Microsoft Sentinel Pricing 2026: Pay-As-You-Go, Commitment Tiers, and Real Costs
Microsoft Sentinel is the fastest-growing cloud SIEM and often the cheapest option for Microsoft-centric environments. But its pricing structure -- layered on top of Azure Log Analytics -- can be confusing. This guide cuts through the complexity with real numbers and honest analysis.
Sentinel Pricing at a Glance
Microsoft Sentinel's pricing is built on Azure Log Analytics, which means you pay for two things: data ingestion into the Log Analytics workspace, and Sentinel's security analytics layer on top. In practice, the Sentinel charge is the dominant cost, and Microsoft bundles them together in their commitment tier pricing. The key to controlling Sentinel costs is understanding the three ingestion tiers (Analytics, Basic Logs, and Archive) and which data belongs in each.
The single biggest cost advantage Sentinel has over competitors is free ingestion for Microsoft data sources. If your organisation runs Microsoft 365 E5, Azure Active Directory P2, and Microsoft Defender products, the sign-in logs, audit logs, security alerts, and activity data from these sources are ingested at no additional charge. For a 1,000-employee Microsoft shop, this free ingestion can represent 30-50% of total log volume, dramatically reducing the effective per-GB cost.
However, the "free data" advantage has limits. Third-party firewall logs, Linux syslog, custom application logs, and cloud infrastructure logs from AWS or GCP are all charged at full rates. Organisations with heterogeneous environments find that free Microsoft data covers only a fraction of their total SIEM needs. The honest assessment: Sentinel is the clear pricing winner for Microsoft-dominated environments and competitive but not dominant for mixed environments.
Commitment Tier Pricing Breakdown
Commitment tiers lock in a daily ingestion volume at a discounted rate. Any volume above the commitment is charged at PAYG rates. Tiers auto-renew daily and can be changed at any time.
| Tier | Daily Cost | Effective $/GB | Savings vs PAYG | Monthly Cost |
|---|---|---|---|---|
| Pay-As-You-Go | No minimum | $5.20 | Baseline | $5.20/GB |
| 100 GB/day | $296/day | $2.96 | 43% | $8,880/mo |
| 200 GB/day | $572/day | $2.86 | 45% | $17,160/mo |
| 300 GB/day | $828/day | $2.76 | 47% | $24,840/mo |
| 400 GB/day | $1,064/day | $2.66 | 49% | $31,920/mo |
| 500 GB/day | $1,230/day | $2.46 | 53% | $36,900/mo |
The commitment tier decision is straightforward: if you consistently ingest 100+ GB/day, the commitment tier pays for itself within the first month. The 43% savings at the 100 GB/day tier means you save approximately $224/day or $6,720/month compared to PAYG. Even if your actual volume fluctuates between 80-120 GB/day, the commitment tier is still cheaper because the excess (over 100 GB/day) is charged at PAYG rates while the base 100 GB enjoys the discounted rate.
Promotional: 50 GB/day tier. Microsoft launched a promotional 50 GB/day commitment tier in October 2025, available through June 2026. This tier is aimed at mid-market organisations that ingest too much for PAYG to make sense but less than the standard 100 GB/day minimum commitment. If your daily volume sits in the 40-80 GB/day range, check the Azure portal for availability -- this tier may not be visible in all regions or documentation.
A common mistake is over-committing. If you commit to 200 GB/day but consistently ingest only 120 GB/day, you are paying for 80 GB/day of unused capacity. The unused volume is not refunded or rolled over. The safest approach is to commit at your minimum consistent daily volume and let spikes be handled at PAYG rates. Monitor your ingestion patterns for 30-60 days before committing, and review your tier quarterly.
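The tier decision described above, worked through as an added example (not from the original guide or from Microsoft): it prices a series of daily volumes under PAYG and every commitment tier, charging overage at PAYG and never refunding unused commitment. Rates come from the table above; the function names and the two 30-day volume series are constructed for illustration.

```python
# Added example: rates copied from the page's commitment tier table (USD).
PAYG_PER_GB = 5.20
TIERS = {100: 296, 200: 572, 300: 828, 400: 1064, 500: 1230}  # GB/day -> $/day


def daily_cost(gb, tier=None):
    """One day's charge: pure PAYG, or flat tier price plus PAYG overage."""
    if tier is None:
        return gb * PAYG_PER_GB
    # Unused commitment is not refunded, so the flat price is always owed.
    return TIERS[tier] + max(0.0, gb - tier) * PAYG_PER_GB


def compare(volumes):
    """Total cost of a series of billable GB/day values under every option."""
    options = [None] + sorted(TIERS)  # None stands for PAYG
    return {t: round(sum(daily_cost(v, t) for v in volumes), 2) for t in options}


def best_option(volumes):
    """Return (cheapest option, all totals) for the observed volumes."""
    costs = compare(volumes)
    return min(costs, key=costs.get), costs


def switch_point(lower, higher):
    """Steady GB/day above which `higher` beats `lower` (None = PAYG).

    Valid while the result stays below `higher`, which holds for adjacent tiers.
    """
    base_gb = lower or 0
    base_price = TIERS.get(lower, 0)
    return round(base_gb + (TIERS[higher] - base_price) / PAYG_PER_GB, 2)


# Constructed samples: 30 days of *billable* GB/day (free Microsoft sources excluded).
FLUCTUATING = [80, 90, 100, 110, 120] * 6   # the 80-120 GB/day case
STEADY_120 = [120] * 30                     # the over-commit case

if __name__ == "__main__":
    for name, series in (("fluctuating", FLUCTUATING), ("steady 120", STEADY_120)):
        choice, costs = best_option(series)
        print(name, "-> cheapest:", choice or "PAYG", costs)
    print("PAYG -> 100 tier above", switch_point(None, 100), "GB/day")
    print("100 -> 200 tier above", switch_point(100, 200), "GB/day")
```

At these rates the 200 GB/day tier only beats the 100 GB/day tier once steady volume passes roughly 153 GB/day, which is why a 120 GB/day workload is cheaper on the lower commitment with overage.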
The Free Data Advantage and Its Limits
Free Ingestion Sources
- Azure Activity Logs
- Azure AD Sign-in and Audit Logs (with P1/P2)
- Microsoft 365 Audit Logs (with E5/A5/G5)
- Microsoft Defender for Endpoint alerts
- Microsoft Defender for Cloud alerts
- Microsoft Defender for Identity alerts
- Microsoft Cloud App Security alerts
- Office 365 Management Activity data
Always Paid Sources
- Third-party firewall logs (Palo Alto, Fortinet, etc.)
- Linux syslog and audit logs
- AWS CloudTrail and VPC Flow Logs
- GCP audit and flow logs
- Custom application logs (via CEF/Syslog/API)
- Network device logs (switches, routers)
- DNS query logs (from non-Microsoft DNS)
- Endpoint telemetry from non-Microsoft EDR
The free data advantage is substantial but often overestimated. In a typical 500-employee Microsoft-dominant environment, free Microsoft sources might generate 15-25 GB/day out of a total 50-80 GB/day of security-relevant logs. That means 25-40% of your ingestion is free -- meaningful, but you are still paying full rates on the majority of your data.
Basic Logs at $1.64/GB offer a middle ground for data that needs to be retained but rarely searched. The trade-offs are significant: only 8 days of interactive retention (vs 90+ days for Analytics logs), no scheduled alert rules, and limited KQL functionality. Search queries cost $0.013/GB scanned, which adds up during incident investigations that scan months of archived Basic Logs data. The ideal use case is high-volume, low-signal data like verbose firewall accepts, DNS queries, and web proxy logs.
For long-term retention beyond 90 days, the archive tier at $0.02/GB/month is the most cost-effective option. Archived data can be restored to an active table for investigation, with restoration taking minutes to hours depending on volume. For compliance-driven retention (PCI-DSS requires 1 year, HIPAA up to 6 years), the archive tier makes Sentinel competitive with on-premises solutions that use cheap disk storage for long-term logs.
Real-World Sentinel Cost Scenarios
- SMB (Microsoft Shop): 50% free ingestion from M365 E5
- Mid-Market: Consider 100 GB commitment tier
- Mid-Market (Committed): 43% savings vs PAYG
- Enterprise: 47% savings, add staffing $390K
- Large Enterprise: Blended rate with PAYG overage
These scenarios demonstrate Sentinel's cost competitiveness, particularly for Microsoft-dominant environments. The SMB scenario at $9,480 per year in licensing is remarkably affordable -- less than a single security analyst's salary. However, even at this scale, staffing costs ($130,000+ for one analyst) dwarf the platform cost. This is why managed SIEM services are often the most cost-effective option for small organisations. See our managed SIEM pricing guide.
At enterprise scale, the comparison with Splunk becomes compelling. A 300 GB/day Sentinel deployment at $298,080 per year compares to $360,000-$600,000 for equivalent Splunk Cloud licensing. Even adding Azure infrastructure costs for Log Analytics workspace storage, Sentinel maintains a 40-50% cost advantage. The trade-off is Splunk's deeper analytics capabilities and larger ecosystem -- a choice that depends on your team's expertise and use case complexity.
Microsoft Sentinel Pricing FAQ
How much does Microsoft Sentinel cost per GB?
Microsoft Sentinel charges $5.20 per GB on the pay-as-you-go tier. Commitment tiers offer significant discounts: 100 GB/day costs $296/day (effective $2.96/GB, a 43% saving), 200 GB/day costs $572/day ($2.86/GB), and 500 GB/day costs $1,230/day ($2.46/GB). Additionally, certain Microsoft data sources are ingested free of charge when you have the appropriate Microsoft 365 licenses, which can dramatically reduce your effective per-GB cost depending on your log source mix.
Is Microsoft Sentinel free with E5 licensing?
Microsoft Sentinel is not free with E5 licensing, but certain data types are ingested at no additional cost. With Microsoft 365 E5, A5, or G5 licenses, Azure Active Directory sign-in and audit logs, Office 365 audit logs, Microsoft Defender alerts, and certain Microsoft 365 activity data are ingested without Sentinel ingestion charges. However, you still pay Sentinel analysis charges for all data, and any third-party or custom log sources are charged at full ingestion rates. For Microsoft-heavy environments, this free ingestion can reduce total Sentinel costs by 30-50%.
How does Sentinel compare to Splunk on cost?
For a 50 GB/day deployment, Microsoft Sentinel typically costs $57,000-$95,000 per year in licensing compared to Splunk at $108,000-$180,000. This 40-60% cost advantage is even larger for Microsoft-centric environments where free data ingestion reduces the effective volume. However, Sentinel lacks Splunk's search language flexibility (SPL vs KQL) and ecosystem depth (2,800+ Splunkbase apps). For pure security monitoring, Sentinel delivers excellent value; for advanced analytics and cross-platform observability, Splunk may justify its premium.
What are Basic Logs in Microsoft Sentinel?
Basic Logs is a lower-cost ingestion tier at $1.64 per GB for data that you need to retain for compliance but rarely search. Basic Logs data has a reduced 8-day interactive retention period and limited query capabilities (no scheduled alerts, limited KQL functions). Search queries against Basic Logs incur a separate charge of $0.013 per GB scanned. This tier is ideal for high-volume, low-value logs like verbose firewall traffic, NetFlow data, or debug-level application logs where you need the data available for incident investigation but do not run continuous analytics.
How can I reduce Microsoft Sentinel costs?
The most effective Sentinel cost reduction strategies are: commit to a tier if you consistently ingest 100+ GB/day (43%+ savings over PAYG), use Basic Logs for high-volume low-value data ($1.64/GB vs $5.20/GB), configure Data Collection Rules to filter and transform data before ingestion, leverage free Microsoft 365 data sources fully, use the archive tier for long-term retention at $0.02/GB/month, and regularly review workspace data volumes to identify and remove unused data connectors. Implementing all of these can reduce costs by 40-60% compared to unconfigured PAYG deployment.