Microsoft Sentinel is the one piece of the security stack that is not licensed per user — it is metered on the volume of log data ingested, around $2.46 per GB pay-as-you-go before commitment discounts. Two 2025 changes reshaped the math: eligible Microsoft 365 E5 security logs now ingest free, and auxiliary or data-lake logs price an order of magnitude lower. Here is how the tiers work and how to size them so the SOC stops paying analytics rates for logs that belong in a cheaper tier.
Sentinel is priced on data ingestion, not per user. The analytics tier — the searchable, alert-able log store — runs about $2.46 per GB ingested on pay-as-you-go, and commitment tiers from 100 GB/day cut the effective rate 15–65% in exchange for a daily volume pledge. Two things changed the picture in 2025: eligible Microsoft 365 E5 security logs now ingest into Sentinel free, and a low-cost auxiliary / data-lake tier prices verbose, low-query logs at roughly $0.10–0.15 per GB. The result is that two SOCs ingesting the same total volume can pay wildly different bills depending on how they tier their sources — which is the lever most teams never touch.
The core point: Sentinel cost is a data-engineering problem, not a licensing one. The savings come from excluding free E5 logs, routing verbose logs to the cheap tier, and only committing daily volume you reliably ingest.
This is a sub-guide in our Microsoft security licensing pillar. It pairs with the Intune and EMS and Purview licensing guides, sits under our Microsoft vendor practice, and connects to the wider consumption picture in our Azure FinOps guide.
Four ingestion tiers, four very different rates. The table is the 2026 reference; treat the figures as benchmark references, not quotes — Microsoft list moves and regional pricing varies. The decisive point is the spread between the analytics rate and the auxiliary rate, which is more than 15-fold.
| Tier | Pricing basis | ~Effective rate | Use for |
|---|---|---|---|
| Analytics — pay-as-you-go | Per GB ingested | ~$2.46/GB | High-value detection logs |
| Analytics — commitment | Per day, tiered | 15–65% lower | Predictable daily volume |
| Auxiliary / data lake | Per GB (low) | ~$0.10–0.15/GB | Verbose, rarely-queried logs |
| Eligible E5 security logs | Free benefit | $0 | M365 audit / security data |
The most common over-spend is ingesting everything into the analytics tier — firewall, proxy, DNS and verbose network logs that are queried once a quarter — at $2.46/GB when the auxiliary tier would hold them at a tenth of the cost. The detection and correlation value lives in a fraction of the total volume.
We tier-map your log sources and model the commitment break-even — most clients cut Sentinel ingestion cost 20–40% with no loss of detection.
As soon as your daily analytics ingestion is predictable above the tier floor. Commitment tiers pledge a fixed daily GB volume at a discounted rate; overage above the tier bills at the same discounted rate, so the only risk is committing higher than you ingest. The chart shows the effective per-GB rate falling as the commitment tier rises — the SOC that reliably ingests 200 GB/day should never be on pay-as-you-go.
| Daily ingestion | Best tier | vs PAYG saving |
|---|---|---|
| Under 100 GB/day | Pay-as-you-go | — |
| 100–500 GB/day | Commitment 100 GB | 15–25% |
| 500–5,000 GB/day | Commitment 500 GB+ | 30–50% |
| 5,000+ GB/day | Commitment 5,000 GB+ | 50–65% |
The Sentinel sizing checklist, the free-E5-log exclusions, and the commitment break-even model in one research paper.
Eligible Microsoft 365 E5 (and equivalent) security and audit logs ingest into Sentinel at no ingestion cost — this covers a defined set of Microsoft 365, Entra ID and Defender data. What is not free: third-party sources (firewalls, network appliances, SaaS apps), most Azure platform logs, and custom logs. The practical move is to map every connector against the free-eligible list before sizing the commitment, because counting free logs into your committed volume is paying for data Microsoft already gives away. Across our engagements, accounting for free E5 logs alone cuts the effective committed volume materially.
"The fastest Sentinel saving is not a discount — it is deleting the analytics-tier ingestion of logs that are either free under E5 or belong in the data lake."
Sentinel runs on a Log Analytics workspace, so its consumption sits inside the same Azure cost surface as the rest of your platform — and the same FinOps disciplines apply: retention settings, archive tiers, and basic-versus-analytics log classification all move the bill. Because Sentinel is consumption-metered, it should be governed alongside Azure consumption, not treated as a fixed security licence. The retention and archive levers, and how Sentinel folds into Azure commitment sizing, are covered in our Azure FinOps guide and the broader Microsoft cost optimization pillar.
Sentinel sizing lives inside the Azure commitment — the playbook has the spend-band benchmarks, the commitment-tier model, and the renewal-timing calendar.
Continuously, but with a hard checkpoint before any Azure commitment or EA renewal. Because Sentinel is metered, its cost drifts upward as the SOC onboards sources — so a quarterly tier-and-retention review keeps it honest, and a pre-renewal review ensures the committed volume reflects free-E5 exclusions and data-lake routing rather than raw ingestion. For a mature SOC the re-tiering typically recovers 20–40% of Sentinel spend with no reduction in detection coverage, because the cut comes from how data is stored, not whether it is collected. Sizing that committed volume against the rest of the Azure estate is exactly where our cloud contract advisory team adds leverage ahead of a commitment.
For the full picture, read the Microsoft security licensing pillar, then the Intune and EMS and Purview sub-guides, and see the Microsoft EA optimization case study for how security-stack right-sizing folds into a full renewal.
$1.8B+ in documented client savings across 340+ engagements. Buyer-side only since 2016. Gartner recognised.
Weekly compliance intelligence for IT leaders.