Independent reference. Not affiliated with any vendor mentioned on this site.
Vendor / Microsoft Sentinel

Microsoft Sentinel pricing in 2026: PAYG, commitment tiers, and real costs

Independent Sentinel pricing reference. Pay-as-you-go and commitment tier rates, free Microsoft 365 data sources, Basic Logs, archive, and data lake pricing, and head-to-head comparisons against Splunk Cloud at every common volume. Rates re-verified against the Azure retail price list, June 2026.

PAYG rate
$4.30/GB
Simplified tier, East US
Best commit tier
$2.05/GB
50,000 GB/day, 52% off PAYG
Basic Logs
$1.00/GB
Plus $0.005/GB search
Archive tier
$0.02/GB/mo
Long-term retention

Commitment tier pricing in full

Microsoft publishes commitment tiers from 100 GB per day up to 50,000 GB per day, plus a promotional 50 GB per day tier in public preview (sign-up window runs to 31 December 2026, with pricing locked until 31 March 2027). The savings compound: every step up reduces the effective per-GB rate. The break-even from PAYG is roughly 38 GB per day for the 50 GB commit and 69 GB per day for the 100 GB commit. All rates East US; workspaces created since July 2023 use the simplified single-meter pricing shown here rather than separate Log Analytics and Sentinel charges.

Commitment tierDaily costEffective rateSaving vs PAYG
Pay-as-you-go-$4.30/GB0%
50 GB/day (promo)$161.25/day$3.23/GB25%
100 GB/day$296/day$2.96/GB31%
200 GB/day$548/day$2.74/GB36%
300 GB/day$800/day$2.67/GB38%
400 GB/day$1,037/day$2.59/GB40%
500 GB/day$1,265/day$2.53/GB41%
1,000 GB/day$2,480/day$2.48/GB42%
5,000 GB/day$11,550/day$2.31/GB46%
50,000 GB/day$102,600/day$2.05/GB52%

The free data sources that change the maths

Sentinel ingests certain Microsoft data sources free, regardless of commitment tier. For Microsoft 365 organisations on E5 licensing, free ingest can account for 30-50 percent of total log volume.

Microsoft 365 audit logs
With E5/A5/G5; otherwise paid
Azure Activity Logs
Free across all subscriptions
Office Activity logs
Free with E5 or G5
Microsoft Defender for Cloud alerts
Free across tiers
Microsoft Defender XDR alerts
Free with Defender XDR
Azure AD sign-in / audit logs
First 10 GB/day free per workspace

Third-party log sources (firewalls, SaaS apps, custom apps) always count towards paid ingest. Custom transform rules at the data collection rule (DCR) layer let you drop unwanted fields before billing.

Sentinel cost scenarios

ScenarioProfileLicenceTotal TCONotes
Startup5 GB/day, PAYG, 90-day retention$7.8K/yr$20K-$33KFree 31-day trial covers initial deployment
Mid-market50 GB/day, 50 GB commit (promo), 365-day retention$59K/yr$200K-$300KPromotional 50 GB tier beats PAYG from ~38 GB/day
Enterprise200 GB/day, 200 GB commit, 365-day retention$200K/yr$640K-$960KCommitment tier locks 36 percent savings
Microsoft-first enterprise500 GB/day inclusive of free M365 logs~$115K/yr effective$390K-$550KFree M365 data drives effective rate well below PAYG
Large enterprise1 TB/day, 1,000 GB commit, 365-day retention$905K/yr$2.4M-$3.2MMicrosoft Copilot for Security adds 15-25 percent

Sentinel cost optimisation

Use Basic Logs for high-volume sources

Network firewall logs, NetFlow, and IIS logs ingest at $1.00 per GB instead of $4.30. Detection rules cannot fire from Basic Logs, so keep primary security telemetry in standard tier.

Apply DCR transformations early

Data Collection Rule transforms strip unused fields before they hit the billing meter. Cutting 20-30 percent of bytes per record is normal.

Right-size your commitment tier

Move up tiers as volume grows. Move down at term renewal if it dropped. Microsoft true-ups quarterly, not catastrophically.

