After being in Preview since February 2019, Microsoft just announced the General Availability and pricing for Azure Sentinel today! As a Gold Microsoft Partner with competencies in Azure Cloud Platform, DevOps, Security, and Enterprise Mobility, we’re excited to announce that we are adding co-managed SIEM and SOAR to our Secqur Aether services starting on day one!
Pay-As-You-Go Pricing for Azure Sentinel
For those of you familiar with Azure pricing, running the same service in different datacenters can have a different price. On top of that, purchasing reserved capacity can provide up to a 60% discount on certain workloads. For now, let’s take a look at the initial Pay-as-you-go pricing for Azure Sentinel in the US.
To use Azure Sentinel, the total ingestion cost per GB is the Log Analytics ingestion fee plus the Azure Sentinel analysis fee.

| Region | Sentinel Price per GB | Log Analytics Price per GB | Total Ingestion Cost per GB | Retention per GB |
|---|---|---|---|---|
| US East 2 | $2.00 | $2.76 | $4.76 | $0.12 |
| US North Central | $2.40 | $2.76 | $5.16 | $0.12 |
| US South Central | $2.40 | $2.76 | $5.16 | $0.12 |
| US West Central | $2.40 | $2.76 | $5.16 | $0.12 |
| US West 2 | $2.00 | $2.30 | $4.30 | $0.10 |
| US Government VA | $2.50 | $2.88 | $5.38 | $0.13 |

Data has to be ingested into a Log Analytics Workspace before you can perform analytics with Azure Sentinel. Ingesting data is fairly simple (only a few clicks for certain workloads), but it does have a price per GB associated with it. Retention fees are only charged for data retained past the free period, as described below.
Free Units for Log Analytics and Azure Sentinel
Pricing for Log Analytics also varies per datacenter, and you’re granted a limited amount of free log ingestion per tenant each month.

| Feature | Free Units Included |
|---|---|
| Log Analytics Data Ingestion | 5 GB per month per customer |
| Log Analytics Data Retention | 31 Days (Or 90 Days if Azure Sentinel is enabled on the workspace) |

Data retention pricing is listed above and is only charged if you choose to keep your logs longer than the free period allocated to the workspace. Going back to Azure Sentinel, the following logs can be ingested to the service for free as well:

| Azure Sentinel Data Source | Free Units Included |
|---|---|
| Azure Activity Logs | Unlimited |
| Office 365 Audit Logs | Unlimited |
| Microsoft Threat Protection Logs | Unlimited |

What services are included with Microsoft Threat Protection logs?
A lot. In a nutshell, all your security services from Microsoft 365 E5 plus Azure Security Center data if you purchased that on top of your Log Analytics account. (Security Center is roughly $15/mo/server.)
- User Data:
- Cloud Apps:
Deploying the full Microsoft Threat Protection stack provides an end-to-end defense-in-depth security solution. In many cases, it doesn’t require any infrastructure either. The ability to layer Azure Sentinel on top of this stack for free provides enterprise-grade monitoring and visibility to companies of any size.
Pricing for Add-on Services to Azure Sentinel
There are many other services that are typically deployed alongside Azure Sentinel, such as Application Insights, Logic Apps, Azure Monitor, etc. Each of those services has additional pricing that is separate from Azure Sentinel. Azure Security Center also relies on the Log Analytics agent, which has its own pricing model too. For more information, take a look at the Microsoft pricing pages:
- Azure Monitor Pricing Details including Log Analytics and Application Insights
- Azure Security Center Pricing
- Databricks Pricing
- Logic Apps Pricing
- Machine Learning Studio Pricing
- Sentinel Pricing Details
Azure Sentinel Capacity Reservations
Let’s talk about pre-buying Azure Sentinel reservation capacity. If you’re going to rip out Splunk, LogRhythm, QRadar, or ArcSight and replace it with Azure Sentinel, then you probably have a ton of logs that you need to process. Let’s take a look at some of the discounts that are available in the East US datacenter if we pre-buy Azure Sentinel Capacity:

| Capacity Reservation | Price | Discount |
|---|---|---|
| 100 GB per day | $100 per day | 50% |
| 200 GB per day | $180 per day | 55% |
| 300 GB per day | $260 per day | 57% |
| 400 GB per day | $333.33 per day | 58% |
| 500 GB per day | $400 per day | 60% |
| More than 500 GB per day | $400 per day + $80 per day for each additional 100 GB increment | 60% |

Competing solutions such as LogRhythm can start at $40,000/yr for a single server. Azure Sentinel can provide a cloud-native SIEM solution for multiple servers at a lower price point. It’s easier to deploy, and there’s no infrastructure to maintain. From SMB to Enterprise customers, Azure Sentinel provides a compelling solution for SIEM and SOAR services.
Closing Thoughts on Pricing for Azure Sentinel
If you’re an SMB/SME client that doesn’t currently have a SIEM solution, how can you know what to expect to pay? Many of our smaller clients that are running Azure Security Center with Microsoft Defender ATP, Log Analytics and Azure Sentinel never exceed $25/mo per server, especially if the server is not web-facing. Still worried about what your actual cost might be? If you sign up before the end of 2019, submit the form at the bottom of the page and we’ll configure 5 servers with Azure Sentinel and provide 30 days of logging for free to help you forecast the cost of Azure Sentinel in your environment.
Larger organizations will likely already have a SIEM solution in place and can use current log ingress rates to estimate Azure Sentinel pricing. For Azure Government tenants, Sentinel is currently only available in the Virginia US GCC datacenter. There are currently no DoD datacenters that support Azure Sentinel.
If you’re interested in learning about Microsoft’s Azure Arc, you can read more about it here.
Co-managed SIEM and SOAR with Azure Sentinel
Our managed security orchestration and automation response platform, Secqur Æther, incorporated Azure Sentinel into the service back in May. We’re excited to have Sentinel officially in GA and I’m personally looking forward to seeing the community grow around workbooks and automation response. If you’re interested in cloud-native SIEM, check out our other blogs on cloud security automation or sign up for a free PoC below.