We will start 2-3 minutes after the scheduled time to accommodate those still connecting.
Questions? Feel free to type them in the instant message window at any time. Note that any questions you
post will be public. You have the option to post questions anonymously. After the webinar, you can ask
questions at https://aka.ms/AzureSentinelCommunity.
This webinar is being recorded. We’ll post the recordings to our community forums at
https://aka.ms/SecurityWebinars.
Teams Live Event currently doesn’t support audio capability for the audience. Closed captions are available
during the webinar and with the recordings.
Introduction to pricing
Azure Sentinel pricing model - Based on volume of data ingested
Server-based SIEM costs:
▪ SOC operations
▪ SOAR, TI
▪ SIEM solution licensing
▪ Infrastructure engineering: cost of physical infrastructure for servers, storage, network, backups, availability, patch management
Cost effective:
▪ No infrastructure and maintenance costs.
▪ Free ingestion of Office 365 audit logs and Azure Activity logs.
Key billable components:
▪ Log Analytics (Azure Monitor)
▪ Azure Sentinel
▪ Retention
▪ UEBA
▪ Notebooks
▪ Automation - Azure Functions, Logic Apps
Non-billable and billable data sources
Free to ingest:
▪ Azure Activity logs
▪ Office 365 Audit logs (Exchange Online, SharePoint Online and Teams activity)
Billable:
▪ Microsoft Defender for Endpoint raw logs
▪ Microsoft Cloud App Security raw logs
▪ Azure AD sign in and audit logs
▪ Azure Information Protection (AIP) logs
Azure Sentinel costs and billing | Microsoft Docs
User Entity Behavior Analytics
• Require
Automation costs
Offers and benefits
Azure Defender for servers allowance
Qualifying tables
SecurityAlert
SecurityBaseline
SecurityBaselineSummary
SecurityDetection
SecurityEvent
WindowsFirewall
MaliciousIPCommunication
SysmonEvent
ProtectionStatus
Update*
UpdateSummary*
* when the Update Management solution is not running on the workspace or solution targeting is enabled
Azure Sentinel benefit for Microsoft 365 E5 customers
Data Connector: Table names
AAD (audit and sign-in logs): SigninLogs, AuditLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs, AADProvisioningLogs
MCAS (Shadow IT Discovery logs): McasShadowItReporting
AIP (Logs): InformationProtectionLogs_CL
M365 Advanced Hunting Data (MDE Logs): DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents
• A standard 3,500 seat of M365 E5 deployment can see estimated savings of up to $1,500 per month
• Valid until November 1st 2021
Azure Sentinel benefit for Microsoft 365 E5 customers-Qualifying sources
Scenario examples
Cost estimation resources
Pricing example 1 – New customer
A customer plans to use Azure Sentinel and expects to ingest 100 GB/day and retain the data for 12 months in Log Analytics. (Estimate based
on East US Azure region)
100 GB/day X ($0.1) X 30 = $300 x 12 = $3,600
Less 90 days free -> $2,737
Total per month -> $15,637
Azure Sentinel - 100 GB/day @ $100/day
Log Analytics – 100 GB/day @ $196/day
$100/day + $196/day = $296/day
Per month -> $11,617
Approximately 25% cheaper over PAYG ✓
Pricing example 1 – New customer-Azure Sentinel pricing calculator
Pricing example 2 – Existing customer
Scenario cost calculation
Commitment Tier   Azure Sentinel                  Log Analytics
                  Price/day*   Savings vs PAYG    Price/day*   Savings vs PAYG
100 GB/day        $100         50%                $196         15%
200 GB/day        $180         55%                $368         20%
300 GB/day        $260         57%                $540         22%
400 GB/day        $333         58%                $704         23%
500 GB/day        $400         60%                $865         25%
1000 GB/day       $780         61%                $1700        26%
2000 GB/day       $1480        63%                $3320        28%
5000 GB/day       $3500        65%                $8050        30%
Slide callout: ÷ 1000 GB/day
No   Billable items                                                                      Data/d   Unit Cost   Days   Total
     Ingestion
1    Azure Sentinel ingestion (1TB/d tier)                                               1        $780.00     30     $23,400.00
2    Log Analytics ingestion (1TB/d tier)                                                1        $1,700.00   30     $51,000.00
3    Azure Sentinel ingestion - overage (200GB/d)                                        200      $156.00     30     $4,680.00
4    Log Analytics ingestion - overage (200GB/d)                                         200      $340.00     30     $10,200.00
5    UEBA
     SecurityEvents (100 GB/d)                                                           10       $23.00      30     $690.00
     AzureActivity (20 GB/d)                                                             2        $4.60       30     $138.00
6    Retention (GBs)                                                                     36,500   $0.10       1      $2,666.00
7    Automation ~ 100 incidents/d, 6 playbooks/incident, 20 actions per playbook         1        $1.74       30     $52.20
3    Log Analytics data allowance for Azure Defender for 1,000 nodes                     1                           -$10,970.00
4    Free units per month (GB)                                                           5        -2.3        1      -11.5
MONTHLY ESTIMATE $66,044.70
Automation estimate = (Incidents/month) * (playbooks/incident) * (actions/playbook) * (cost/action)
Values shown: 100 incidents, 6 playbooks/incident, 20 actions/playbook, $0.00015 cost/action
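Added example, not part of the original slides: ingestion rows 1-4 of the estimate above (1,200 GB/day against the 1TB/d tier) reproduced from the commitment tier table, plus the ingestion level at which the next tier becomes cheaper. It assumes overage is billed at the tier's effective per-GB rate, as rows 3 and 4 do, and that a tier's full price is owed even when ingestion falls below it; pay-as-you-go is not modelled and the function names are illustrative.

```python
# Commitment tier prices per day (USD), copied from the table on this page.
TIERS_GB = [100, 200, 300, 400, 500, 1000, 2000, 5000]
SENTINEL = dict(zip(TIERS_GB, [100, 180, 260, 333, 400, 780, 1480, 3500]))
LOG_ANALYTICS = dict(zip(TIERS_GB, [196, 368, 540, 704, 865, 1700, 3320, 8050]))


def daily_cost(prices, tier_gb, ingest_gb):
    """Tier price plus overage at the tier's effective per-GB rate (assumption)."""
    price = prices[tier_gb]
    overage_gb = max(0, ingest_gb - tier_gb)
    return price + overage_gb * price / tier_gb


def best_tier(prices, ingest_gb):
    """Return (tier_gb, cost_per_day) for the cheapest commitment tier."""
    return min(((t, daily_cost(prices, t, ingest_gb)) for t in prices),
               key=lambda pair: pair[1])


def break_even_gb(prices, tier_gb, next_tier_gb):
    """Daily ingestion at which next_tier_gb costs the same as tier_gb plus
    overage: price_lo * g / tier_lo == price_hi, solved for g."""
    return prices[next_tier_gb] * tier_gb / prices[tier_gb]


def monthly_ingestion(ingest_gb, days=30):
    """Combined Azure Sentinel + Log Analytics ingestion cost for one month."""
    s_tier, s_cost = best_tier(SENTINEL, ingest_gb)
    l_tier, l_cost = best_tier(LOG_ANALYTICS, ingest_gb)
    return {"sentinel_tier": s_tier, "log_analytics_tier": l_tier,
            "monthly_total": round((s_cost + l_cost) * days, 2)}


if __name__ == "__main__":
    # 1,200 GB/day: the 1000 GB/day tier plus 200 GB/day overage is cheapest.
    print(monthly_ingestion(1200))
    # Above this ingestion the 2000 GB/day Sentinel tier is the better buy.
    print(round(break_even_gb(SENTINEL, 1000, 2000)))
```

The monthly total equals the sum of rows 1-4 only; UEBA, retention, automation and the allowances are separate line items.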
• Important!
Documentation webinar
bandwidth costs
Cost management resources
Documentation:
Azure Sentinel costs and billing
Manage usage and costs with Azure Monitor Logs
Azure Sentinel E5 benefit
Azure Defender 500MB allowance
Azure Sentinel Commitment Tiers
Playbook:
Ingestion Cost Alert Playbook
Ingestion Anomaly Alert Playbook (new – in GitHub)
Workbook:
Workspace Usage Report (built-in)
Azure Sentinel Cost Summary (new – in GitHub)
Thank You
Thank You for Joining Us!