Optimize your Microsoft Sentinel pricing

Introduction

That Microsoft Sentinel is built on Azure Log Analytics is no surprise to most people anymore. But I am a little surprised that many still don’t fully understand how Sentinel is priced, and aren’t aware that you still also need to pay for Log Analytics.

Wait, what?!

Yes, you read that correctly. When deploying Microsoft Sentinel you’re billed for every gigabyte you ingest into Sentinel on top of the costs you generate for ingesting that same gigabyte in the underlying Log Analytics Workspace.

Schematic to illustrate the additional Sentinel ingest fee on top of the already existing log analytics fee

How much does Sentinel cost?

This is hands-down the single most difficult question customers ask me, but it’s obviously understandable that they ask it as part of the project.

  1. You’re billed for data ingestion (per GB / month), and several pricing tiers with their respective discounts are available.
  2. Data retention is the last part of this equation. You get three months of data retention for free once the Sentinel solution is enabled. For every additional month you want to retain your data, you’re billed accordingly (per GB / month of extra retention), up to a limit of 730 days.

Both Sentinel and Log Analytics each have their own pricing tier options

Calculate pricing tier threshold values

“Please tell me. How much is enough?” — Skyler White

Screenshot of the Excel sheet which can calculate tier thresholds for you based on your own prices

Get-AzSentinelPriceRecommendation.ps1

The next step is to determine the average daily ingest rate for your (Sentinel) workspaces to see where you can save some money.

  • Next, it will perform a KQL query against each workspace to determine the average daily data ingest based on the last month.
  • These results are then compared with a fixed table of thresholds (set at the beginning of the script) to determine what the optimal pricing tier is.
  • Lastly, it will check if the Sentinel solution is enabled on the workspace and will repeat the comparison but now with a different table with different threshold values.
  • All results will be gathered in an overview and will automatically be exported as a CSV at the end.

This particular example highlights a workspace generating a daily average of 165 GB of data ingest. Based on the rates for this environment, it’s recommended to upgrade to a capacity reservation level for Log Analytics and Sentinel of 100 GB and 200 GB respectively.
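As an added illustration of the threshold calculation above and of the comparison the script performs (example code, not Get-AzSentinelPriceRecommendation.ps1 or the Excel sheet), the following derives the tier thresholds from prices instead of reading them from a fixed table and then picks the cheapest tier for a workspace's average daily ingest. All prices are constructed placeholders chosen so that the 165 GB example above reproduces; substitute your own rates. It assumes, as Microsoft bills, that a capacity reservation is paid in full even when ingest stays below the reserved level, and that ingest above the level is billed at that tier's effective per-GB price.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tier:
    name: str
    level_gb: int          # reserved GB/day; 0 means pay-as-you-go
    daily_price: float     # fixed daily price of the reservation (0 for pay-as-you-go)
    overage_per_gb: float  # price per GB ingested above the reserved level

# Constructed placeholder prices (not Microsoft list prices); replace with your own.
LOG_ANALYTICS = [
    Tier("PerGB2018", 0, 0.0, 2.50),
    Tier("CapacityReservation-100", 100, 200.0, 2.00),
    Tier("CapacityReservation-200", 200, 380.0, 1.90),
    Tier("CapacityReservation-300", 300, 540.0, 1.80),
]
SENTINEL = [
    Tier("PerGB", 0, 0.0, 2.00),
    Tier("CapacityReservation-100", 100, 150.0, 1.50),
    Tier("CapacityReservation-200", 200, 240.0, 1.20),
    Tier("CapacityReservation-300", 300, 345.0, 1.15),
]

def cost_per_day(tier, avg_daily_gb):
    """Daily cost of a tier; the reservation is paid in full even below its level."""
    overage = max(0.0, avg_daily_gb - tier.level_gb)
    return tier.daily_price + overage * tier.overage_per_gb

def thresholds(tiers):
    """Per tier: the daily ingest (GB) at which the next-higher tier becomes cheaper."""
    ordered = sorted(tiers, key=lambda t: t.level_gb)
    out = {}
    for lower, upper in zip(ordered, ordered[1:]):
        # Solve lower.daily_price + (x - level) * overage == upper.daily_price for x.
        out[lower.name] = lower.level_gb + (upper.daily_price - lower.daily_price) / lower.overage_per_gb
    return out

def recommend(tiers, avg_daily_gb):
    """Cheapest tier for the observed average daily ingest."""
    return min(tiers, key=lambda t: cost_per_day(t, avg_daily_gb))

def recommend_workspace(avg_daily_gb, sentinel_enabled):
    """One tier for Log Analytics and, if Sentinel is enabled, one for Sentinel, with combined daily cost."""
    la = recommend(LOG_ANALYTICS, avg_daily_gb)
    result = {"log_analytics": la.name, "daily_cost": cost_per_day(la, avg_daily_gb)}
    if sentinel_enabled:
        sn = recommend(SENTINEL, avg_daily_gb)
        result["sentinel"] = sn.name
        result["daily_cost"] += cost_per_day(sn, avg_daily_gb)
    return result
```

Calling `recommend_workspace(165, sentinel_enabled=True)` with these placeholder prices yields the 100 GB Log Analytics and 200 GB Sentinel reservations, and `thresholds(SENTINEL)` shows the 200 GB Sentinel tier paying off from 160 GB/day.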

ARM deployment

Most larger organizations leverage infrastructure-as-code principles to deploy their Azure resources, based on ARM or Bicep templates for example.

Microsoft documentation defines how to deploy the correct pricing “sku” for your Log Analytics workspace, but information about Sentinel’s “sku” is nowhere to be found!

Well, let me help you with that. Luckily, the sku can indeed be provided as part of the properties parameter inside the /solutions section of your template:

ARM template for Log Analytics with Microsoft Sentinel solution. Both with pay-per-GB pricing tier
ARM template for Log Analytics with Microsoft Sentinel with different capacity reservation pricing tiers

Dynamic SKU?

I hear you think “OK, that’s great and all. But what if I want a template to be used for multiple different workspaces each with a different SKU?”

Dynamic variables whose contents depend on the outcome of an if statement

Conclusion

I hope by sharing my insights and experiences others will benefit by optimizing their cost strategy. I hope a lot of costs will be saved by doing so! I’ve seen some very nice examples in the field already. 💰💰💰
