Microsoft Sentinel – how to save money

Last updated on 30. November 2022

I have already written some posts on how to implement Microsoft Sentinel and connect data sources to it. The other side of the coin is that you pay per gigabyte (GB) ingested. You might think that many data sources are free to use, but this is only true in some cases and also depends on your licensing. In this post I show how the prices are calculated and how you can save money.

General

As already mentioned, part of the billing depends on your licensing. I start by showing how the costs are calculated.

Pricing is based on ingestion into the Log Analytics workspace and into Microsoft Sentinel. At the time of writing (20. November 2022) the price for Analytics Logs (Basic Logs are out of scope for this post) is $2.30 per GB for Log Analytics and $2.00 per GB for Microsoft Sentinel. Furthermore, the data retention of the Log Analytics workspace can be set to 90 days at no additional cost. If you want to keep the data longer than 90 days, you pay $0.10 per GB per month.

To set the retention to 90 days, navigate from Microsoft Sentinel to Settings and click on Workspace settings:

Navigate to Workspace settings

From there go to Usage and estimated costs, then click on Data Retention, adjust the slider to 90 days and click OK:

Set retention for Microsoft Sentinel to 90 days

Done. Now let us do a short calculation, taking only billable data into account and assuming a data volume of 78GB per day:

                         Cost                 Cost for 78GB for 30 days   Calculation
Log Analytics ingestion  $2.30 per GB         $5382                       78GB * 30 days * $2.30
Sentinel ingestion       $2.00 per GB         $4680                       78GB * 30 days * $2.00
Retention 4 months       $0.10 per GB/month   $234                        78GB * 30 days * $0.10
Sum                                           $10296                      $5382 + $4680 + $234

Calculation of Sentinel cost

As you can see, I just took the official pricing into account. The first step to save money is to check whether we can move to a commitment tier in Microsoft Sentinel. To validate this, we check the official Microsoft Sentinel pricing page. The table shows that at the commitment tier for 100GB we pay $130 per day, which is $3900 per 30 days. In our example above we could save $780 per month with this offer.
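The calculation above and the commitment-tier comparison, written out as an added example (this is not code from the original post): it uses the pay-as-you-go prices quoted for 20. November 2022, and the tier table is an assumption limited to the single 100GB/day tier the post names.

```python
# Added example, not from the original post: a model of the pricing quoted above
# (pay-as-you-go prices of 20 November 2022 and the one commitment tier the post
# names). The tier table is an assumption limited to that single 100GB/day tier.
LOG_ANALYTICS_PER_GB = 2.30    # $ per GB ingested into Log Analytics
SENTINEL_PER_GB = 2.00         # $ per GB ingested into Microsoft Sentinel
RETENTION_PER_GB_MONTH = 0.10  # $ per GB per month beyond the free 90 days
FREE_RETENTION_DAYS = 90
DAYS_PER_MONTH = 30
# Sentinel commitment tiers as {committed GB per day: fixed $ per day}
SENTINEL_COMMITMENT_TIERS = {100: 130.0}


def monthly_costs(daily_gb: float, retention_days: int = 90) -> dict:
    """Pay-as-you-go cost breakdown for one 30-day month at daily_gb billable GB/day."""
    monthly_gb = daily_gb * DAYS_PER_MONTH
    # Each month's data kept past the free 90 days costs $0.10 per GB per extra month.
    extra_months = max(0, retention_days - FREE_RETENTION_DAYS) / DAYS_PER_MONTH
    costs = {
        "log_analytics": monthly_gb * LOG_ANALYTICS_PER_GB,
        "sentinel": monthly_gb * SENTINEL_PER_GB,
        "retention": monthly_gb * RETENTION_PER_GB_MONTH * extra_months,
    }
    costs["total"] = sum(costs.values())
    return {name: round(value, 2) for name, value in costs.items()}


def best_sentinel_tier(daily_gb: float) -> tuple:
    """Cheapest option for the Sentinel ingestion part: (tier_gb or None, monthly saving).

    A commitment tier is a fixed daily charge, billed even on days below the committed
    volume, so a tier is only chosen when it is really cheaper than pay-as-you-go.
    """
    payg_month = daily_gb * DAYS_PER_MONTH * SENTINEL_PER_GB
    best = (None, 0.0)
    for tier_gb, per_day in SENTINEL_COMMITMENT_TIERS.items():
        saving = payg_month - per_day * DAYS_PER_MONTH
        if saving > best[1]:
            best = (tier_gb, round(saving, 2))
    return best


if __name__ == "__main__":
    # The post's scenario: 78GB/day, retained 4 months (one month past the free 90 days)
    print(monthly_costs(78, retention_days=120))   # total 10296.0
    print(best_sentinel_tier(78))                 # (100, 780.0)
```

Feeding in the real daily volume from the Usage table (see the KQL section) instead of the constant 78 gives the same comparison for your own workspace.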

To activate the commitment tier, navigate inside Microsoft Sentinel to Settings, expand the 100GB/day blade and click on Apply:

Apply commitment tier Microsoft Sentinel

Another approach is to clearly define which data is needed in Microsoft Sentinel and which is not. Operational data is often not required in Sentinel and is kept only for logging or auditing purposes. The cost of this data can be saved if it is logged to a separate Log Analytics workspace.


Licensing features

We looked at the pricing model and how we could save money by switching to a specific commitment tier. Now we check which enhancements higher licenses bring.

The following licenses benefit from broader cost-free support and data ingestion:

  • Microsoft 365 E5, A5, F5, G5
  • Microsoft 365 E5, A5, F5, G5 Security

Included with these licenses is data ingestion of 5MB per user per day from Microsoft 365 for the following data sources:

  • Azure Active Directory (Azure AD) sign-in and audit logs
  • Microsoft Cloud App Security shadow IT discovery logs
  • Microsoft Information Protection logs
  • Microsoft 365 advanced hunting data

If you have the license for your users, you benefit from this for the data ingestion that occurs when you connect the above-mentioned sources. For more information check the Microsoft Sentinel benefit offer.

The next benefit you gain through licensing is Defender for Servers P2.

Imagine you want to protect your server workloads and integrate them with Microsoft Defender for Endpoint, and for the complete view you collect data with the Azure Monitor Agent. If you use the Defender for Servers P2 license, you can ingest up to 500MB of Log Analytics data per day for free. For more information on Defender for Servers take a look at the Microsoft article Overview of Microsoft Defender for Servers.


Syslog

In the syslog scope it is important to know which Linux server or appliance writes crucial data to which facility and at which log severity.

To understand what we are talking about, let us look at which degrees of log severity exist:

Name      Description
debug     unimportant messages, only for debugging
info      informative, no importance
notice    informative messages that have greater meaning than info severity
warning   warnings and non-critical errors
err       errors that cause minor disturbances
crit      critical errors that can lead to partial failures
alert     serious errors indicating significant malfunctions and failures
emerg     very severe errors that can indicate total system failure and severe kernel errors

Overview of Syslog Log Severity

As you can see above, I would recommend starting with the notice level for logging into Microsoft Sentinel. But this is just a general recommendation. If you have use cases that require you to log debug, you should do so, but not for every system/appliance. Furthermore, keep an eye on your cost workbook.

The log facility has to be defined in every case, because it depends on the application which facility the data is written to. Following RFC 5424 (source: RFC 5424) the following facilities exist:

Syslog facility overview

For example, Apache uses local0 as facility and FTP uses the FTP daemon facility. Start with more facilities and/or a lower degree of severity, then inspect the data carefully and adjust it to your needs.
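To make the facility and severity selection concrete, here is an added example (not code from the original post) that decodes the RFC 5424 PRI header of each message and applies the "notice and above" default recommended above, with optional per-facility overrides; the policy and the sample messages are constructed for illustration.

```python
# Added example, not from the original post: decide per message whether a syslog line is
# worth forwarding to Sentinel, based on the RFC 5424 PRI header (PRI = facility * 8 +
# severity) and a policy of "notice and above" with per-facility overrides. The policy
# and the sample messages below are constructed for illustration.
import re

# RFC 5424 numbering: index 0 is the most severe level, index 7 the least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> tuple:
    """Return (facility, severity) names from the <PRI> header of a syslog line."""
    match = PRI_RE.match(line)
    if not match or int(match.group(1)) > 191:   # 23 * 8 + 7 is the highest valid PRI
        raise ValueError("no valid RFC 5424 PRI header: %r" % line[:16])
    pri = int(match.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def should_forward(line: str, policy: dict, default_min: str = "notice") -> bool:
    """True when the message is at least as severe as the minimum set for its facility."""
    facility, severity = parse_pri(line)
    minimum = policy.get(facility, default_min)
    return SEVERITIES.index(severity) <= SEVERITIES.index(minimum)


# Constructed sample messages (not real logs); Apache-style local0 as mentioned above.
SAMPLES = [
    "<34>1 2022-11-20T10:00:00Z host1 sshd - - - auth.crit: example",        # 4*8+2
    "<135>1 2022-11-20T10:00:01Z host1 httpd - - - local0.debug: example",   # 16*8+7
    "<133>1 2022-11-20T10:00:02Z host1 httpd - - - local0.notice: example",  # 16*8+5
    "<30>1 2022-11-20T10:00:03Z host1 cron - - - daemon.info: example",      # 3*8+6
]
POLICY = {"auth": "info"}  # keep authentication events verbose, everything else notice+


def forwarded(lines=SAMPLES, policy=POLICY) -> list:
    """The subset of lines that would be sent to Sentinel under the policy."""
    return [line for line in lines if should_forward(line, policy)]


if __name__ == "__main__":
    for line in forwarded():
        print(line)
```

Running the filter over a day's worth of real messages before changing the collector configuration shows how much volume each facility/severity choice actually removes.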


Microsoft 365 Defender

Once the connection with Microsoft 365 Defender is done, you might ask yourself whether you can activate the events from the different Microsoft Defender products. You can, but costs will be generated for all connected devices. Keep in mind that only the alerts are generated for free; the advanced hunting logs will cost you money. If you have a large environment, it is a clever idea to activate this as soon as possible to see the costs during your free trial. To check which data types you have to pay for, I put some KQL queries in the KQL part.

Check whether Microsoft 365 Defender is activated:

Check that connector is enabled

Overview of the possible events that can be activated:

Microsoft 365 Defender events

Microsoft Defender for Endpoint:

Microsoft Defender for Endpoint events

Microsoft Defender for Office 365:

Microsoft Defender for Office 365 events

Microsoft Defender for Cloud Apps:

Microsoft Defender for Cloud Apps events

Microsoft Defender for Identity:

Microsoft Defender for Identity events

Microsoft Defender Alert Evidence:

Microsoft Defender Alert Evidence events

KQL

Here are some KQL queries you might find useful.

Check which data types are billable:

Usage
| distinct DataType, IsBillable
| sort by DataType asc

Column chart of the billable data per data type for the last 31 days (source: Microsoft, Manage and monitor costs for Microsoft Sentinel):

Usage
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType
| render columnchart

Conclusion

As you can see there are some ways to reduce the costs, but the most impactful factor is you. Only when you understand the full environment and keep optimizing can you keep the costs low. I will regularly update the KQL queries on my GitHub.

If you have any M365- or Azure-related topics you would like to read about, contact or connect with me on LinkedIn, Twitter and Mastodon! See you 😉

Published in: Azure, Defender, Hybrid Cloud, Security, Sentinel

2 Comments

  1. Daniel Reinartz

    Hello Andreas,

    and thank you for posting your knowledge. Do you think keeping the data for 90 days is enough?

    Kind regards

    Daniel

    • Hi Daniel,

      thanks for your question. In most cases 90 days are sufficient, but to keep the cost in mind if you extend the retention, I put the 4-month cost in the cost table. It would be cheaper to use archives for the logs if you don't need to make active queries on them. Otherwise, restoring this data would get more expensive than just storing it in the Analytics Logs.

      Best regards
      Andreas
