TL;DR: Per-GB rate is only one variable when it comes to Sentinel pricing. The actual cost of running Sentinel depends on many other factors, including how much of the data entering the workspace actually drives a detection and which logs go into which tier. Realm Security helps you answer these questions and more, and reduce Sentinel bills without losing detection coverage. Get a free 30-day SIEM cost reduction demo.
Microsoft is one of the few major SIEM vendors that publishes full list pricing on its website. This is relatively unusual. Because SIEM pricing can be complex, most other vendors direct you to a sales conversation.
Although Microsoft’s pricing transparency removes the need for an initial sales call, understanding Sentinel’s total cost to your organization remains difficult. The numbers published on Microsoft’s website have to be multiplied by a GB/day figure, which most teams can only estimate confidently after running a trial period.
Even then, the commitment-tier list price isn’t the total cost of running Sentinel. It’s the cost of ingesting up to a specific daily volume at that tier, and nothing else. It doesn’t include overage, retention add-ons beyond the default, or data lake tier charges for any data routed there.
Microsoft Sentinel Pricing Explained (2026)
In 2026, Sentinel has two official pricing tiers: the analytics tier (for primary, high-performance, real-time detection) and the data lake tier (for cost-effective, long-term, “cold” storage for secondary security data).
Sentinel’s analytics tier is for real-time detection
Microsoft Sentinel’s analytics tier is priced per GB ingested and has two payment options:
- Pay-As-You-Go tier, which at the time of writing costs between $4.30/GB (East US — most affordable in the US) and $5.59/GB (West US — most expensive in the US).
- Commitment tier, which buys you a daily volume at a fixed rate, starting at $161.25/day (East US) – $209.625/day (West US) for the 50 GB promotional tier and scaling up to $102,600/day (East US) – $121,068/day (West US) at 50,000 GB.
At 100 GB/day, the math is about $156,950/year (East US) – $204,035/year (West US) on PAYG against about $108,040/year (East US) – $127,574.80/year (West US) on a commitment tier, a gap worth roughly $49,000/year (East US) – $77,000/year (West US) if the forecast is accurate.
Note: Pricing is different again for geographies outside the US.
Microsoft publishes commitment-tier savings as “up to 52%” over PAYG at the highest tiers.
A commitment tier commits the customer to a daily volume whether or not they hit it (i.e., unused capacity below the commitment is not refunded). Ingestion that runs over the commitment bills as a separate line item at the same effective per-GB rate as the tier itself, not at the higher pay-as-you-go rate.
Still, as one practitioner notes: “those commitment tiers can add up fast.”
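The commitment-tier billing rules described above can be modeled to show how sensitive the saving is to forecast accuracy. This is an added example, not code from the original article or from Microsoft; it assumes the East US rates quoted above, derives the 100 GB tier day price from the article's $108,040/year figure, and uses constructed daily volumes.

```python
# Added example, not from the original article. East US list prices quoted above;
# the 100 GB tier day price is derived from the article's $108,040/year figure.
PAYG_PER_GB = 4.30
TIER_GB = 100
TIER_PER_DAY = 108_040 / 365  # 296.00 per day


def payg_cost(daily_gb):
    """Pay-as-you-go: every ingested GB is billed at the PAYG rate."""
    return sum(gb * PAYG_PER_GB for gb in daily_gb)


def commitment_cost(daily_gb, tier_gb=TIER_GB, tier_per_day=TIER_PER_DAY):
    """Commitment tier as described above: the day price is owed even when
    ingestion is below the tier, and overage bills at the tier's effective rate."""
    effective_rate = tier_per_day / tier_gb
    total = 0.0
    for gb in daily_gb:
        overage = max(0.0, gb - tier_gb)
        total += tier_per_day + overage * effective_rate
    return total


def breakeven_gb(tier_per_day=TIER_PER_DAY, payg_per_gb=PAYG_PER_GB):
    """Daily volume below which PAYG is cheaper than holding the tier."""
    return tier_per_day / payg_per_gb


def compare(daily_gb):
    """Return (payg, commitment, cheaper_option) for a series of daily volumes."""
    payg, commit = payg_cost(daily_gb), commitment_cost(daily_gb)
    return round(payg, 2), round(commit, 2), "payg" if payg < commit else "commitment"


# Constructed scenarios: forecast met, forecast missed, and sustained overage.
SCENARIOS = {
    "on forecast (100 GB/day)": [100.0] * 365,
    "under forecast (60 GB/day)": [60.0] * 365,
    "over forecast (120 GB/day)": [120.0] * 365,
}

if __name__ == "__main__":
    print(f"break-even: {breakeven_gb():.1f} GB/day")
    for name, series in SCENARIOS.items():
        print(name, compare(series))
```

With these figures the 100 GB tier only pays off when average ingestion stays above roughly 69 GB/day.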
As of this writing, there’s a 31-day free trial that covers 10 GB/day.
Analytics tier default interactive retention is 90 days, extensible to 2 years. Retention beyond the default bills separately. Note: Use Microsoft’s pricing calculator to see how much additional retention would cost.
Sentinel’s data lake tier is for storing long-term, lower-value data
Microsoft Sentinel’s data lake tier is best for high-volume logs like network, firewall, and proxy logs that need long-term retention for forensics and historical analysis.
Data in the data lake tier isn’t available for real-time analytics features or threat hunting, but you can access it through KQL queries and Jupyter notebooks.
KQL queries can be run directly against the lake or set up as one-time or scheduled jobs that promote data from the lake tier into the analytics tier when you need faster access. Jupyter notebooks let you run Python-based analysis, machine learning models, and visualizations against lake data, and these can also be scheduled to summarize data or promote it to the analytics tier on a regular basis.
Data lake tier applies uniform 6:1 compression across data sources (e.g., 600 GB of raw data is billed as 100 GB compressed).
Data lake tier rates are as follows, as of this writing:
- $0.05/GB ingestion.
- $0.10/GB processing.
- $0.026/GB/month storage.
- $0.005/GB query.
The data lake can hold up to 12 years of data.
Free Sentinel data ingestion sources and licensing credits
Microsoft Sentinel has several types of data ingestion that are free or subsidized, but many organizations don’t take advantage of them because they don’t know they exist.
For example, customers with Microsoft 365 E5 (and equivalent plans) get a data ingestion allowance in Microsoft Sentinel of up to 5 MB per user per day for specific Microsoft 365 data sources. This grant is automatically applied to billing and offsets ingestion costs for:
- Microsoft Entra ID sign-in and audit logs.
- Microsoft Defender for Cloud Apps shadow IT discovery logs.
- Microsoft Purview Information Protection logs.
- Microsoft 365 advanced hunting data.
According to Microsoft itself, organizations can save up to $2,200 per month by using the 5 MB per user per day data grant included with Microsoft 365 E5, which reduces billable data ingestion in Microsoft Sentinel.
Separately, some data sources are ingested at no cost for all Microsoft customers, regardless of licensing:
- Azure Activity Logs.
- Office 365 Audit Logs (including SharePoint activity and Exchange admin activity).
- Alerts from Microsoft Defender solutions (e.g., Defender for Endpoint, Identity, Office 365, Cloud Apps, and Defender XDR).
Similarly, with Microsoft Defender for Servers Plan 2, organizations receive a data ingestion allowance of 500 MB per server per day, pooled across all machines in a subscription.
This allowance applies to a defined set of security data types (such as SecurityEvent and related security tables), meaning it can significantly reduce billable ingestion in Microsoft Sentinel for server security logs, while other log types continue to be billed at standard rates.
How to Reduce Microsoft Sentinel SIEM Pricing And Cut Costs
If you’ve figured out what Sentinel SIEM pricing looks like for your organization and are taken slightly aback by the cost, know this: you can reduce Sentinel costs.
Here are three ways you can slash Sentinel SIEM pricing.
1. Drop the data you don’t need before it goes to Sentinel
Every byte of high-volume log data (such as firewall logs and sign-in activity) that reaches the analytics tier is billed at $4.30/GB – $5.59/GB PAYG (depending on your location) or the commitment-tier equivalent, even though a large portion of it is likely to be routine activity that no detections are actually using.
You could send this data to Sentinel’s data lake tier, but data routed there is still ingested, stored, and queried at Microsoft Sentinel rates, just lower ones.
A better option is to filter this data out, and Sentinel has its own filtering tools. The simplest cases are relatively quick to set up (depending on who’s using it, of course), but anything beyond basic filtering takes real engineering time, and the work can scale quickly as the logic gets more complex.
And engineering effort is just one part of the equation. The thing that prevents most teams from actually cutting irrelevant data? The fear of filtering something the SOC might need in the future.
How Realm Security cuts Sentinel data ingestion
Realm.Security sits in front of Microsoft Sentinel and routes data to multiple destinations simultaneously without reconfiguring the source integration. High-signal detection data goes into Sentinel, whereas lower-value hunting, forensics, and compliance data can be sent to the data lake tier or another storage account in parallel.
Since filter and routing rules are generated by Realm's AI-native engine, the team reviews and approves rules rather than creating them from scratch.
Full raw and normalized logs also stream into Realm Security Data Haven, a purpose-built security data archive that sits adjacent to your detection layer. Data Haven costs like cold storage but behaves like a warm database when you need to pull data back, and because it plugs into the same Security Data Pipeline, there is no storage setup, routing rules, or manual tuning needed.
In practice, this tends to lead to roughly 200% more volume cut than manual filtering, with deployments usually live in 7 to 10 days.
Even when data is filtered out of Microsoft Sentinel, the full-fidelity logs are still preserved in a data archive like Realm Data Haven (more on this below), so you can access them later for forensic analysis, compliance, or long-term storage requirements.
2. Route the rest of your data to the tier it belongs in
As mentioned earlier, Microsoft Sentinel has two official tiers: analytics for real-time detection and data lake for long-term secondary storage.
Ideally, you want to match data to the tier that fits its value.
In other words, keep high-value detection data in the analytics tier, but route lower-value data to the data lake tier or a storage account where it remains accessible when an investigation needs it.
Beyond default mirroring and table-level data-lake-only ingestion, Sentinel offers split rules that route data between the analytics tier and the data lake tier based on KQL conditions. Data matching the rule goes to analytics (and is mirrored to the lake), and the rest goes to the data lake only.
Though split rules are easier to set up than they used to be, you still need to be comfortable with KQL and review them as your data sources and detection priorities change.
How Realm Security routes data
Realm Security Data Haven is a purpose-built security archive that sits next to your SIEM. While it costs like cold storage, it behaves more like a warm database when you need to pull data back.
Data Haven plugs into the Realm Security Data Pipeline, so only the high-signal alerts go into the SIEM. The full raw and normalized logs stream into Data Haven automatically, with no storage setup, routing rules, or manual tuning needed.
When an investigation needs historical data, analysts can use a guided resupply workflow to pull a narrowed dataset of specific IPs, users, or hostnames back into a Sentinel index in minutes.
Also, because logs are normalized to OCSF on ingestion, resupply queries are cleaner (no regex or proprietary query languages to deal with) and the archive stays portable if you ever switch SIEMs.
3. Catch ingestion anomalies before they show up on the bill
A misconfigured host, an aggressive new logging policy, a firewall setting change, or an enabled debug mode can all add unexpected volume to the workspace. Microsoft Sentinel bills for what shows up at the meter, regardless of whether the team intended it.
Sentinel includes the Workspace Usage Report and Data Collection Health Monitoring workbook for ingestion visibility, while Microsoft Cost Management + Billing handles spend tracking through configurable budgets and threshold alerts.
These tools require configuration, and budget alerts run on a periodic check rather than in real time.
How Realm Security catches anomalies
Realm Security’s Fabric Monitoring builds an automatic baseline of normal flow on every feed (accounting for weekdays, weekends, and work hours) and tracks deviations from it without manual threshold configuration.
When persistent spikes happen, Realm Security catches them at the pipeline layer, where the data can be paused, filtered, or rerouted before Sentinel counts it toward your bill.
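A baseline keyed on weekday/weekend and hour of day, as described above, can be sketched in a few functions. This is an added example, not Realm Security's or Microsoft's implementation; the median/MAD threshold, the function names, and the hourly feed volumes are all assumptions constructed for illustration.

```python
# Added example, not Realm Security's or Microsoft's implementation.
from datetime import datetime, timedelta
from statistics import median

def bucket(ts):
    """Baseline key: weekend vs weekday, plus hour of day (captures work hours)."""
    return (ts.weekday() >= 5, ts.hour)

def build_baseline(samples):
    """samples: [(datetime, gb_per_hour)] -> {bucket: (median, MAD)}."""
    groups = {}
    for ts, gb in samples:
        groups.setdefault(bucket(ts), []).append(gb)
    baseline = {}
    for key, vals in groups.items():
        med = median(vals)
        baseline[key] = (med, median(abs(v - med) for v in vals))
    return baseline

def persistent_spikes(samples, baseline, k=6.0, floor_gb=0.5, min_hours=3):
    """Return [(start, hours)] for runs of >= min_hours hours above baseline."""
    runs, run = [], []
    for ts, gb in samples:
        med, mad = baseline[bucket(ts)]
        # 1.4826 * MAD approximates one standard deviation; floor avoids noise alerts.
        if gb > med + max(k * 1.4826 * mad, floor_gb):
            run.append(ts)
            continue
        if len(run) >= min_hours:
            runs.append((run[0], len(run)))
        run = []
    if len(run) >= min_hours:
        runs.append((run[0], len(run)))
    return runs

def constructed_feed(start, days):
    """Constructed hourly volumes: busy work hours, quiet nights and weekends."""
    feed = []
    for h in range(days * 24):
        ts = start + timedelta(hours=h)
        weekend, hour = bucket(ts)
        base = 2.0 if weekend else (10.0 if 8 <= hour < 18 else 3.0)
        feed.append((ts, base + (h % 5) * 0.1))  # small deterministic jitter
    return feed

HISTORY = constructed_feed(datetime(2026, 1, 5), 21)  # three weeks from a Monday
# Constructed incident: debug logging left on from 01:00 to 04:59 on day 22.
TODAY = [(ts, gb * 4 if 1 <= ts.hour < 5 else gb)
         for ts, gb in constructed_feed(datetime(2026, 1, 26), 1)]
```

Calling `persistent_spikes(TODAY, build_baseline(HISTORY))` reports one four-hour run starting at 01:00, while the normal weekday peak at 10 GB/hour raises nothing because it is compared against its own work-hours bucket.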
Cut Microsoft Sentinel Costs with a Security Data Pipeline
A security data pipeline like Realm Security sits in front of your SIEM and gives you control over what’s filtered, what’s archived, and what’s monitored before any of it gets billed.
Schedule a demo of Realm.Security, and we will walk you through how much you could cut from your next Microsoft Sentinel bill without giving up a single detection.