5.5 Cost Management and Optimization

90 minutes · Module 5

Cost Management and Optimization

By the end of this subsection, you will understand commitment tier pricing, be able to estimate ingestion costs, know which data sources are free, and have KQL queries for monitoring your own costs.

Sentinel cost management is a core operational skill. An unmonitored workspace can generate surprise bills that threaten the entire deployment. This subsection teaches you to predict, control, and monitor costs from day one.

Pricing model

Sentinel has two cost components:

1. Log Analytics ingestion — the cost of storing data in the workspace. This is the dominant cost. Priced per GB/day.

2. Sentinel analytics — the cost of running Sentinel features (rules, incidents, automation) on top of the workspace. Priced per GB/day of data analyzed.

Both components offer commitment tiers with volume discounts:

Daily volume	Pay-as-you-go	100 GB/day commitment	200 GB/day commitment
Log Analytics	~$2.76/GB	~$2.30/GB (17% savings)	~$2.07/GB (25% savings)
Sentinel analysis	~$2.76/GB	~$2.30/GB	~$2.07/GB
Combined	~$5.52/GB	~$4.60/GB	~$4.14/GB

Commitment tiers have a minimum — you pay for the commitment even if you ingest less

If you commit to 100 GB/day but only ingest 60 GB/day, you pay for 100 GB/day. Do not commit until you have 30+ days of actual ingestion data showing you consistently exceed the commitment threshold. Start on pay-as-you-go and switch after you have baseline data.

Free data sources

Several Microsoft data sources are included in Sentinel at no additional ingestion cost:

Azure Activity logs — Azure management plane events
Office 365 Audit logs (basic) — Exchange, SharePoint, Teams events via the Office 365 connector
Alerts from Microsoft products — SecurityAlert table data from Defender products
Microsoft Defender XDR incidents — SecurityIncident table data
Entra ID Identity Protection — risk events (with Entra ID P2)

M365 E5 Security data grant

Organizations with M365 E5 or E5 Security add-on licenses receive a free data grant for specific Microsoft 365 data types ingested into Sentinel. This covers a significant portion of the data from the M365 Defender connector. Check the Microsoft Sentinel pricing page for the current list of covered tables — it changes periodically.

Estimating daily ingestion

Before deploying, estimate what your workspace will cost. Use these rules of thumb:

Data source	Approximate daily volume (500-seat org)
M365 Defender connector (all tables)	5-15 GB/day
Entra ID sign-in + audit logs	1-3 GB/day
Firewall logs (Palo Alto, Fortinet)	5-50 GB/day (highly variable)
Windows Event Logs (servers)	1-5 GB/day per server
Azure Activity	0.1-0.5 GB/day
Syslog (Linux/network devices)	1-10 GB/day

Firewall logs are the cost wildcard

A busy Palo Alto firewall can generate 20-50 GB/day of traffic logs alone. Before connecting firewall data sources, use Data Collection Rules (DCRs) to filter the ingestion to security-relevant events only. Ingesting every permitted connection from a high-throughput firewall is the single most common cause of Sentinel cost overruns.

KQL for cost monitoring

Run these queries weekly to track your ingestion and catch anomalies:

Daily ingestion trend:

1
2
3
4
5
6
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize DailyGB = round(sum(Quantity) / 1024, 2)
    by bin(TimeGenerated, 1d)
| sort by TimeGenerated asc

Expected Output

TimeGenerated	DailyGB
2026-03-18	8.4
2026-03-19	8.7
2026-03-20	14.2
2026-03-21	8.5

What to look for: A consistent baseline (~8.5 GB/day) with a spike on March 20 (14.2 GB). Investigate the spike — it could be a new data connector someone enabled, a DDoS event generating firewall logs, or a bulk import. The query below breaks down the spike by data type to find the source.

Ingestion by data type — finding the source of spikes:

1
2
3
4
5
6
7
Usage
| where TimeGenerated > ago(7d)
| where IsBillable == true
| summarize DailyGB = round(sum(Quantity) / 1024, 2)
    by DataType, bin(TimeGenerated, 1d)
| where DailyGB > 1
| sort by TimeGenerated desc, DailyGB desc

Expected Output

DataType	TimeGenerated	DailyGB
CommonSecurityLog	2026-03-20	5.8
DeviceProcessEvents	2026-03-20	2.1
SigninLogs	2026-03-20	1.2

What to look for: CommonSecurityLog jumped to 5.8 GB on March 20 — this is firewall/CEF data. A firewall policy change or a DDoS event could generate this spike. Contact your network team to confirm, and consider a Data Collection Rule to filter verbose traffic logs at ingestion time.

Data Collection Rules (DCRs) for filtering

DCRs are transformation pipelines that process data before it reaches your workspace. They can filter rows, drop columns, and transform data — reducing both ingestion cost and storage.

Example: Your Palo Alto firewall sends every connection event. A DCR can filter to only ingest denied connections, IDS/IPS alerts, and URL filtering events — dropping the permitted traffic that accounts for 80% of the volume.

DCRs are configured per data source. Detailed DCR construction is covered in Module 6 (Data Connectors & Ingestion Strategy).

Check your understanding

1. Your workspace ingests 60 GB/day. Should you commit to the 100 GB/day tier?

Yes — the per-GB price is lower

Yes — you will grow into it

No — you would pay for 100 GB/day but only use 60 GB. At pay-as-you-go rates, 60 GB costs less than the 100 GB commitment. Wait until your ingestion consistently exceeds 85-90 GB/day before committing.

Commitment tiers save money only when your actual ingestion meets or exceeds the commitment. At 60 GB/day, pay-as-you-go costs 60 × $5.52 = $331/day. The 100 GB commitment costs 100 × $4.60 = $460/day. You would pay $129/day more for the "discount."

2. Firewall logs are generating 30 GB/day — more than all other sources combined. What is the first cost optimization step?

Deploy a Data Collection Rule to filter the firewall data at ingestion — keep only denied connections, IDS alerts, and URL filtering events. Drop permitted traffic, which accounts for the bulk of the volume.

Disconnect the firewall

Move firewall logs to Basic tier

DCRs reduce volume before data reaches the workspace — you never pay for the filtered data. Moving to Basic tier still ingests all 30 GB (just at a lower per-GB rate). Disconnecting loses visibility. DCR filtering is the right first step, followed by Basic tier for the remaining volume if you do not build detection rules against it.

← 5.4 Log Types: Analytics vs Basic vs Archive 5.6 Enabling the M365 Defender Connector →