Sentinel Pricing Calculator

Microsoft Sentinel cost estimator for Business Premium & Defender for Business

Required Data Connectors

This calculator assumes the following data connectors are enabled in Microsoft Sentinel:

Microsoft Entra ID
Sign-In Logs, Audit Logs, Service Principal Sign-In Logs, Managed Identity Sign-In Logs, Provisioning Logs, ADFS Sign-In Logs, User Risk Events, Risky Users, Network Access Traffic Logs, Risky Service Principals, Service Principal Risk Events, Enriched Office365 Audit Logs, Remote Network Health Logs
Microsoft Defender for Endpoint
DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents, DeviceFileCertificateInfo
Microsoft 365
Exchange, SharePoint, Teams

E5, A5, F5, G5, and E5/A5/F5/G5 Security licenses include a 5 MB per user per day data grant for Microsoft 365 data ingestion.

Eligible data sources:
Microsoft Entra ID: SigninLogs, AuditLogs
Defender for Cloud Apps: McasShadowItReporting
Microsoft Purview: InformationProtectionLogs
Microsoft 365 Advanced Hunting: DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileCertificateInfo, EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents, CloudAppEvents, IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents, AlertEvidence, UrlClickEvents
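
To check how much of your ingestion the 5 MB per user per day grant would cover, the query below compares daily billable volume in the eligible tables listed above with the grant. It is an added example, not part of the original calculator; it assumes the standard Log Analytics Usage table (Quantity in MB), a 30-day lookback, and a placeholder LicensedUsers value that you replace with your own eligible license count.

```kql
// Added example: daily ingestion in grant-eligible tables vs. the data grant.
// Assumption: LicensedUsers is a hypothetical placeholder, not a value from the page.
let LicensedUsers = 100;
// 5 MB per user per day, as stated on this page
let GrantMBPerDay = LicensedUsers * 5.0;
// Eligible tables, copied from the list on this page
let EligibleTables = dynamic([
    "SigninLogs", "AuditLogs",
    "McasShadowItReporting",
    "InformationProtectionLogs",
    "DeviceEvents", "DeviceFileEvents", "DeviceImageLoadEvents", "DeviceInfo",
    "DeviceLogonEvents", "DeviceNetworkEvents", "DeviceNetworkInfo",
    "DeviceProcessEvents", "DeviceRegistryEvents", "DeviceFileCertificateInfo",
    "EmailEvents", "EmailAttachmentInfo", "EmailUrlInfo", "EmailPostDeliveryEvents",
    "CloudAppEvents", "IdentityLogonEvents", "IdentityQueryEvents",
    "IdentityDirectoryEvents", "AlertEvidence", "UrlClickEvents"
]);
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
// Split each day's billable volume into grant-eligible and other tables
| summarize
    EligibleMB = sumif(Quantity, DataType in (EligibleTables)),
    OtherMB = sumif(Quantity, DataType !in (EligibleTables))
    by Day = bin(TimeGenerated, 1d)
// Volume the grant would absorb, and eligible volume beyond it
| extend
    GrantMB = GrantMBPerDay,
    CoveredMB = min_of(EligibleMB, GrantMBPerDay),
    OverGrantMB = max_of(EligibleMB - GrantMBPerDay, 0.0)
| project
    Day,
    EligibleMB = round(EligibleMB, 1),
    GrantMB,
    CoveredMB = round(CoveredMB, 1),
    OverGrantMB = round(OverGrantMB, 1),
    OtherMB = round(OtherMB, 1)
| order by Day asc
```

Days with OverGrantMB above zero are days on which eligible ingestion exceeded the grant; OtherMB is volume from tables outside the eligible list.
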
Custom Estimates & Pricing

Run this KQL query in Microsoft Sentinel to get your actual daily averages:

// First, find the earliest timestamp across key tables to determine full data range
let EarliestTime = toscalar(
    union 
        (SigninLogs | summarize min(TimeGenerated)),
        (DeviceInfo | summarize min(TimeGenerated)),
        (DeviceEvents | summarize min(TimeGenerated))
    | summarize min(min_TimeGenerated)
);
// Length of the observed data range, in (fractional) days
let DaysOfData = (now() - EarliestTime) / 1d;
// Distinct users seen in sign-in logs over that range
let UserCount = toscalar(
    SigninLogs
    | where TimeGenerated >= EarliestTime
    | distinct UserPrincipalName
    | count
);
// Billable bytes from all non-Device tables, attributed to users
let UserIngested = toscalar(
    union withsource=TableName1 *
    | where TimeGenerated >= EarliestTime
    | where _IsBillable == true
    | where TableName1 !startswith "Device"
    | summarize sum(_BilledSize)
);
// Billable bytes from Device* tables, grouped by device type.
// DeviceType1 is the DeviceType column from the joined (latest) DeviceInfo record.
let DeviceData = union withsource=TableName1 Device*
    | where _IsBillable == true
    | where TimeGenerated >= EarliestTime
    | join kind=inner (
        DeviceInfo
        | summarize arg_max(TimeGenerated, *) by DeviceName
    ) on DeviceName
    | summarize TotalBilledSize = sum(_BilledSize), Count = dcount(DeviceName) by DeviceType1
    | where DeviceType1 in ("Workstation", "Server")
    | project 
        Category = DeviceType1,
        TotalIngestedGB = TotalBilledSize / 1024.0 / 1024.0 / 1024.0,
        Count,
        GBPerUnitTotal = (TotalBilledSize / 1024.0 / 1024.0 / 1024.0) / Count;
// Single-row table for the user category, same shape as DeviceData
let UserData = print 
        Category = "User",
        TotalIngestedGB = UserIngested / 1024.0 / 1024.0 / 1024.0,
        Count = UserCount,
        GBPerUnitTotal = (UserIngested / 1024.0 / 1024.0 / 1024.0) / UserCount;
// Combine both categories and convert totals to a per-unit daily average
DeviceData
| union UserData
| extend 
    DaysOfData = DaysOfData,
    AvgGBPerUnitPerDay = GBPerUnitTotal / DaysOfData
| project 
    DaysOfData = round(DaysOfData, 2),
    Category,
    Count,
    AvgGBPerUnitPerDay = round(AvgGBPerUnitPerDay, 10)

Use the AvgGBPerUnitPerDay values from the results.

Log Generation (GB per day per unit)
Costs (€)