Why Sentinel Costs Exceed Expectations

Microsoft Sentinel's pricing model differs fundamentally from the per-user subscription model that governs the rest of the M365 licensing stack. Sentinel charges per gigabyte of data ingested per day into the Analytics tier — not per user, not per seat, and not per alert. This creates an inherently unpredictable cost profile in environments where data volumes are not actively managed.

The most common source of budget overrun is the gap between pilot-phase data volumes and production-phase data volumes. During initial deployment, organisations typically connect only the free Microsoft data sources: Azure Activity Logs, M365 Audit Logs, and alerts from Defender products. These generate modest volumes and make Sentinel appear cost-effective. When the SOC team begins connecting production data sources — Windows Security Events, Syslog, network appliance logs, third-party security tool telemetry — data volumes increase by three to eight times, and the billing shock follows.

A second common issue is retention misconfiguration. Sentinel includes 90 days of interactive retention for the Analytics tier at no additional cost. Data retained beyond 90 days in the Analytics tier incurs charges at approximately $0.12 per GB per month. Organisations that have not configured retention policies allow hot Analytics-tier data to accumulate well beyond the operational query window, paying Analytics-tier rates for data that no one queries after the first 30 to 60 days.

The Sentinel Data Tier Architecture

Sentinel's cost optimisation framework starts with understanding the three data tiers and which data belongs in each one.

Analytics Tier

The Analytics tier is the primary operational tier. Data in this tier is fully queryable using KQL, supports all workbooks, alerts, and SOAR playbooks, and is the only tier where real-time detection rules run. Analytics tier pricing runs from $2.46 per GB per day pay-as-you-go down to commitment tier rates starting at 50 GB per day (promotional pricing through June 2026) with savings up to 52 percent. Only data that is actively used for detection, investigation, or operational response belongs in the Analytics tier.

Basic Logs Tier

The Basic Logs tier was significantly enhanced in 2025 and 2026. Basic Logs now supports 30 days of interactive retention (up from 8 days) and full KQL on single-table queries, including lookups to Analytics tables. Pricing is lower than the Analytics tier and is charged as a flat rate per GB ingested. Basic Logs is best suited for high-volume, low-detection-value data: verbose diagnostic logs, DNS query logs, network flow records at scale, and application telemetry that is valuable for investigation but does not drive real-time detection. Routing appropriate data to Basic Logs rather than the Analytics tier can reduce Sentinel spend by 15 to 30 percent for high-volume deployments.

Archive Tier

Archive tier provides long-term retention at approximately $0.02 per GB per month — the lowest cost storage tier in the Sentinel framework. Data in Archive is not interactively queryable but can be searched through a Search Job and restored to the Analytics tier for full KQL access. Archive tier supports retention up to seven years, making it the correct destination for compliance-driven log retention requirements where data must be preserved but is queried only during investigations or regulatory requests. Organisations with regulatory retention requirements of more than 90 days for specific log types should route those logs to Archive rather than extending Analytics retention.


Commitment Tier Optimisation

The single highest-impact Sentinel cost optimisation for organisations ingesting more than 50 GB per day is commitment tier selection. Commitment tiers provide predictable pricing in exchange for a daily minimum ingestion commitment, with savings of up to 52 percent versus pay-as-you-go. The 50 GB commitment tier, introduced in public preview in October 2025 and available with promotional pricing through June 2026, gives smaller Sentinel deployments access to commitment economics previously only available to organisations above the 100 GB per day threshold.

Commitment tiers can be upgraded at any time and downgraded after 31 days, which provides meaningful flexibility for organisations whose data volumes are growing. The right approach is to set the commitment tier at 80 to 90 percent of your average 90-day daily ingestion volume, maintaining a buffer for volume spikes that will be priced at the overage rate rather than triggering a tier upgrade commitment. Monitoring daily ingestion through the Sentinel Cost Management workbook and adjusting the commitment tier quarterly prevents both overpayment through excess commitment and bill shock from persistent overages on a commitment set too low.
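The sizing rule above (commit at 80 to 90 percent of the 90-day average, let spikes fall to overage) is easy to check against a workspace's own ingestion history. The script below is an added example, not code from the article or from Microsoft: it takes a 90-day series of daily GB, subtracts the free grant the article describes as a flat daily deduction (an assumption), picks the largest tier inside the band, and compares the period cost of pay-as-you-go with the commitment plus overage. The $2.46 pay-as-you-go rate and the 50 GB tier level come from the article; the per-GB rates in the tier table are labelled placeholders, not published Microsoft prices, and overage is assumed to bill at the chosen tier's own rate unless another rate is supplied.

```python
"""Commitment tier sizing from a 90-day ingestion history.

Added example (not from the article or Microsoft). The 80-90 percent band and
the 50 GB tier come from the article; the per-GB commitment rates below are
illustrative placeholders, not Microsoft list prices.
"""
from dataclasses import dataclass
from statistics import mean

PAYG_RATE_PER_GB = 2.46  # pay-as-you-go rate quoted in the article


@dataclass(frozen=True)
class CommitmentTier:
    gb_per_day: int       # daily minimum the customer commits to
    rate_per_gb: float    # effective price per GB at this tier (placeholder)


# Hypothetical tier table. Rates are placeholders chosen to sit within the
# "up to 52 percent" saving the article quotes; they are not published prices.
TIERS = (
    CommitmentTier(50, 2.00),
    CommitmentTier(100, 1.50),
    CommitmentTier(200, 1.40),
    CommitmentTier(500, 1.25),
)


def chargeable_daily_volume(daily_gb, free_grant_gb=0.0):
    """Remove the free M365 grant from each day's volume before sizing.
    Assumption: the grant is modelled as a flat daily deduction."""
    return [max(0.0, gb - free_grant_gb) for gb in daily_gb]


def recommend_tier(daily_gb, tiers=TIERS, low=0.8, high=0.9):
    """Largest tier whose commitment is at most `high` x the period average.
    Returns (tier, within_band). within_band is False when the tier sits
    below `low` x average, meaning persistent overage should be expected.
    Returns (None, False) when even the smallest tier is too large."""
    avg = mean(daily_gb)
    eligible = [t for t in tiers if t.gb_per_day <= high * avg]
    if not eligible:
        return None, False
    tier = max(eligible, key=lambda t: t.gb_per_day)
    return tier, tier.gb_per_day >= low * avg


def payg_cost(daily_gb):
    """Cost of the whole period at the pay-as-you-go rate."""
    return round(sum(daily_gb) * PAYG_RATE_PER_GB, 2)


def commitment_cost(daily_gb, tier, overage_rate_per_gb=None):
    """Pay the full commitment every day; bill volume above it as overage.
    Assumption: overage bills at the tier's own rate unless one is given."""
    overage_rate = tier.rate_per_gb if overage_rate_per_gb is None else overage_rate_per_gb
    total = 0.0
    for gb in daily_gb:
        total += tier.gb_per_day * tier.rate_per_gb
        if gb > tier.gb_per_day:
            total += (gb - tier.gb_per_day) * overage_rate
    return round(total, 2)


# Constructed 90-day history (not real data): quiet weeks, a baseline, a spike.
SAMPLE_90_DAYS = [95.0] * 20 + [115.0] * 60 + [160.0] * 10

if __name__ == "__main__":
    tier, ok = recommend_tier(SAMPLE_90_DAYS)
    print(f"recommended tier: {tier.gb_per_day} GB/day, within 80-90% band: {ok}")
    print(f"PAYG over 90 days:       ${payg_cost(SAMPLE_90_DAYS):,.2f}")
    print(f"Commitment over 90 days: ${commitment_cost(SAMPLE_90_DAYS, tier):,.2f}")
```

Replace `SAMPLE_90_DAYS` with the daily totals exported from the Cost Management workbook and the placeholder rates with the figures on your own price sheet; the `within_band` flag is the signal to revisit the tier at the quarterly review.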

Free Data Sources: Maximise the Grant

M365 E5 customers receive a 5 MB per user per day Microsoft 365 data grant for Sentinel ingestion — effectively free ingestion for a defined volume of Microsoft 365 telemetry. For a 3,000-user E5 deployment, this represents 15 GB per day of free M365 data. The grant covers Microsoft 365 Audit Logs, Azure Activity Logs, and alerts and incidents from Microsoft Defender products.

Maximising the grant means ensuring every qualifying free data source is connected and configured before adding any chargeable sources. The free data sources provide meaningful detection coverage for Microsoft-ecosystem threats (identity attacks, email phishing, cloud app misuse) and form the foundation of most Sentinel deployments. Connecting these sources costs nothing and provides immediate detection value across Entra ID, Exchange Online, SharePoint, Teams, and Defender products.

Beyond the M365 grant, several additional data sources carry no Sentinel ingestion charge: Microsoft Defender XDR incidents and alerts, Azure Policy Activity, Microsoft Entra audit and sign-in logs at standard verbosity, and Microsoft Defender for Cloud alerts. Structuring the Sentinel data architecture to route these sources correctly before adding paid sources is a basic but frequently overlooked optimisation.

Data Ingestion Reduction Strategies

Reducing the volume of chargeable data ingested into the Analytics tier — without removing detection coverage — is the second major optimisation lever after commitment tier selection.

Log Filtering at the Source

Windows Security Events are among the most common chargeable Sentinel data sources and among the highest-volume. The default Windows Security Event log collection policy transmits all events including low-value, high-frequency categories (logon/logoff events for system accounts, scheduled task execution, verbose process creation at scale). Defining a targeted collection policy that captures security-relevant events (account management, privilege use, object access for sensitive resources) while excluding noise categories can reduce Windows Security Event volume by 40 to 60 percent without removing meaningful detection signal.

Syslog Filtering

Syslog sources — Linux hosts, network appliances, firewalls — generate extremely high volumes of informational and debug-level messages that carry no security value. Configuring Syslog collection to capture only warning, error, and critical severity levels from relevant facilities (auth, kern, daemon) while discarding informational messages reduces Syslog ingestion volume by 50 to 80 percent for most environments. Firewall deny logs filtered to exclude known-good traffic patterns (internal DHCP, DNS, NTP) further reduce ingestion without removing attack-relevant signal.
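Before changing a collector's facility and severity selection it is worth estimating what the policy above would actually save on a sample of real lines. The following is an added example, not code from the article or from any Microsoft tool: it decodes the RFC 3164 `<PRI>` header (facility * 8 + severity), keeps only the auth, kern and daemon facilities at warning severity or worse, and reports the byte-volume reduction. The sample lines are constructed for the illustration. The filtering itself belongs in rsyslog/syslog-ng or in the Syslog data collection rule's facility and minimum-severity selection; this script only measures the effect of that policy.

```python
"""Estimate the ingestion saving from facility/severity Syslog filtering.

Added example (not from the article or Microsoft). Parses the RFC 3164 <PRI>
header of constructed sample lines, applies the facility/severity policy the
article recommends and reports the byte-volume reduction.
"""
import re

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
# Index position is the numeric severity: 0 = emerg ... 7 = debug.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility_name, severity_name) from the <PRI> header, or None.
    PRI = facility * 8 + severity; facilities 16-23 are local0-local7."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    fac, sev = divmod(pri, 8)
    name = FACILITIES.get(fac, f"local{fac - 16}" if fac >= 16 else f"facility{fac}")
    return name, SEVERITIES[sev]


def filter_syslog(lines, facilities=("auth", "kern", "daemon"), max_severity="warning"):
    """Keep lines from the listed facilities at max_severity or more severe.
    Lines without a valid header are kept so nothing unparseable is dropped
    silently; review those separately rather than filtering them blind."""
    cutoff = SEVERITIES.index(max_severity)
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            kept.append(line)
            continue
        fac, sev = parsed
        if fac in facilities and SEVERITIES.index(sev) <= cutoff:
            kept.append(line)
    return kept


def reduction_percent(original, kept):
    """Percentage of byte volume the filter removes (what the bill tracks)."""
    before = sum(len(line.encode()) for line in original)
    after = sum(len(line.encode()) for line in kept)
    return round(100.0 * (before - after) / before, 1) if before else 0.0


# Constructed sample lines (not real logs); PRI values chosen to cover the cases.
SAMPLE_LINES = [
    "<38>Mar 10 12:00:01 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5",  # auth.info: drop
    "<36>Mar 10 12:00:07 web01 sshd[2214]: Failed password for root from 10.0.0.9",       # auth.warning: keep
    "<2>Mar 10 12:00:09 web01 kernel: Out of memory: Killed process 4412 (java)",          # kern.crit: keep
    "<30>Mar 10 12:00:10 web01 systemd[1]: Started Daily apt download activities.",        # daemon.info: drop
    "<27>Mar 10 12:00:12 web01 cron[901]: (CRON) error (grandchild failed)",               # daemon.err: keep
    "<86>Mar 10 12:00:15 web01 sudo: pam_unix(sudo:session): session opened for root",    # authpriv.info: drop
    "<14>Mar 10 12:00:20 web01 app[777]: request served in 12ms",                         # user.info: drop
    "<134>Mar 10 12:00:21 web01 nginx: GET /healthz 200",                                 # local0.info: drop
]

if __name__ == "__main__":
    kept = filter_syslog(SAMPLE_LINES)
    print(f"kept {len(kept)} of {len(SAMPLE_LINES)} lines, "
          f"{reduction_percent(SAMPLE_LINES, kept)}% fewer bytes")
```

Note that `authpriv` is dropped by the default facility list exactly as the article's list implies; sudo and PAM session events often live there, so run the script over a day of real exports before committing to the facility set, and widen it where the detection rules need those events.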

Data Collection Rules for Azure Monitor

Azure Monitor Data Collection Rules (DCRs) allow organisations to filter and transform log data before ingestion into Sentinel, which avoids ingestion charges for data that would be filtered or discarded in Sentinel queries. Applying DCR-level filtering to high-volume diagnostic sources — AKS pod logs, App Service logs, SQL diagnostic telemetry — removes ingestion cost for data with no security detection value while preserving operational visibility in Log Analytics.

Workspace Consolidation

Organisations running multiple Sentinel workspaces — a common pattern in large enterprises with regional compliance requirements or departmental SOC teams — often pay more than necessary due to sub-optimal commitment tier placement. Each workspace must individually meet its commitment tier threshold for optimal pricing. Consolidating workspaces to fewer high-volume deployments improves commitment tier efficiency and reduces operational overhead. The compliance and data sovereignty considerations must be evaluated before consolidation, but for organisations with multiple workspaces in the same region without regulatory separation requirements, consolidation typically reduces total Sentinel cost by 10 to 20 percent.

Retention Optimisation

Retention configuration has a material impact on Sentinel cost, particularly for organisations with regulatory requirements to retain logs beyond the 90-day Analytics tier default. The optimal retention strategy routes data to the lowest-cost tier appropriate to its operational and compliance access requirements.

For operational security data — endpoint telemetry, authentication logs, network flow records — 30 to 90 days of Analytics retention is typically sufficient. Security investigations rarely require raw log access beyond 60 days for incident response, and 90 days covers most regulatory investigation timelines. Extending Analytics retention beyond 90 days to 180 days at $0.12 per GB per month adds meaningful cost for high-volume data types without proportional operational value.

For compliance retention — audit logs, communication records, eDiscovery-relevant data — the Archive tier at $0.02 per GB per month provides the correct cost-to-access profile. Data is preserved at minimal cost, searchable via Search Jobs for compliance investigations, and restorable to Analytics for full query access when required. Seven-year archive retention for compliance data through Sentinel's Archive tier is significantly cheaper than extended Analytics retention or third-party log management platforms.
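The tier rates quoted in the data tier section and the retention strategy above reduce to a simple steady-state model: once a table's retention window has filled, every day's ingestion beyond the free 90 days is billed each month at the tier's retention rate. The script below is an added example, not code from the article or from Microsoft, using only the article's figures (90 free Analytics days, about $0.12 per GB per month for Analytics beyond that, about $0.02 per GB per month for Archive). Basic Logs is left out because the article gives no per-GB retention rate for it, and the per-table inventory is constructed for the illustration.

```python
"""Steady-state monthly cost of retaining Sentinel data beyond 90 days.

Added example (not from the article or Microsoft). Rates are the article's
figures: 90 days of Analytics interactive retention are free, Analytics
retention beyond 90 days is ~$0.12/GB/month and Archive is ~$0.02/GB/month.
"""
FREE_ANALYTICS_DAYS = 90
RETENTION_RATE_PER_GB_MONTH = {"analytics": 0.12, "archive": 0.02}


def retained_gb_beyond_free(gb_per_day, retention_days, free_days=FREE_ANALYTICS_DAYS):
    """GB sitting past the free window once the retention window has filled."""
    return gb_per_day * max(0, retention_days - free_days)


def extended_retention_monthly_cost(gb_per_day, retention_days, tier):
    """Monthly charge for the data beyond the free 90 days held in `tier`."""
    rate = RETENTION_RATE_PER_GB_MONTH[tier]
    return round(retained_gb_beyond_free(gb_per_day, retention_days) * rate, 2)


def retention_savings(tables):
    """For each table {name: (gb_per_day, retention_days)}, the monthly saving
    from moving everything beyond day 90 to Archive while keeping the same
    total retention period (the article's recommendation for compliance data)."""
    savings = {}
    for name, (gb, days) in tables.items():
        current = extended_retention_monthly_cost(gb, days, "analytics")
        proposed = extended_retention_monthly_cost(gb, days, "archive")
        savings[name] = round(current - proposed, 2)
    return savings


# Constructed per-table inventory (not a real workspace).
SAMPLE_TABLES = {
    "SecurityEvent": (100.0, 180),   # 180 days in Analytics, queried only in the first 60
    "OfficeActivity": (20.0, 2555),  # seven-year compliance retention kept in Analytics
    "SigninLogs": (10.0, 90),        # already at the free window: nothing to save
}

if __name__ == "__main__":
    for table, saving in retention_savings(SAMPLE_TABLES).items():
        print(f"{table:16s} saves ${saving:,.2f}/month by archiving past day 90")
```

Populate `SAMPLE_TABLES` from the per-table retention settings in the workspace (the action list at the end of the article asks for exactly that inventory); tables whose saving is zero are already at the free window, and the rest are candidates for an Archive policy or, for operational data nobody queries after 60 days, a shorter Analytics retention.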

"The three questions every Sentinel deployment should answer quarterly: Is our commitment tier correctly sized to our actual ingestion volume? Are we routing high-volume, low-value logs to Basic Logs or Archive? Are we retaining Analytics-tier data beyond its operational query window?"

The E5 Data Grant: Making It Count

For organisations on M365 E5 or the new E7 Frontier Suite, the 5 MB per user per day Sentinel data grant represents meaningful cost avoidance. A 5,000-user E5 deployment generates a 25 GB per day free ingestion allowance. At pay-as-you-go pricing ($2.46 per GB per day), this equates to $61.50 per day or $22,447 per year in avoided Sentinel charges — and at commitment tier rates, the effective value is even higher since the free grant reduces the chargeable volume that determines commitment tier sizing.

Organisations on E5 that have not connected their Microsoft data sources to Sentinel are leaving the data grant unrealised while still paying E5 licensing costs. Connecting all qualifying free sources should be the first action in any Sentinel optimisation engagement, regardless of whether chargeable source optimisation follows immediately.

Six Sentinel Optimisation Actions to Take Now

1. Audit your current daily ingestion volume by data source. Use the Sentinel Cost Management workbook to identify the top five data sources by volume and cost. Most organisations find that two or three sources account for 60 to 70 percent of total ingestion cost.

2. Move to a commitment tier if you are on pay-as-you-go above 50 GB per day. The 50 GB commitment tier promotional pricing (available through June 2026) is the most accessible entry point to commitment economics. Savings of 25 to 52 percent versus pay-as-you-go are available immediately.

3. Evaluate your Windows Security Event collection policy. Default collection is over-inclusive for most environments. Targeted collection reduces volume by 40 to 60 percent. Use the Common or Minimal collection profile as a starting point and add specific event IDs for your detection use cases.

4. Classify data sources by detection value and route appropriately. High-detection-value sources (authentication events, process creation, network connection logs for critical assets) belong in Analytics. Verbose diagnostic logs, informational Syslog, and compliance archives belong in Basic Logs or Archive.

5. Review retention configuration for all Analytics tier tables. Identify tables with retention set beyond 90 days and evaluate whether the extended retention serves operational needs. Transition compliance-retention data to Archive tier.

6. Validate your E5 data grant connection. Confirm all qualifying Microsoft 365 and Defender free data sources are connected and routing to the correct workspace to maximise grant utilisation before adding chargeable sources.

Get the Sentinel Cost Optimisation Checklist

Our full Sentinel optimisation checklist and commitment tier calculator are available from the Microsoft knowledge hub.

Client outcome: A European financial institution was ingesting 180 GB/day into Microsoft Sentinel on a Pay-As-You-Go basis at $2.03/GB. Redress restructured the commitment tier, implemented Basic Logs for low-value sources, and established archive policies for compliance-only data. Monthly Sentinel spend dropped from $365,000 to $174,000 — a 52% reduction with no reduction in detection capability.
Morten Andersen
Co-Founder, Redress Compliance

Morten Andersen is a Co-Founder of Redress Compliance and a specialist in Microsoft Enterprise Agreement strategy, security licensing optimisation, and M365 cost benchmarking. He has led 200+ Microsoft EA engagements across EMEA and North America, working exclusively on the buyer side. Redress Compliance is Gartner recognised and has completed 500+ enterprise software licensing engagements.
