How Sentinel Is Priced
Microsoft Sentinel is billed primarily on data ingestion into the analytics tier. Pay-as-you-go runs at roughly $4.30 per GB ingested, varying by region. That per-GB figure looks small until you multiply it by the volume a real enterprise SIEM consumes: a mid-size estate ingesting 100 GB a day is moving 3 TB a month, and at pay-as-you-go that is a five-figure monthly bill before any commitment discount. This is the defining trait of the consumption layer in the wider advanced Microsoft estate — a per-seat licence is predictable, an ingestion meter is not, and Sentinel is the purest example.
Because the cost is driven by volume, the entire economics of Sentinel come down to two questions: how much data you ingest, and at what tier rate. Both are controllable — but only if they are managed deliberately rather than left to default.
Commitment Tiers and the 50 GB Option
Microsoft's primary discount mechanism is the commitment tier: you reserve a daily ingestion volume in advance and pay a lower effective rate. Tiers run from 100 GB/day up to 50,000 GB/day, with savings of up to 52% versus pay-as-you-go — the 100 GB/day tier lands around $296 per day. Any ingestion above the committed volume is billed at the same discounted tier rate rather than reverting to full pay-as-you-go, so a well-sized commitment caps the downside as well as the run rate.
In October 2025 Microsoft added a 50 GB/day commitment tier, closing the gap for mid-size estates that ingest steadily between 50 and 100 GB a day but were previously forced onto full pay-as-you-go. Sign up between 1 October 2025 and 30 June 2026 and the promotional price holds until 31 March 2027 — a genuine window worth acting on.
The commitment-tier decision is the same predictable-versus-variable trade-off that governs every consumption meter in the estate, from Azure OpenAI provisioned throughput to Windows 365 capacity. Reserve to your steady-state floor, and let overage ride the discounted tier rate rather than the headline price.
| Pricing model | Effective rate | Best for |
|---|---|---|
| Pay-as-you-go | ~$4.30/GB | Low or unpredictable volume |
| 50 GB/day commitment | Discounted (promo to Mar 2027) | Steady 50–100 GB/day estates |
| 100 GB/day commitment | ~$296/day (−~30%+) | Mid-size SOCs |
| 1,000+ GB/day commitment | Up to −52% | Large enterprise SOCs |
Why Sentinel Costs Run Away
Sentinel bills overruns silently because nobody sees a per-seat line jump — the meter just climbs. The classic causes are ingesting verbose, low-value logs (raw firewall, proxy or DNS noise) straight into the premium analytics tier; duplicating data already captured by another connector; and leaving everything in the analytics tier when cheaper basic or auxiliary logs and the Sentinel data lake would serve. Hybrid estates make this worse: extending Sentinel across Azure Arc-managed servers multiplies the log sources, and each one is a new ingestion stream on the meter.
Identity telemetry is a frequent culprit too — high-volume sign-in and audit logs from the Entra ID estate can dominate ingestion if every event is routed to analytics rather than filtered to what detection rules actually query. The fix is not to stop collecting; it is to route each stream to the right tier.
Cutting Sentinel Ingestion Cost
The levers are all about volume and tiering. Filter at source with data-collection rules to drop noise before it is billed. Route high-volume, low-query data — the logs you keep for compliance but rarely search — to the basic or auxiliary logs tier and the Sentinel data lake, which cost a fraction of the analytics tier. Size a commitment tier to your steady-state ingestion to capture up to 52% off the remaining analytics volume. Together, ingestion filtering and tier routing typically cut Sentinel spend by a third or more without losing detection coverage — the same consumption-governance discipline that keeps Azure DevOps parallel jobs and Artifacts in check elsewhere in the estate.
Crucially, none of these levers trades away security. Filtering removes noise, not signal; tier routing keeps the data, just at the right price. A Sentinel deployment that is both well-filtered and well-tiered is usually a better SOC as well as a cheaper one.
Sizing the Commitment Well
Sentinel belongs in the Azure consumption conversation, where committed ingestion can be folded into the broader Azure commitment (MACC) that anchors a Microsoft negotiation. Size the commitment tier to your measured steady-state floor — never to peak, and never to an optimistic projection — and revisit it as data sources change. Before committing, run an ingestion audit to establish the real baseline and identify the noise that should never reach the analytics tier. That benchmark-led approach is set out in the Microsoft Enterprise Agreement Guide and supported by the data in the Microsoft vendor intelligence hub.
To pressure-test your Sentinel ingestion and commitment sizing against current benchmarks, request a confidential briefing — runaway SIEM ingestion is one of the largest and least-visible costs in the modern Microsoft estate, and one of the fastest to bring back under control.