Microsoft Sentinel charges $2.46 per GB ingested at pay-as-you-go in West US 2 and similar regions, and $5.13 per GB in higher-cost regions such as Switzerland North. Commitment tiers reduce per-GB cost: 100 GB per day lists at $123 per day ($1.23 per GB), 500 GB per day at $585 per day ($1.17 per GB), 1 TB per day at $1,150 per day ($1.15 per GB), and 5 TB per day at $5,500 per day ($1.10 per GB). Auxiliary logs are priced at $0.50 per GB. Defender XDR raw data ingestion is included at zero ingestion cost. The 2026 budget question is rarely the per-GB rate. It is which logs land in which tier.
This is the 2026 cost reference for Microsoft Sentinel: list pricing across pay-as-you-go and commitment tiers, the four log tiers and what each costs, solutions and connector costs, the included-data exemptions that materially shift the math, and the cost control patterns that hold SOC budgets against linear data growth. It is built from Microsoft's Sentinel pricing page (May 2026), the Sentinel commitment tier documentation, and advisor-led Sentinel commercial reviews during 2024 to 2026.
2026 Sentinel price list snapshot
Sentinel is sold under the Log Analytics workspace billing meter with a Sentinel-specific add-on charge. The pay-as-you-go meter combines a Log Analytics ingestion fee ($2.30 per GB in West US 2 baseline) plus a Sentinel analysis fee ($0.16 per GB), totalling $2.46 per GB. The Sentinel surcharge does not apply to Auxiliary logs or to Basic logs ingested.
| Tier | List rate | Per-GB equivalent | Annual cost |
|---|---|---|---|
| Pay-as-you-go | $2.46 per GB | $2.46 | Variable |
| Commitment 100 GB per day | $123 per day | $1.23 | $44,895 |
| Commitment 200 GB per day | $243 per day | $1.215 | $88,695 |
| Commitment 300 GB per day | $358 per day | $1.193 | $130,670 |
| Commitment 500 GB per day | $585 per day | $1.17 | $213,525 |
| Commitment 1,000 GB per day | $1,150 per day | $1.15 | $419,750 |
| Commitment 2,000 GB per day | $2,260 per day | $1.13 | $824,900 |
| Commitment 5,000 GB per day | $5,500 per day | $1.10 | $2,007,500 |
| Commitment 10,000 GB per day | $10,750 per day | $1.075 | $3,923,750 |
| Commitment 25,000 GB per day | $26,500 per day | $1.06 | $9,672,500 |
| Commitment 50,000 GB per day | $52,500 per day | $1.05 | $19,162,500 |
Commitment tiers are billed in advance for the daily reservation regardless of actual ingestion. Overage above the commitment is billed at the equivalent per-GB rate for that tier. A 1 TB per day commitment that ingests 1.3 TB on a Monday pays the daily $1,150 plus 300 GB x $1.15 = $345 overage for that day. The reservation can be increased or stopped on 31-day notice.
The four log tiers
Sentinel offers four data tiers, each with different ingestion cost, retention, and query capability. The right tier per log type is the single most important budget control in Sentinel.
| Tier | Ingestion cost | Query cost | Default retention | Use case |
|---|---|---|---|---|
| Analytics logs (interactive) | $2.46 per GB (pay-as-you-go) | Included | 90 days included, additional at $0.10 per GB per month | Detection, hunting, dashboarding, alert rules |
| Basic logs | $1.00 per GB | $0.005 per GB scanned | 30 days included | High-volume, low-detection-value (firewall flow, NetFlow) |
| Auxiliary logs | $0.50 per GB | $0.005 per GB scanned (KQL Simple) | 30 days included, archive to 12 years | Forensic retention, compliance archive, low query frequency |
| Archive (cold storage) | $0.025 per GB per month | $0.10 per GB scanned (Search Job) or $0.007 per GB per day restored | Up to 7 years | Long-term retention beyond Analytics 90 days |
The single largest savings opportunity is moving low-detection-value logs from Analytics to Basic or Auxiliary. Firewall flow logs at 200 GB per day land at $179,580 per year in Analytics. Moved to Auxiliary they land at $36,500 per year plus query fees, an 80 percent reduction. The tradeoff is query speed: Auxiliary supports a limited KQL subset, and queries incur a per-GB scan cost. For logs that hit detection rules every minute the loss is significant. For logs that exist to be queryable in an incident weeks later the loss is irrelevant.
Defender XDR data ingestion at zero cost
Sentinel customers using Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Microsoft 365 Defender raw data can ingest those data streams into Sentinel at zero ingestion cost when the source product is licensed. The included streams are M365 Defender raw alerts and security events, Defender for Endpoint raw events, Defender for Office 365 events, Defender for Identity events, and Defender for Cloud Apps. Storage and retention beyond 90 days incur the standard Analytics tier rates.
For an estate with 25,000 Microsoft 365 E5 seats the Defender data flow into Sentinel can exceed 800 GB per day. That volume routinely consumes the equivalent of a $1.95M per year Sentinel ingestion bill at pay-as-you-go. Under the included-data exemption it costs $0 in ingestion. The trap is misconfiguring the connector and ingesting the data as standard Analytics. The included-data exemption is automatic when the connector is configured against the licensed Defender source, but custom log forwarders that re-emit Defender data lose the exemption.
The connector configuration trap: Sentinel Defender XDR connectors must be configured through the Microsoft Sentinel Content Hub solution for the Defender exemption to apply. Custom Logstash, Fluentd, or Event Hub forwarders that re-emit Defender data hit the standard Analytics ingestion rate. Verify in the Sentinel pricing page that Defender data registers as included before signing the commitment.
Solutions and connector costs
Sentinel ships hundreds of content packages through the Content Hub: connectors, parsers, analytics rules, workbooks, hunting queries, and playbooks. Most content is free. A growing set of Microsoft and third-party solutions are commercial and incur per-package or per-volume fees beyond ingestion.
The Microsoft Sentinel for SAP solution lists at $2.00 per active SAP-licensed user per month. For a 5,000-user SAP estate the solution costs $120,000 per year on top of the ingestion charges for SAP audit logs (typically 50 to 150 GB per day). Third-party solutions, such as the Recorded Future, Anomali, and CrowdStrike integrations, can range from $30,000 to $250,000 per year depending on data volume.
Playbook execution runs on Azure Logic Apps Consumption or Standard plan. Consumption is $0.000025 per action with 4,000 free actions per Logic App per month. A high-volume SOC running 200,000 playbook actions per month lists at $5 per month for Logic Apps execution, immaterial against ingestion costs but worth noting at scale.
Four cost-control patterns
These are the four operational moves that deliver 30 to 50 percent of Sentinel cost recovery without losing detection capability.
Pattern one: filter at source. The cheapest GB is the one that never enters Sentinel. Configure verbose audit, firewall, and IIS logging to drop non-security events at the agent level. The Microsoft Monitoring Agent and the new Azure Monitor Agent both support data collection rules with filter transformations. A typical firewall stream reduces 35 to 55 percent in volume when authentication-success and routine-flow events are dropped at the agent.
Pattern two: tier per table. Map every Sentinel table to a tier. Tables that drive analytic rules go to Analytics. Tables that exist purely for forensic retention go to Auxiliary or Archive. Tables that bridge both (firewall flow, DNS query) typically split: 14-day Analytics for hunting plus full Auxiliary for forensics. The split saves 50 to 70 percent of the relevant table's ingestion bill.
Pattern three: right-size the commitment. Measure 90-day average and 95th-percentile daily ingestion. Select the commitment tier that is 10 to 15 percent below the 95th percentile. Pay overage on the highest-volume days. For a 1.2 TB per day average estate the right tier is typically 1 TB per day commitment with 200 GB overage daily, not the 2 TB tier. The math: $1,150 daily + (200 GB x $1.15) = $1,380 per day in commitment plus overage, against $2,260 per day at the 2 TB commitment tier.
Pattern four: archive aggressively. Move data older than 14 to 30 days into Archive at $0.025 per GB per month. The fully indexed Search Job pricing of $0.10 per GB scanned makes incident-driven access affordable when needed. A 12-month forensic retention of 200 GB per day costs $1,500 per month in Archive plus on-demand scan fees, against $9,000 per month at the Analytics-tier extended retention rate.
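Pattern three and the overage rule from the price list, worked through as an added example (not Microsoft tooling and not part of the original page). Tier prices are copied from the table above, limited to tiers up to 5,000 GB per day; the 90-day ingestion series is constructed, and `rule_of_thumb_tier` with its `margin` parameter is one assumed reading of "10 to 15 percent below the 95th percentile".

```python
import math

# Daily reservation price (USD) by commitment tier in GB/day, from the price list above.
TIERS = {100: 123, 200: 243, 300: 358, 500: 585, 1000: 1150, 2000: 2260, 5000: 5500}
PAYG_PER_GB = 2.46  # pay-as-you-go rate quoted on this page


def daily_cost(gb, tier_gb=None):
    """One day's bill: pay-as-you-go, or reservation plus overage at the tier's per-GB rate."""
    if tier_gb is None:
        return gb * PAYG_PER_GB
    rate = TIERS[tier_gb] / tier_gb
    return TIERS[tier_gb] + max(0.0, gb - tier_gb) * rate


def percentile(values, pct):
    """Nearest-rank percentile (no interpolation)."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(pct / 100 * len(ordered))) - 1]


def rule_of_thumb_tier(daily_gb, margin=0.10):
    """Largest tier at or below (1 - margin) x p95; None means stay on pay-as-you-go.
    Assumption: one reading of "10 to 15 percent below the 95th percentile"."""
    target = percentile(daily_gb, 95) * (1 - margin)
    fitting = [t for t in TIERS if t <= target]
    return max(fitting) if fitting else None


def window_costs(daily_gb):
    """Total bill for the whole window under pay-as-you-go (None) and each tier."""
    return {t: sum(daily_cost(g, t) for g in daily_gb) for t in [None, *TIERS]}


def break_even_gb(lower, upper):
    """Daily volume above which the upper tier beats the lower tier plus overage."""
    return TIERS[upper] / (TIERS[lower] / lower)


# Constructed sample: 90 days, 1,300 GB on weekdays and 950 GB on weekends (~1.2 TB average).
SAMPLE = [1300 if day % 7 < 5 else 950 for day in range(90)]

if __name__ == "__main__":
    costs = window_costs(SAMPLE)
    print("p95:", percentile(SAMPLE, 95), "rule-of-thumb tier:", rule_of_thumb_tier(SAMPLE))
    for tier, total in sorted(costs.items(), key=lambda kv: kv[1]):
        print(f"{'PAYG' if tier is None else tier:>5}  ${total:,.2f}")
    print("2 TB tier breaks even at", round(break_even_gb(1000, 2000)), "GB/day")
```

On the constructed series the 1 TB tier is the cheapest option, and the 2 TB tier only breaks even once daily ingestion sits near 1,965 GB.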
Sentinel versus Splunk benchmark
Sentinel is most often evaluated against Splunk Cloud, Splunk Enterprise on Azure, and Elastic Security. The table below gives the relevant cost benchmark for a 1 TB per day enterprise SOC in 2026.
| Platform | 1 TB/day annual list | Hosting | Included in M365 E5 |
|---|---|---|---|
| Microsoft Sentinel 1 TB commitment | $419,750 | Azure included | Defender data ingestion free |
| Splunk Cloud (ingestion, 1 TB) | $1.4M to $2.1M (workload pricing) | Splunk-hosted included | No |
| Splunk Enterprise on Azure (license + infra) | $1.1M license + $400K infra | Customer-hosted | No |
| Elastic Security on Elastic Cloud | $320K to $480K (resource-based) | Elastic Cloud or self-hosted | No |
The Sentinel list price plus tier-optimised log placement and the Defender data exemption lands a typical mature enterprise SOC at $600K to $1.2M per year all-in for 1 to 1.5 TB per day. The same volume in Splunk Cloud typically runs $2M to $3.5M. The savings are real but require deliberate engineering discipline. Sentinel costs scale linearly with raw GB ingested and Splunk costs scale with workload commitments, so the per-GB advantage only holds when ingestion is actively managed. A Sentinel deployment that mirrors a Splunk indexing pattern (everything to Analytics) can match or exceed Splunk on cost.
2026 negotiation levers
Sentinel pricing is published. List moves rarely. The negotiation levers are not the per-GB rate but the surrounding commercial structure.
First, Azure Consumption Commitment placement. Sentinel spend counts toward Microsoft Azure Consumption Commitment (MACC) when invoiced under the Azure subscription, which means the spend offsets the MACC commitment and benefits from any MACC-tier Azure discounts. Customers on a $10M MACC who route Sentinel through the same subscription effectively recover the MACC-tier discount on Sentinel ingestion.
Second, multi-year commitments. Sentinel commitment tiers are not termed in the standard product. A negotiated multi-year price-protect locks the daily rate against Microsoft list-price escalation. Typical Microsoft list escalation on Azure services has been 3 to 7 percent per year. A three-year price-protect on a $1M annual Sentinel bill saves $60K to $140K cumulative.
Third, Defender bundle math. Sentinel and Defender are often negotiated together. An EA renewal that includes Microsoft 365 E5 plus a defined Sentinel commit gives Microsoft more incentive to discount the Defender attach than to discount Sentinel. The negotiation play is to anchor on Defender XDR list price and the Defender for Cloud Apps and Defender for Identity standalone rates, not on Sentinel.