Edit

Share via


Manage and monitor costs for Microsoft Sentinel

After you've started using Microsoft Sentinel resources, use Cost Management features to set budgets and monitor costs. You can also review forecasted costs and identify spending trends to identify areas where you might want to act. With the data lake, you can also view your usage directly in the Microsoft Defender portal.

Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azure bill. Although this article explains how to manage and monitor costs for Microsoft Sentinel, you're billed for all Azure services and resources your Azure subscription uses, including Partner services.

Important

Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license.

Starting in July 2026, all customers using Microsoft Sentinel in the Azure portal will be redirected to the Defender portal and will use Microsoft Sentinel in the Defender portal only. Starting in July 2025, many new customers are automatically onboarded and redirected to the Defender portal.

If you're still using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender. For more information, see It’s Time to Move: Retiring Microsoft Sentinel’s Azure portal for greater security.

Prerequisites

To view cost data and perform cost analysis in Cost Management, you must have a supported Azure account type, with at least read access.

While cost analysis in Cost Management supports most Azure account types, not all are supported. To view the full list of supported account types, see Understand Cost Management data.

For information about assigning access to Microsoft Cost Management data, see Assign access to data.

Manage and monitor costs for the analytics tier

As you use Azure resources with Microsoft Sentinel, you incur costs. Azure resource usage unit costs vary by time intervals such as seconds, minutes, hours, and days, or by unit usage, like bytes and megabytes.

View costs by using cost analysis

As soon as Microsoft Sentinel starts to ingest billable data, it incurs costs. View these costs by using cost analysis in the Azure portal. For more information, see Start using cost analysis.

When you use cost analysis, you view Microsoft Sentinel costs in graphs and tables for different time intervals. Some examples are by day, current and prior month, and year. You also view costs against budgets and forecasted costs. Switching to longer views over time can help you identify spending trends. And you see where overspending might have occurred. If you created budgets, you can also easily see where they're exceeded.

The Microsoft Cost Management + Billing hub provides useful functionality. After you open Cost Management + Billing in the Azure portal, select Cost Management in the left navigation and then select the scope or set of resources to investigate, such as an Azure subscription or resource group.

The Cost Analysis screen shows detailed views of your Azure usage and costs, with the option to apply various controls and filters.

For example, to see charts of your daily costs for a certain time frame:

  1. Select the drop-down caret in the View field and select Accumulated costs or Daily costs.

  2. Select the drop-down caret in the date field and select a date range.

  3. Select the drop-down caret next to Granularity and select Daily.

    The costs shown in the following image are for illustrative purposes only. They're not intended to reflect actual costs.

    Screenshot of a cost management + billing cost analysis screen.

You could also apply further controls. For example, to view only the costs associated with Microsoft Sentinel, select Add filter, select Service name, and then select the service names Sentinel, Log Analytics, and Azure Monitor.

Microsoft Sentinel analytics tier data ingestion volumes appear under Security Insights in some portal Usage Charts.

The Microsoft Sentinel classic pricing tiers don't include Log Analytics charges, so you might see those charges billed separately. Microsoft Sentinel simplified pricing combines the two costs into one set of tiers. To learn more about Microsoft Sentinel's simplified pricing tiers, see Simplified pricing tiers.

For more information on reducing costs, see Create budgets and Reduce costs in Microsoft Sentinel.

Run queries to understand your analytics tier data ingestion

Microsoft Sentinel uses an extensive query language to analyze, interact with, and derive insights from huge volumes of operational data in seconds. Here are some Kusto queries you can use to understand your data ingestion volume.

Run the following query to show data ingestion volume by solution:

Usage
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), Solution
| extend Solution = iff(Solution == "SecurityInsights", "AzureSentinel", Solution)
| render columnchart

Run the following query to show data ingestion volume by data type:

Usage
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType
| render columnchart

Run the following query to show data ingestion volume by both solution and data type:

Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by Solution, DataType
| extend Solution = iff(Solution == "SecurityInsights", "AzureSentinel", Solution)
| sort by Solution asc, DataType asc

See more information on the following items used in the preceding examples, in the Kusto documentation:

For more information on KQL, see Kusto Query Language (KQL) overview.

Other resources:

Deploy a workbook to visualize data ingestion into the analytics tier

The Workspace Usage Report workbook provides your workspace's data consumption, cost, and usage statistics. The workbook gives the workspace's data ingestion status and amount of free and billable data. You can use the workbook logic to monitor data ingestion and costs, and to build custom views and rule-based alerts.

This workbook also provides granular ingestion details. The workbook breaks down the data in your workspace by data table, and provides volumes per table and entry to help you better understand your ingestion patterns.