Archive after 90 days

Sentinel archive tier costs $0.02 per GB per month. For 365-day retention with 90-day hot, archive saves 80-90 percent on long-tail storage.

Watch UEBA and Notebooks add-ons

Microsoft Sentinel UEBA and the Notebooks integration pull from the same workspace data and have their own consumption metrics.

Microsoft Copilot for Security

SCU-based pricing. Powerful, but easy to overspend on. Cap SCUs at the workspace level and review monthly.

FAQ

Common questions

Is Microsoft Sentinel free?

Sentinel is not free as a platform but ships with substantial free data sources for organisations on Microsoft licensing. Microsoft 365 audit logs ingest free with E5, A5, or G5 licences. Azure Activity Logs are free everywhere. Defender for Cloud and Defender XDR alerts are free. The first 10 GB per day of Azure AD sign-in and audit logs is free per workspace. For Microsoft-heavy environments, the effective per-GB rate often runs 40-60 percent lower than the headline $4.30 because so much primary data ingests free.

How much does Microsoft Sentinel cost per GB in 2026?

Pay-as-you-go is $4.30 per GB ingested (East US, simplified pricing tier). Commitment tiers reduce that progressively: 100 GB per day costs $2.96 effective per GB (31 percent saving), 500 GB per day reaches $2.53 (41 percent saving), and tiers extend to 50,000 GB per day at $2.05 (52 percent saving). A promotional 50 GB per day tier (public preview, sign up by 31 December 2026) prices at $3.23 effective. PAYG is cheapest below roughly 38 GB per day; above that, the 50 GB then 100 GB tiers pay back. Commitment tiers can be raised any time and lowered after 31 days.

What is Sentinel Basic Logs and when should I use it?

Basic Logs is a cheaper ingest tier ($1.00/GB on the simplified Sentinel meter, East US) for high-volume sources where full-text search is not required. Searches against Basic Logs cost $0.005 per GB scanned. The model fits sources like network firewall logs, NetFlow, and IIS logs where volume is high and the value is mostly in archival or specific-query retrieval. Detection rules and Analytics rules cannot run against Basic Logs, so primary security telemetry stays in the standard tier.

How does Sentinel pricing compare to Splunk?

At 50 GB per day, Sentinel runs roughly $59K-$78K per year on licensing alone (50 GB promotional commit vs PAYG), against Splunk Cloud at approximately $135K for the equivalent. At 200 GB per day with commitment tiers, Sentinel sits around $200K against Splunk Cloud at $400K-plus. Sentinel's free Microsoft data widens the gap further for Microsoft 365 environments. Splunk wins on analyst experience and search depth; Sentinel wins on TCO for most mid-market and enterprise Microsoft-shop deployments.

What is the Microsoft Sentinel data lake tier and what does it cost?

The data lake tier, introduced alongside the Defender portal experience, is a low-cost retention and query layer for high-volume, low-value logs. Data lake ingestion is $0.05 per GB, storage is $0.026 per GB per month (billed on a 6:1 compression ratio, so 600 GB of raw data bills as 100 GB), and KQL queries against the lake cost $0.005 per GB of uncompressed data scanned (all East US rates). Once a workspace is onboarded, data lake meters replace the older archive, search, and auxiliary logs ingestion meters. It is Microsoft's answer to long-retention compliance use cases that previously pushed buyers towards Basic Logs plus archive.

Is Sentinel a true SIEM or just log analytics?

Sentinel is genuinely a SIEM. Built on Log Analytics workspaces, it adds Analytics rules, Workbooks, Hunting queries, Threat Intelligence integration, UEBA, automation playbooks via Logic Apps, and SOAR via Microsoft Sentinel Notebooks. The trade-off versus Splunk Enterprise Security is fewer pre-built risk-based detection content packs (though Microsoft and the community have closed much of the gap by 2026) and a steeper learning curve for KQL versus SPL.
Continue reading

Related cost references

Splunk pricing
Direct cost comparison
QRadar pricing
Per-EPS alternative
Pricing models explained
Per-GB vs alternatives
Cloud vs on-premise SIEM
Sentinel is cloud-only
SIEM cost by org size
When Sentinel wins
SIEM cost calculator
Run your own numbers

Updated 2 May 2026