Pricing for Azure Sentinel is GA 1

Pricing for Azure Sentinel is GA

After being in Preview since February 2019, Microsoft just announced the General Availability and pricing for Azure Sentinel today! As a Gold Microsoft Partner with competencies in Azure Cloud Platform, DevOps, Security, and Enterprise Mobility, we’re excited to announce that we are adding co-managed SIEM and SOAR to our Secqur Aether services starting on day one!

Pay-As-You-Go Pricing for Azure Sentinel

For those of you familiar with Azure pricing, running the same service in different datacenters can have a different price. On top of that, purchasing reserved capacity can provide up to a 60% discount on certain workloads. For now, let’s take a look at the initial Pay-as-you-go pricing for Azure Sentinel in the US.

To use Azure Sentinel, the total ingestion cost is the Log Analytics ingestion fee + Azure Sentinel analysis fees per GB.

Region Sentinel Price per GB Log Analytics Price per GB Total Ingestion Cost per GB Retention per GB
US East $2.00 $2.30 $4.30 $0.10
US East 2 $2.00 $2.76 $4.76 $0.12
US Central $2.46 $2.76 $5.22 $0.12
US North Central $2.40 $2.76 $5.16 $0.12
US South Central $2.40 $2.76 $5.16 $0.12
US West Central $2.40 $2.76 $5.16 $0.12
US West $2.60 $2.99 $5.59 $0.13
US West 2 $2.00 $2.30 $4.30 $0.10
US Government VA $2.50 $2.88 $5.38 $0.13

Data has to be ingested into a Log Analytics Workspace before you can perform analytics with Azure Sentinel. Ingesting data is fairly simple–only a few clicks for certain workloads–but it does have a price per GB associated with it. Retention fees are only charged for data retained past the free period as described below.

Free Units for Log Analytics and Azure Sentinel

Pricing for Log Analytics also varies per datacenter and you’re granted a limited amount of free log ingestion per tenant each month.

Feature Free Units Included
Log Analytics Data Ingestion 5 GB per month per customer
Log Analytics Data Retention 31 Days (Or 90 Days if Azure Sentinel is enabled on the workspace)

Data retention pricing is listed above and is only charged if you choose to keep your logs longer than the free period allocated to the workspace. Going back to Azure Sentinel, the following logs can be ingested to the service for free as well:

Azure Sentinel Data Source Free Units Included
Azure Activity Logs Unlimited
Office 365 Audit Logs Unlimited
Microsoft Threat Protection Logs Unlimited

What services are included with Microsoft Threat Protection logs?

A lot. In a nutshell, all your security services from Microsoft 365 E5 plus Azure Security Center data if you purchased that on top of your Log Analytics account. (Security Center is roughly $15/mo/server.)

 

Diagram of Microsoft Threat Protection.

 

Deploying the full Microsoft Threat Protection stack provides an end-to-end defense-in-depth security solution. In many cases, it doesn’t require any infrastructure either. The ability to layer Azure Sentinel on top of this stack for free provides enterprise-grade monitoring and visibility to companies of any size.

Pricing for Add-on Services to Azure Sentinel

There are many other services that are typically deployed alongside Azure Sentinel, such as Application Insights, Logic Apps, Azure Monitor, etc. Each of those services has additional pricing that is separate for Azure Sentinel. Azure Security Center also relies on the Log Analytics agent, which has its own pricing model too. For more information, take a look the Microsoft pricing pages:

Azure Sentinel Capacity Reservations

 

Diagram of Azure Capacity Reservations.

 

Let’s talk about pre-buying Azure Sentinel reservation capacity. If you’re going to rip out Splunk, Logrhythm, Qradar, or Arcsight and replace it with Azure Sentinel, then you probably have a ton of logs that you need to process. Let’s take a look at some of the discounts that are available in the East US datacenter if we pre-buy Azure Sentinel Capacity:

Capacity Price Discount
100 GB per day $100 per day 50%
200 GB per day $180 per day 55%
300 GB per day $260 per day 57%
400 GB per day $333.33 per day 58%
500 GB per day $400 per day 60%
More than 500 GB per day $400 per day + $80 per day for each additional 100GB increment 60%

Competing solutions such as Logrhythm can start at $40,000/yr for a single server. Azure Sentinel can provide a cloud-native SIEM solution for multiple servers at a lower price point. It’s easier to deploy. There’s no infrastructure to maintain. From SMB to Enterprise customers, Azure Sentinel provides a compelling solution for SIEM and SOAR services.

Closing Thoughts on Pricing for Azure Sentinel

If you’re an SMB/SME client that doesn’t currently have a SIEM solution today, how can you know what to expect to pay? Many of our smaller clients that are running Azure Security Center with Microsoft Defender ATP, Log Analytics and Azure Sentinel never exceed $25/mo per server, especially if the server is not web-facing. Still worried about what your actual cost might be? Submit the form at the bottom of the page and we’ll configure 5 servers with Azure Sentinel and provide 30 days of logging for free to help you forecast the cost of Azure Sentinel in your environment if you sign up before the end of 2019.

Larger organizations will likely already have a SIEM solution in place and can use current log ingress rates to estimate Azure Sentinel pricing. For Azure Government tenants, Sentinel is currently only available in the Virginia US GCC datacenter. There are currently no DoD datacenters that support Azure Sentinel.

If you’re interested in learning about Microsoft’s Azure Arc, you can read more about it here.

Co-managed SIEM and SOAR with Azure Sentinel

Our managed security orchestration and automation response platform, Secqur Æther, incorporated Azure Sentinel into the service back in May. We’re excited to have Sentinel officially in GA and I’m personally looking forward to seeing the community grow around workbooks and automation response. If you’re interested in cloud-native SIEM, check out our other blogs on cloud security automation or sign up for a free PoC below.

2 Comments

  1. Nelson on February 6, 2020 at 3:51 pm

    Hi,

    We are looking at getting HiTrust certified and need a SIEM solution. We are considering Azure Sentinel as an option, and we’re looking at connecting on premises devices up. You mention you offer a service of configuring it, and I’d be interested in talking about your services.

    Thanks,
    Nelson

Leave a Comment