To enable the Workspace Usage Report workbook:

  1. In the Microsoft Sentinel left navigation, select Threat management > Workbooks.
  2. Enter workspace usage in the Search bar, and then select Workspace Usage Report.
  3. Select View template to use the workbook as is, or select Save to create an editable copy of the workbook. If you save a copy, select View saved workbook.
  4. In the workbook, select the Subscription and Workspace you want to view, and then set the TimeRange to the time frame you want to see. You can set the Show help toggle to Yes to display in-place explanations in the workbook.

Export cost data

You can also export your cost data to a storage account. Exporting cost data is helpful when you need or others to do more data analysis for costs. For example, a finance team can analyze the data using Excel or Power BI. You can export your costs on a daily, weekly, or monthly schedule and set a custom date range. Exporting cost data is the recommended way to retrieve cost datasets.

Create budgets

You can create budgets to track costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks. Alerts are based on spending compared to budget and cost thresholds. Budgets and alerts are created for Azure subscriptions and resource groups, so they're useful as part of an overall cost monitoring strategy.

You can create budgets with filters for specific resources or services in Azure if you want finer granularity in your monitoring. Filters help ensure that you don't accidentally create new resources that cost you more money. For more information about the filter options available when you create a budget, see Group and filter options.

Use a playbook for cost management alerts

To help you control your Analytics tier budget, you can create a cost management playbook. The playbook sends you an alert if your Microsoft Sentinel workspace exceeds a budget, which you define, within a given timeframe.

The Microsoft Sentinel GitHub community provides the Send-IngestionCostAlert cost management playbook on GitHub. This playbook is activated by a recurrence trigger, and gives you a high level of flexibility. You can control execution frequency, ingestion volume, and the message to trigger, based on your requirements.

Manage and monitor costs for the data lake tier

Once onboarded, usage of data lake tier capabilities is billed using new Microsoft Sentinel data lake meters. For more information on the new meters, see Data lake tier.

Microsoft Sentinel cost management in the Microsoft Defender portal

The new cost management experience, currently in preview and under Microsoft Sentinel > Cost management in the Microsoft Defender portal, helps you manage and monitor costs associated with your use of the data lake tier.

Important

You must have both the Billing Administrator and Security Administrator roles to access the Sentinel cost management pages.

Usage

The Usage page provides you with entry points to relevant cost tracking capabilities and a direct link to usage reports and settings, so you can navigate to the cost management action most relevant to you.

  • Usage reports - Visualizes your usage by capability over time. It can be found under Currently billed capabilities.
  • Cost management - Leads you to the Cost Management + Billing blade in the Azure portal to help track costs and create budgets. For more information on how to use Cost Management + Billing in the Azure portal, see Start using cost analysis.
  • Cost forecast - Leads you to a forecast report in the Cost Management + Billing blade in the Azure portal. For more information on how to use the forecast functionality, see View forecast costs.
  • Microsoft Sentinel settings - Opens the Microsoft Sentinel settings to show your relevant billing information, such as subscription and resource group selected for the data lake.

Screenshot of the Usage page in the Microsoft Sentienl cost management experience in the Microsoft Defender portal.

When you select one of the capabilities under Usage reports, you can view any of the following reports:

  • Cost driver report - Displays the top 10 cost drivers for the capability and a detailed list breaking down usage by cost drivers. This report is available for data lake ingestion, data lake storage, and data processing. The only usage captured for these reports is billable usage.

    Screenshot of the cost driver report for data lake ingestion.

  • General trend report - Displays a trend line of your billable usage for that capability. This report is currently available for data lake query and advanced data insights, and will be made available for the other capabilities over time.

    Screenshot of the general trend report for advanced data insights.

You can use a filter to adjust the default single month time window. A card shows your total usage for the filtered time. If enough historical data is available, the trend change compared to the previous period is displayed.

Notification

The Notification page lets you configure notification thresholds for each capability so you can receive email notifications when your usage reaches that threshold. Setting these thresholds helps you keep track of your usage and prevent unexpected charges. Currently, the email notifications go to the billing administrator that configured them.

To configure a notification threshold policy on a capability:

  1. Select Configuration beside the capability.

    Screenshot of the Notification page in cost management in the Microsoft Defender portal with the Configuration button highlighted.

  2. On the Create new policy side panel that appears, enter a value for your total threshold.

    Screenshot of the Create new policy side panel with the threshold text box highlighted.

  3. Enter an Alert percentage value to set the alert threshold for the total value you set previously then select Next.

    Screenshot of the Create new policy side panel with the alert threshold option highlighted.

  4. Review your settings then select Submit.

    Screenshot of the Create new policy side panel showing the Review and Submit page.

Using Azure Prepayment with Microsoft Sentinel

You can pay for Microsoft Sentinel charges with your Azure Prepayment credit. You can't use Azure Prepayment credit to pay non-Microsoft organizations for their products and services, or for products from Azure Marketplace.

Next steps