiates the consumption discount across the whole volume and sizes the commitment knowing the SIEM ingestion is part of it, rather than discovering the security meter after the commit level is set.
Sentinel, Defender for Cloud, and the Defender workloads describe one security operation, and they increasingly share data and unified management. A buyer who negotiates the ingestion volume, the commitment tier, and the Defender plans as a single position carries more leverage than pricing the SIEM meter alone. The Sentinel line is set inside the full security and Azure commitment.
The engagement is an ingestion and retention diagnostic, a commitment and tiering model, and the integration of the disciplined ingestion into the broader Azure and security negotiation. The output is a Sentinel meter sized to the data that earns its rate.
We profile every connected source against the detection rules and hunting that use it, identify the high volume noise and the data that belongs in basic, auxiliary, or archive, surface the free connectors in use elsewhere, and measure the steady analytics volume against the commitment tier thresholds. The output is a defensible picture of what to ingest, at what tier, and what to filter or archive.
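One way to start the source profiling described above, as an added example that is not part of the original page: a KQL query over the workspace's built-in `Usage` table, whose `Quantity` column is reported in MB. The 30 day window and the output column names are assumptions chosen for illustration.

```kusto
// Added example: billable ingestion profile per table over the last 30 days.
// Usage.Quantity is in MB, so dividing by 1000 gives GB.
Usage
| where TimeGenerated > ago(30d)          // assumed review window
| where IsBillable == true                // ignore free data types
// Step 1: one row per table per day
| summarize DailyGB = sum(Quantity) / 1000.0
    by DataType, Day = bin(TimeGenerated, 1d)
// Step 2: per-table statistics across the window
| summarize
    AvgDailyGB = round(avg(DailyGB), 2),            // typical daily volume
    P10DailyGB = round(percentile(DailyGB, 10), 2), // floor the table rarely drops below
    MaxDailyGB = round(max(DailyGB), 2),            // spike size
    TotalGB    = round(sum(DailyGB), 2)
    by DataType
| order by TotalGB desc                   // largest cost drivers first
```

The tables at the top of the result are the candidates to check against the detection rules and hunting queries that use them; summing `P10DailyGB` across the tables that stay in the analytics tier gives a conservative steady volume to compare with the commitment tier thresholds.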
We retier the ingestion, filter the noise, select the commitment tier for the steady volume, tune the retention to the real window, and fold the disciplined consumption into the broader Azure commit and security stack negotiation. We size the commitment knowing the SIEM meter is part of it. The output is a Sentinel line sized to data that earns its rate and defensible inside the Azure commitment.
The Sentinel diagnostic profiles every source against the rules that use it, retiers the high volume noise, claims the commitment discount on the steady volume, tunes the retention, and folds the disciplined ingestion into the Azure commit. The result is a SIEM meter sized to the data that earns its rate, not every log a connector can send.