How to control Microsoft Sentinel costs without cutting corners

Anna Webb

Head of Global Security Operations

Published: 14 July 2025

Learn how to optimise your Microsoft Sentinel deployment and cut security costs through smarter data ingestion, automation, and leveraging built-in savings from Microsoft 365 E5 and Defender licences. 

As Spider-Man’s uncle (twice) said: With great power comes great responsibility.

Microsoft Sentinel gives you serious power. But it definitely needs some responsible management.

It pulls in data from everywhere, flags everything, and before long you could be racking up unwanted ingestion costs.

But responsibility doesn’t mean holding back. With the right approach, you can unlock Sentinel’s full potential and keep costs under control.

That’s exactly what we explored in our Microsoft Sentinel cost saving masterclass, sharing practical ways to fine-tune ingestion, cut wasted spend, and make Sentinel work smarter, not louder.

Here’s what we revealed.

Cost transparency in Microsoft Sentinel is your secret weapon

It’s tempting to ingest every log, but at £2.46 per gigabyte, it’s an easy way to burn through budget fast. Plus, it’s counterproductive. Visibility is crucial, of course, but not all logs deliver equal security value.

Time and again, we see teams pulling in legacy data, noisy streams and low-value events that add nothing. The key is precision, not volume.

And the reality is that Sentinel deployments which apply targeted strategies achieve significant savings and more accurate security analysis.

Three ways to optimise Sentinel data ingestion costs

  • Remove low-value logs: Discontinue ingestion of logs that don’t directly relate to actionable security insights or essential compliance.
  • Optimise Data Collection Rules (DCRs): Use DCRs to filter out redundant fields and low-priority events before ingestion.
  • Monitor ingestion anomalies: Proactively identify unusual data spikes from misconfigurations or new workloads to avoid unexpected costs.

Unlock substantial savings with auxiliary logs and smarter tiering

Costs spiral when data sits unnecessarily in Sentinel’s analytics tier. However, by tiering your data appropriately you can see significant reductions in these costs.

  • Commitment tiers: Using commitment tiers in Log Analytics can reduce analytics-tier ingestion costs by up to 30% compared to pay-as-you-go.
  • Auxiliary logs: Ideal for high-volume, low-value data, auxiliary logs are significantly cheaper than analytics-tier logs, offering substantial storage cost savings.
  • Archive tier and long-term retention: Offloading older logs to the archive tier reduces costs significantly without compromising compliance or visibility.

By carefully allocating logs between analytics, auxiliary, and archive tiers, organisations regularly achieve cost reductions of 30% or more without losing critical visibility.

Of course, this isn’t something to approach with a blunt instrument. Moving data across tiers requires care, planning, and timing. Get it wrong and you risk breaking detection logic, losing investigative fidelity, or creating blind spots in your threat model. Done right, with a clear understanding of your detection dependencies and investigative needs, the savings will follow.

Start by identifying which logs support your key detections and compliance needs. Review them with your SOC team and test any changes in a safe environment before making the switch.

The goal is to keep what’s useful, trim what isn’t, and avoid surprises later.

Free Video

Take more control over your Microsoft Sentinel costs

Watch the Microsoft Sentinel Cost Management Masterclass and discover how to slash waste, boost detection, and take full control of your SIEM spend.

Includes: Real-world cost-saving strategies, tooling insights, and log optimisation techniques from Microsoft and Kocho experts.

Don’t leave money on the table: Microsoft’s hidden cost-saving tools

Are you claiming all the ingestion grants that you’re entitled to within your existing Microsoft licences?

A lot of organisations aren’t. Which means they’re paying more than they need to be.

If you’re on Microsoft 365 E5 or Defender for Servers P2, it’s highly likely you have access to:

E5 data grant

Organisations leveraging Microsoft 365 E5 licences can save thousands monthly through built-in data ingestion allowances. Surprisingly, many remain unaware of this straightforward saving.

Server protection savings

Sentinel customers using Defender for Servers Plan 2 receive free ingestion up to 500 MB per server daily. For mid-sized deployments, these savings can quickly reach meaningful sums.

This is free money. Be a shame to waste it, wouldn’t it?

Microsoft Sentinel cost optimisation is a process, not a project

Here’s what most teams get wrong: they treat Sentinel cost optimisation as a one-off project. Fix it once and move on.

It doesn’t work that way.

Cost control is an operating discipline. A process that needs ongoing attention, regular reviews, and someone who understands both the technology and the business impact.

That’s why managed services like Kocho’s XDR Rapid Protect deliver:

  • Continuous log and data governance
  • Smart ingestion modelling that adapts to your needs
  • Cost monitoring and budget protection that works while you sleep

You really don’t have to figure this out alone. The teams that get Sentinel cost control right usually use the right people, with the right experience to help make the right decisions.

Managed correctly, Sentinel should deliver best-in-class security and cost-efficiency to your SOC

The difference between cost-effective and wasteful Sentinel deployments comes down to intent. The teams getting the best results know exactly what they need to see.

And what they don’t.

They tune for relevance, not volume.

Start with your risks. Keep what gives you real insight. Drop what doesn’t. Review your tiers, refine your rules, and cut the noise without cutting coverage.

If you missed the webinar, Microsoft Sentinel cost saving masterclass, then hit the link below and watch the full video. It’s full of clear, actionable guidance for making Sentinel work harder without spending more.

And if you want to find out how Kocho’s managed security services are helping organisations stay protected without unnecessary costs, speak to our team today.

Microsoft Sentinel cost saving Q&A

  • Turn off noisy or legacy log sources, trim unneeded fields with Data Collection Rules (DCRs) and set an alert for any sudden ingestion spikes. Precision beats volume every time.

  • For most UK clients on standard pay‑as‑you‑go, you can expect to pay around:

    • £2.30 – £2.46/GB for analytics logs
    • £0.50/GB for basic logs

    Commitment tiers can drive those effective costs down significantly to as low as ~£1.48/GB at scale.

    Naturally, pricing changes, so for a clear understanding please refer to the relevant Microsoft page, or contact our team for further advice.

    • Analytics: Full query power, scheduled rules and 90 days’ interactive retention; premium price.
    • Auxiliary: Stripped-down query support, 30 days’ interactive retention; priced for bulk traffic.
    • Archive: Cold storage for long-term compliance, restored only when you need it.
  • Yes. Eligible tenants get up to 5 MB per user, per day of Microsoft 365 security data ingested at zero cost. If you have E5 (or A5/F5/G5) and you’re paying for those logs, you’re leaving money on the table.

  • Yes, you are. Each protected server gets 500 MB of free security log ingestion every day – straight into the workspace. Works out as meaningful savings once you pass a handful of hosts.

  • Commitment tiers start at 100 GB/day and can shave around 30 percent off your per-GB rate. They make sense once you have stable, predictable volumes; stay flexible until then.

  • Monthly cadence as a minimum. Log sources, workloads and attack paths change too fast for annual spring-cleaning. Automate the reports, keep a human in the loop.

  • Absolutely. Build a workbook or Logic App that flags any workspace breaching its daily baseline by, say, 20 percent. Fast alert, fast fix, no invoice shock.

  • Yes – Logic App run-times, Function app executions and restored archive searches all bill separately. Budget for them or they’ll ambush you later.

  • Not if you like predictable bills. Treat cost control as an operating discipline, or outsource it to a managed service that lives and breathes Sentinel.

  • Accurately calculating Sentinel costs starts with understanding what you’ll ingest:

    1. Identify your data sources: Logs vary in cost—analytics logs are charged at the full rate (approx. £2.30/GB), while basic logs are cheaper but limited.
    2. Estimate your volume: Use the Azure Monitor Usage tools or Log Analytics Cost workbook to assess daily ingestion or forecast based on planned sources.
    3. Pick a pricing model: Choose between pay-as-you-go or a capacity commitment tier, which can reduce costs to as low as £1.48/GB.
    4. Include retention and automation: Costs rise with extended data retention and playbook activity, so these need factoring into any forecast.

    While Microsoft provides the tools, accurate forecasting depends on estate size, log types, and security tooling.

    That’s where a managed service helps. Kocho’s managed SecOps team builds precise, risk-aligned Sentinel forecasts based on your actual environment, optimising for cost, performance, and Microsoft licensing benefits to help you forecast with pinpoint accuracy.
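The ingestion-spike check described under "Monitor ingestion anomalies" and in the Q&A answer about breaching a daily baseline by 20 percent can be run as a scheduled query against the workspace's Usage table. This is an added example, not Kocho's or Microsoft's own query; the 14-day baseline window is an assumption, and the per-GB rate is the pay-as-you-go figure quoted in this article.

```kql
// Added example: flag billable tables whose ingestion yesterday ran more than
// 20 percent over their trailing daily average, and price the excess.
// Usage.Quantity is reported in MB.
let baselineDays = 14d;   // assumption: trailing window used as the baseline
let threshold = 1.2;      // 20 percent over baseline, the figure from the Q&A
let paygPerGB = 2.46;     // GBP per GB, analytics rate quoted in this article
let yesterday = startofday(ago(1d));
let daily = Usage
    | where TimeGenerated >= yesterday - baselineDays
        and TimeGenerated < startofday(now())
    | where IsBillable == true
    | summarize IngestedGB = sum(Quantity) / 1000.0
        by DataType, Day = bin(TimeGenerated, 1d);
let baseline = daily
    | where Day < yesterday
    | summarize BaselineGB = avg(IngestedGB) by DataType;
daily
| where Day == yesterday
| join kind=leftouter baseline on DataType
// Keep tables over the threshold, plus tables with no baseline at all
// (a new source or workload that started sending data yesterday).
| where isnull(BaselineGB) or IngestedGB > BaselineGB * threshold
| extend ExcessGB = IngestedGB - coalesce(BaselineGB, 0.0)
| extend OverBaselinePct = round(100.0 * (IngestedGB / BaselineGB - 1), 1),
         ExcessCostGBP = round(ExcessGB * paygPerGB, 2)
| project DataType, Day, IngestedGB, BaselineGB, OverBaselinePct, ExcessCostGBP
| order by ExcessCostGBP desc
```

Tables that appear with an empty BaselineGB are new sources rather than spikes, so check them against your detection and compliance needs before deciding whether they belong in the analytics tier.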

Author

Anna Webb

Head of Global Security Operations

Anna has over 20 years’ experience in operations management, major incident management, and cyber security. CISSP qualified, Anna is officially a Security Changemaker (Microsoft Security Excellence Awards).
