
Welcome to the Azure Sentinel webinar

We will start 2-3 minutes after the scheduled time to accommodate those still connecting.

Questions? Feel free to type them in the instant message window at any time. Note that any questions you
post will be public. You have the option to post questions anonymously. After the webinar, you can ask
questions at https://aka.ms/AzureSentinelCommunity.

This webinar is being recorded. We’ll post the recordings to our community forums at
https://aka.ms/SecurityWebinars.
Teams Live Event currently doesn’t support audio capability for the audience. Closed captions are available
during the webinar and with the recordings.

Please give us your feedback on this webinar at https://aka.ms/SecurityCommunityWebinarFeedback.

Join our Community: https://aka.ms/SecurityCommunity


Agenda

1. Introduction to pricing
2. Offers and benefits
3. Pricing scenario examples
4. Cost management resources
5. Tips and recommendations

Introduction to pricing
Azure Sentinel pricing model - Based on volume of data ingested

Cost Effective
▪ No infrastructure and maintenance costs.

Server based SIEM costs
▪ SOC operations
▪ SOAR, TI
▪ SIEM solution licensing
▪ OS & Virtualization Platform Licensing
▪ Infrastructure Engineering
▪ Cost of physical infrastructure for servers, storage, network, backups, availability, patch management

Azure Sentinel pricing model - Based on volume of data ingested

Cost Effective
▪ No infrastructure and maintenance costs.
▪ Free ingestion of Office 365 audit logs and Azure Activity logs.
▪ Pay as you go for data ingested.

Predictable Billing
▪ Commitment Tiers
▪ Save up to 65% on Azure Sentinel ingestion compared to Pay As You Go

Flexible Commitment
▪ Upgrade to new Commitment Tier anytime
▪ Downgrade after first 31 days
▪ No annual commitment or inflexible contracts

Billable services
▪ Log Analytics
▪ Azure Sentinel
▪ Retention
▪ UEBA
▪ Notebooks
▪ Automation - Logic Apps
▪ Azure Functions

Azure Sentinel pricing model - Based on volume of data ingested

Cost Effective
▪ No infrastructure and maintenance costs.
▪ Free ingestion of Office 365 audit logs and Azure Activity logs.
▪ Pay as you go for data ingested.

Predictable Billing
▪ Commitment Tiers
▪ Save up to 65% on Azure Sentinel ingestion compared to Pay As You Go

Flexible Commitment
▪ Upgrade to new Commitment Tier anytime
▪ Downgrade every 31 days - no annual commitment or inflexible contracts

Key billable components
▪ Log Analytics (Azure Monitor)
▪ Azure Sentinel
▪ Retention
▪ UEBA
▪ Notebooks
▪ Automation - Logic Apps
▪ Azure Functions

Non-billable and billable data sources

Free to ingest:
▪ Azure Activity logs
▪ Office 365 Audit logs (Exchange Online, SharePoint Online and Teams activity)

Billable:
▪ Microsoft Defender for Endpoint raw logs
▪ Microsoft Cloud App Security raw logs
▪ Azure AD sign in and audit logs
▪ Azure Information Protection (AIP) logs

Azure Sentinel costs and billing | Microsoft Docs

User Entity Behavior Analytics

Approximately 10% of the cost of logs selected for UEBA


Azure Sentinel Notebooks

• Require
Automation costs
Offers and benefits
Azure Defender for servers allowance
Qualifying tables
SecurityAlert
SecurityBaseline
SecurityBaselineSummary
SecurityDetection
SecurityEvent
WindowsFirewall
MaliciousIPCommunication
SysmonEvent
ProtectionStatus
Update*
UpdateSummary*
* when the Update Management solution is not running on the workspace or solution targeting is enabled

Azure Sentinel benefit for Microsoft 365 E5 customers

• A standard 3,500-seat M365 E5 deployment can see estimated savings of up to $1,500 per month
• Valid until November 1st 2021

Data Connector | Table names
AAD (audit and sign-in logs) | SigninLogs, AuditLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs, AADProvisioningLogs
MCAS (Shadow IT Discovery logs) | McasShadowItReporting
AIP (Logs) | InformationProtectionLogs_CL
M365 Advanced Hunting Data (MDE Logs) | DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents

Azure Sentinel benefit for Microsoft 365 E5 customers - Qualifying sources
Scenario examples
Cost estimation resources
Pricing example 1 – New customer
A customer plans to use Azure Sentinel and expects to ingest 100 GB/day and retain the data for 12 months in Log Analytics. (Estimate based on East US Azure region)

Pay-As-You-Go

Ingestion cost
Azure Sentinel* Price/GB: $2
Log Analytics* Price/GB: $2.3
100 GB/day X ($2/GB + $2.3/GB) = $430/day

Retention cost
100 GB/day X ($0.1) X 30 = $300 x 12 = $3,600
Less 90 days free -> $2,737

Total per month -> $15,637

Commitment Tiers

Commitment Tier | Azure Sentinel Price/day* | Savings vs PAYG | Log Analytics Price/day* | Savings vs PAYG
100 GB/day | $100 | 50% | $196 | 15%
200 GB/day | $180 | 55% | $368 | 20%
300 GB/day | $260 | 57% | $540 | 22%
400 GB/day | $333 | 58% | $704 | 23%
500 GB/day | $400 | 60% | $865 | 25%
1000 GB/day | $780 | 61% | $1700 | 26%
2000 GB/day | $1480 | 63% | $3320 | 28%
5000 GB/day | $3500 | 65% | $8050 | 30%

Azure Sentinel - 100 GB/day @ $100/day
Log Analytics – 100 GB/day @ $196/day
$100/day + $196/day = $296/day
Per month -> $11,617
Approximately 25% cheaper over PAYG ✓

Pricing example 1 – New customer - Azure Sentinel pricing calculator
A customer plans to use Azure Sentinel and expects to ingest 100 GB/day and retain the data in Log Analytics for 12 months. (Estimate based
on East US Azure region)
Pricing example 2 – Existing customer
Scenario cost calculation
Commitment Tier | Azure Sentinel Price/day* | Savings vs PAYG | Log Analytics Price/day* | Savings vs PAYG
100 GB/day | $100 | 50% | $196 | 15%
200 GB/day | $180 | 55% | $368 | 20%
300 GB/day | $260 | 57% | $540 | 22%
400 GB/day | $333 | 58% | $704 | 23%
500 GB/day | $400 | 60% | $865 | 25%
1000 GB/day | $780 | 61% | $1700 | 26%
2000 GB/day | $1480 | 63% | $3320 | 28%
5000 GB/day | $3500 | 65% | $8050 | 30%

No | Billable items | Data/d | Unit Cost | Days | Total

Ingestion
1 | Azure Sentinel ingestion (1TB/d tier) | 1 | $780.00 | 30 | $23,400.00
2 | Log Analytics Ingestion (1TB/d tier) | 1 | $1,700.00 | 30 | $51,000.00
3 | Azure Sentinel Ingestion-Overage (200GB/d) | 200 | $156.00 | 30 | $4,680.00
4 | LogAnalytics Ingestion-Overage (200GB/d) | 200 | $340.00 | 30 | $10,200.00
5 | UEBA | | | |
  | SecurityEvents (100 GB/d) | 10 | $23.00 | 30 | $690.00
  | AzureActivity (20 GB/d) | 2 | $4.60 | 30 | $138.00
6 | Retention (GBs) | 36,500 | $0.10 | 1 | $2,666.00
7 | Automation ~ 100 incidents/d, 6 playbooks/incident, 20 actions per playbook | 1 | $1.74 | 30 | $52.20

Benefits and allowances
1 | Microsoft 365 E5 benefit for 25,000 users | 2,500 | $2.00 | 1 | -$5,000.00
2 | 90-day free retention (GBs) | 36,000 | $0.10 | 3 | -$10,800.00
3 | Log Analytics data allowance for Azure Defender for 1,000 nodes | | | 1 | -$10,970.00
4 | Free units per month (GB) | 5 | -2.3 | 1 | -11.5

MONTHLY ESTIMATE $66,044.70

Automation estimate = (Incidents/month) * (playbooks/incident) * (actions/playbook) * (cost/action)

Incidents/day: 100
Playbooks/incident: 6
Actions/playbook: 20
Cost/action: $0.00015

Estimated monthly cost = (100*30) * 6 * 20 * $0.00015 = $54
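
The tier table and the overage rows in the estimate above can be turned into a small calculator that finds the cheapest daily ingestion option for a given volume. This is an added example, not part of the webinar material: the prices are the East US figures quoted on the slides, and it assumes that Azure Sentinel and Log Analytics share the same tier and that overage is billed at the tier's effective per-GB rate, as the 1 TB/d rows imply.

```python
# Added example: prices are the East US figures quoted on the slides above.
PAYG_PER_GB = 2.0 + 2.3  # Azure Sentinel + Log Analytics, $/GB

# tier size (GB/day) -> (Azure Sentinel $/day, Log Analytics $/day)
TIERS = {
    100: (100, 196), 200: (180, 368), 300: (260, 540), 400: (333, 704),
    500: (400, 865), 1000: (780, 1700), 2000: (1480, 3320), 5000: (3500, 8050),
}


def daily_cost(gb_per_day, tier=None):
    """Daily ingestion cost in dollars; tier=None means Pay-As-You-Go."""
    if tier is None:
        return round(gb_per_day * PAYG_PER_GB, 2)
    fixed = sum(TIERS[tier])
    # Assumption: overage above the commitment is billed at the tier's
    # effective $/GB, as in the 1 TB/d rows (200 GB at $780/1000 GB = $156).
    overage_gb = max(0.0, gb_per_day - tier)
    return round(fixed + overage_gb * fixed / tier, 2)


def cheapest_option(gb_per_day):
    """Return (tier, daily cost) for the cheapest option; tier None is PAYG."""
    options = {None: daily_cost(gb_per_day)}
    for tier in TIERS:
        options[tier] = daily_cost(gb_per_day, tier)
    best = min(options, key=options.get)
    return best, options[best]


if __name__ == "__main__":
    # Constructed sample volumes, including ones just below a tier boundary.
    for volume in (50, 80, 100, 190, 1200):
        tier, cost = cheapest_option(volume)
        label = "PAYG" if tier is None else f"{tier} GB/day tier"
        print(f"{volume:>5} GB/day -> {label}: ${cost:,.2f}/day")
```

At 80 GB/day the 100 GB/day tier is already cheaper than Pay-As-You-Go, and at 190 GB/day the 200 GB/day tier beats the 100 GB/day tier plus overage.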


Query to establish eligible data types and
quantity for Azure Defender allowance
Establish total size of eligible data
Sample invoice
Tips and recommendations
daily cap
security event filtering
$89K/month
~$33K/month
Long-term options summary

up to 75% savings on retention costs

• Important!

Documentation webinar
bandwidth costs
Cost management resources
▪ Documentation:
  ▪ Azure Sentinel costs and billing
  ▪ Manage usage and costs with Azure Monitor Logs
  ▪ Azure Sentinel E5 benefit
  ▪ Azure Defender 500MB allowance
  ▪ Azure Sentinel Commitment Tiers

▪ Playbook:
  ▪ Ingestion Cost Alert Playbook
  ▪ Ingestion Anomaly Alert Playbook (new – in GitHub)

▪ Workbook:
  ▪ Workspace Usage Report (built-in)
  ▪ Azure Sentinel Cost Summary (new – in GitHub)

Thank You
Thank You for Joining Us!

Recordings will be posted to our community forums at https://aka.ms/SecurityWebinars.


You can ask additional questions at https://aka.ms/AzureSentinelCommunity.

Please give us your feedback on this webinar at https://aka.ms/SecurityCommunityWebinarFeedback.

Join our Community: https://aka.ms/SecurityCommunity

For any questions or comments on our documentation (https://docs.microsoft.com) contact directly at MSsecuritydocs@microsoft.com
