Sentinel Pricing Calculator

Microsoft Sentinel cost estimator for M365 Business Premium & Defender for Business

Required Data Connectors

This calculator assumes the following data connectors are enabled in Microsoft Sentinel:

Microsoft Entra ID
Sign-In Logs, Audit Logs, Service Principal Sign-In Logs, Managed Identity Sign-In Logs, Provisioning Logs, ADFS Sign-In Logs, User Risk Events, Risky Users, Network Access Traffic Logs, Risky Service Principals, Service Principal Risk Events, Enriched Office365 Audit Logs, Remote Network Health Logs
Microsoft Defender for Endpoint
DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents, DeviceFileCertificateInfo
Microsoft 365
Exchange, SharePoint, Teams
Custom Estimates & Pricing

Run this KQL query in Microsoft Sentinel to get your actual daily averages:

// Purpose: estimate the average billable ingestion, in GB per unit per day, for
// three categories: "Workstation" and "Server" (from the Device* tables) and
// "User" (from every other billable table).
// NOTE(review): the result only covers data visible to the query. If the query
// scope is narrowed (for example by a time-range restriction applied outside
// this text), EarliestTime and all totals reflect only that window - verify.
//
// Step 1: find the earliest timestamp across three key tables; it is used as
// the start of the measurement period for every category.
let EarliestTime = toscalar(
    union 
        (SigninLogs | summarize min(TimeGenerated)),
        (DeviceInfo | summarize min(TimeGenerated)),
        (DeviceEvents | summarize min(TimeGenerated))
    | summarize min(min_TimeGenerated)
);
// Length of the measurement period in (fractional) days, from EarliestTime to now.
// The same divisor is applied to every category below, so a table that started
// receiving data later than EarliestTime is averaged over the longer period.
let DaysOfData = (now() - EarliestTime) / 1d;
// Step 2: number of users = distinct UserPrincipalName values in SigninLogs.
// No filter other than the time bound is applied, and `distinct` compares
// strings case-sensitively.
// NOTE(review): if SigninLogs holds sign-in attempts for identities that are not
// real licensed users (or the same UPN in different casing), Count is inflated
// and the per-user average is understated - confirm against the tenant.
let UserCount = toscalar(
    SigninLogs
    | where TimeGenerated >= EarliestTime
    | distinct UserPrincipalName
    | count
);
// Step 3: total billed bytes attributed to users = the sum of _BilledSize over
// all billable records in every table whose name does not start with "Device".
// `union *` reads every table in scope, so this is the most expensive part of
// the query. It also counts tables that are not on the page's connector list.
let UserIngested = toscalar(
    union withsource=TableName1 *
    | where TimeGenerated >= EarliestTime
    | where _IsBillable == true
    | where TableName1 !startswith "Device"
    | summarize sum(_BilledSize)
);
// Step 4: billed bytes per device type. Each billable record from the Device*
// tables is matched to the most recent DeviceInfo record for its DeviceName.
// kind=inner drops records whose DeviceName has no DeviceInfo entry.
// DeviceType1 is presumably the DeviceType column from the right-hand side,
// which join renames with a "1" suffix when the left side has a column of the
// same name - verify if the Device* schema changes.
let DeviceData = union withsource=TableName1 Device*
    | where _IsBillable == true
    | where TimeGenerated >= EarliestTime
    | join kind=inner (
        DeviceInfo
        | summarize arg_max(TimeGenerated, *) by DeviceName
    ) on DeviceName
    | summarize TotalBilledSize = sum(_BilledSize), Count = dcount(DeviceName) by DeviceType1
    // Only these two device types are reported; data billed for any other
    // device type is left out of the result.
    | where DeviceType1 in ("Workstation", "Server")
    // Dividing by 1024 three times converts the billed size from bytes to GB.
    | project 
        Category = DeviceType1,
        TotalIngestedGB = TotalBilledSize / 1024.0 / 1024.0 / 1024.0,
        Count,
        GBPerUnitTotal = (TotalBilledSize / 1024.0 / 1024.0 / 1024.0) / Count;
// Step 5: build a one-row "User" table with the same columns as DeviceData.
// NOTE(review): there is no guard for UserCount being 0 (empty SigninLogs).
let UserData = print 
        Category = "User",
        TotalIngestedGB = UserIngested / 1024.0 / 1024.0 / 1024.0,
        Count = UserCount,
        GBPerUnitTotal = (UserIngested / 1024.0 / 1024.0 / 1024.0) / UserCount;
// Step 6: combine the categories and turn the per-unit totals into daily averages.
DeviceData
| union UserData
| extend 
    DaysOfData = DaysOfData,
    AvgGBPerUnitPerDay = GBPerUnitTotal / DaysOfData
// Final output: one row per category. TotalIngestedGB and GBPerUnitTotal are
// intermediate values and are not returned.
| project 
    DaysOfData = round(DaysOfData, 2),
    Category,
    Count,
    AvgGBPerUnitPerDay = round(AvgGBPerUnitPerDay, 10)

Use the AvgGBPerUnitPerDay values from the results.

Log Generation (GB per day per unit)
Costs (€)