Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) platform built on Azure. Unlike Microsoft Defender XDR — which is included in Microsoft 365 E5 — Sentinel is a separately priced, consumption-based Azure service.
Understanding Sentinel pricing is essential before deployment — costs can vary significantly based on data volume, retention requirements, and which Microsoft 365 plan you already have. This guide covers exactly how Sentinel is priced in India and how to estimate your spend.
How Microsoft Sentinel Pricing Works
Sentinel charges are based on data ingested — the volume of log data collected from your connected sources (endpoints, firewalls, identity systems, cloud services, etc.). This is the model used by most cloud-native SIEMs (Splunk Cloud, Elastic SIEM) and differs from user-count or device-count models.
Two Pricing Models
1. Pay-As-You-Go (PAYG): Pay per GB ingested, billed monthly, with no commitment. Suitable for:
- Initial pilots and proof-of-concept deployments
- Environments with highly variable log volumes
- Small-scale deployments under 5 GB/day
2. Commitment Tiers: Commit to a daily data volume in exchange for a lower per-GB rate. Available at 100 GB/day, 200 GB/day, 500 GB/day, 1 TB/day, 2 TB/day, etc. For production deployments, commitment tiers provide predictable costs and significant discounts over PAYG.
Note: Microsoft regularly adjusts Sentinel pricing. Contact Cloudfy for current INR pricing applicable to Indian Azure subscriptions under the Microsoft Cloud Agreements available in India.
The Microsoft 365 E5 Benefit — Critical for Indian Enterprises
This is the most important pricing factor for organisations already on Microsoft 365 E5:
Microsoft 365 E5 subscribers receive a free Sentinel data ingestion benefit — a daily data allowance covering logs from specific Microsoft 365 and Defender products:
- Defender for Endpoint logs
- Defender for Office 365 logs
- Defender for Identity logs
- Defender for Cloud Apps logs
- Azure Active Directory / Entra ID sign-in and audit logs
- Microsoft 365 audit logs
For an organisation on M365 E5 that exclusively uses Microsoft security products, a significant portion of their Sentinel data comes from this free benefit — effectively meaning Sentinel costs are primarily driven by non-Microsoft log sources (firewalls, third-party applications, on-premise infrastructure).
What this means in practice: An Indian enterprise on M365 E5 deploying Sentinel primarily for Microsoft security correlation may find the effective incremental Sentinel cost very low — primarily the Azure workspace and any non-Microsoft log ingestion.
What Contributes to Sentinel Data Volume
Understanding which log sources generate the most data is essential for cost estimation:
High Volume Sources (plan carefully)
- Windows Security Event Logs (endpoint): Can generate 1–5 GB/day per 100 endpoints depending on audit policy configuration. Using the recommended "Common" event set rather than "All Events" significantly reduces volume.
- Network firewall logs (Fortinet, Palo Alto, Check Point): High-volume sources — firewall session logs, URL filtering, and IPS events can generate 10–50+ GB/day for medium-large organisations.
- Web Application Firewall (WAF) logs: High volume for e-commerce and BFSI organisations with significant web traffic.
- Linux syslog: Verbose by default — requires filtering to avoid ingesting noise.
Medium Volume Sources
- Azure Activity Logs (if you run Azure workloads): Moderate volume, high security value.
- Azure AD / Entra ID sign-in logs: Covered by M365 E5 benefit.
- Microsoft 365 Management Activity API: Covered by M365 E5 benefit.
Low Volume Sources (high security value)
- DNS query logs: Typically low volume, high threat hunting value.
- DHCP logs: Low volume.
- VPN authentication logs: Low volume.
Estimating Your Sentinel Cost
A rough framework for Indian enterprise Sentinel cost estimation:
Step 1: Count your endpoints (Windows workstations + servers). Using the "Common" security event set: estimate ~200–400 MB/endpoint/day. 100 endpoints × 300 MB = ~30 GB/day from endpoints alone.
Step 2: If you have M365 E5, subtract the free Microsoft product benefit. For 100 endpoints on E5: Defender for Endpoint logs covered by free benefit — this portion costs nothing.
Step 3: Add non-Microsoft sources. Fortinet FortiGate logs for a 200-user organisation: ~2–8 GB/day depending on logging verbosity. Other application logs: typically 1–5 GB/day.
Step 4: Match to commitment tier. If total billable volume is ~10–15 GB/day, a 100 GB/day commitment tier provides headroom with significant discount vs PAYG.
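The four steps above, written out as a small calculator. This is an added example, not a tool from the article or from Cloudfy: the per-endpoint rate is the midpoint of the article's 200–400 MB range, the E5 treatment follows Step 2 (Microsoft-product endpoint logs counted as fully covered), the "under 5 GB/day stays on PAYG" rule comes from the PAYG section, and the tier choice (smallest listed tier at or above billable volume) is an assumption; none of these figures are Microsoft list prices.

```python
# Added example (not from the original article): walks the article's
# four-step framework. All rates are planning assumptions, not price lists.
from dataclasses import dataclass

# Step 1: "Common" Windows security event set, article range 200-400 MB/endpoint/day.
MB_PER_ENDPOINT_PER_DAY = 300  # assumption: midpoint of the article's range

# Step 4: commitment tiers named in the article, in GB/day (1 TB taken as 1000 GB).
COMMITMENT_TIERS_GB = [100, 200, 500, 1000, 2000]

# PAYG section: small deployments under this volume stay on pay-as-you-go.
PAYG_CEILING_GB = 5


@dataclass
class Estimate:
    endpoint_gb: float          # Step 1 result
    microsoft_benefit_gb: float  # Step 2: volume removed by the E5 benefit
    non_microsoft_gb: float     # Step 3: firewalls, apps, on-prem sources
    billable_gb: float          # what you would actually pay for
    tier: str                   # Step 4 recommendation


def choose_tier(billable_gb: float) -> str:
    """Step 4: PAYG below the ceiling, else the smallest tier with headroom."""
    if billable_gb < PAYG_CEILING_GB:
        return "PAYG"
    for tier in COMMITMENT_TIERS_GB:
        if billable_gb <= tier:
            return f"{tier} GB/day commitment"
    return "above listed tiers (contact partner for sizing)"


def estimate_daily_volume(endpoints: int, has_e5: bool,
                          non_microsoft_sources_gb: dict[str, float]) -> Estimate:
    """Apply Steps 1-4 to a count of endpoints and a dict of non-Microsoft sources."""
    # Step 1: endpoint volume in GB/day (1 GB = 1024 MB).
    endpoint_gb = endpoints * MB_PER_ENDPOINT_PER_DAY / 1024
    # Step 2: the article treats Microsoft-product endpoint logs on E5 as covered.
    benefit_gb = endpoint_gb if has_e5 else 0.0
    # Step 3: everything non-Microsoft is billable regardless of licence.
    non_ms_gb = sum(non_microsoft_sources_gb.values())
    billable_gb = endpoint_gb - benefit_gb + non_ms_gb
    return Estimate(endpoint_gb, benefit_gb, non_ms_gb, billable_gb,
                    choose_tier(billable_gb))


if __name__ == "__main__":
    # Constructed inputs in the spirit of the article's 100-endpoint walkthrough.
    sources = {"FortiGate sessions/IPS (filtered)": 5.0, "application logs": 3.0}
    for label, e5 in (("M365 E5", True), ("M365 E3 (no benefit)", False)):
        est = estimate_daily_volume(100, e5, sources)
        print(f"{label}: endpoints {est.endpoint_gb:.1f} GB/day, "
              f"benefit -{est.microsoft_benefit_gb:.1f}, non-Microsoft "
              f"+{est.non_microsoft_gb:.1f}, billable {est.billable_gb:.1f} "
              f"GB/day -> {est.tier}")
```

Running it for the same 100 endpoints with and without E5 makes the article's point visible: with the benefit the billable volume is only the non-Microsoft sources, so the tier decision is driven almost entirely by firewall and application logs.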
For a formal Sentinel cost estimate for your specific environment, Cloudfy performs a log volume analysis before recommending commitment tier sizing.
Data Retention Pricing
Beyond ingestion, Sentinel also charges for data retention:
Hot tier (0–90 days): Included in ingestion pricing — all ingested data is queryable at no additional storage charge for the first 90 days.
Cold tier (90 days–7 years): Additional storage charges apply after 90 days. The per-GB cost for archive storage is much lower than ingestion. For compliance requirements mandating 1–2 year log retention (RBI IT Framework, SEBI), budget for cold tier storage.
Note: Microsoft 365 Defender XDR (security.microsoft.com) retains endpoint telemetry for 30 days by default; with Sentinel, this extends to 90 days hot + archive.
Sentinel vs Microsoft Defender XDR — When Do You Need Both?
This is the most common question from Indian IT teams activating security on M365 E5.
Defender XDR is sufficient when:
- Your entire security monitoring footprint is Microsoft products
- You have fewer than 500 users and no complex compliance requirements
- You do not have non-Microsoft infrastructure to correlate (no Fortinet firewall, no AWS, no on-premise Linux servers)
- You do not require custom detection rules beyond Microsoft's built-in analytics
Add Sentinel when:
- You have non-Microsoft infrastructure generating security logs you want to correlate (FortiGate, Check Point, Cisco, Palo Alto firewalls)
- You have cloud infrastructure beyond Azure (AWS CloudTrail, GCP logs)
- You require log retention beyond 30 days for audit/compliance (RBI, SEBI, ISO 27001)
- You need custom SOAR playbooks (Azure Logic Apps automation triggered by security incidents)
- You have a security team doing active threat hunting requiring longer data history
- You want unified security operations across Microsoft and non-Microsoft environments
Sentinel vs Splunk Enterprise Security — India Cost Comparison
| Dimension | Microsoft Sentinel | Splunk Enterprise Security |
|---|---|---|
| Pricing model | Per GB ingested | Per GB indexed (typically higher rate) |
| M365 E5 data benefit | Yes — Defender/M365 logs free | No |
| Deployment | Cloud-only (Azure) | Cloud or on-premise |
| Query language | KQL (Kusto) | SPL (Splunk Processing Language) |
| Connector ecosystem | 300+ built-in connectors | Extensive (Splunkbase marketplace) |
| Microsoft ecosystem integration | Native | Via add-ons |
| India cost (100 GB/day) | Lower — especially with M365 benefit | Higher — no equivalent Microsoft discount |
| Learning curve | Moderate (KQL) | Steeper (SPL for custom work) |
| Best for | Microsoft-first cloud environments | Mature SOC, complex on-prem environments |
For Indian enterprises on Microsoft Azure and M365, Sentinel is typically more cost-effective than Splunk at equivalent data volumes — particularly with the M365 E5 benefit removing a significant portion of ingestion costs.
Common Indian Deployment Scenarios
Scenario 1 — NBFC on M365 E5 + Fortinet firewall (500 users)
Log sources: Defender for Endpoint (covered by E5 benefit), Defender for Identity, Fortinet FortiGate sessions/IPS, Azure AD (covered by E5 benefit).
Estimated billable volume: ~5–15 GB/day (primarily Fortinet, filtered).
Estimated Sentinel cost: Low — PAYG or 100 GB/day commitment tier with significant headroom.
Primary value: Correlating FortiGate network events with Defender endpoint alerts into unified incidents. 12-month log retention for RBI audit.
Scenario 2 — Manufacturing company on M365 E3 + on-premise AD + Sophos firewall (300 users)
Log sources: Windows Security Events (Common set), Active Directory (on-prem, via Azure Monitor Agent), Sophos firewall, Azure AD (limited — no E5 benefit).
Estimated billable volume: ~8–20 GB/day.
Estimated Sentinel cost: Moderate — 100 GB/day tier recommended for predictability.
Primary value: On-prem AD attack detection (Pass-the-Hash, DCSync, lateral movement) that is absent without Defender for Identity. ISO 27001 log retention requirement.
Frequently Asked Questions
Can Sentinel ingest logs from non-Microsoft firewalls like Check Point or Palo Alto? Yes. Sentinel has built-in data connectors for Check Point, Palo Alto, Fortinet, Cisco, SonicWall, and other major firewall vendors. Logs are ingested via Syslog (CEF format) or direct API connectors depending on the vendor.
Is there a free tier for Sentinel? Microsoft offers a free 31-day trial for new Sentinel workspaces. There is no permanent free tier — production deployment requires an Azure subscription with ingestion charges.
What Azure region should Indian organisations use for Sentinel? Microsoft Azure has data centers in India (Central India — Pune, South India — Chennai). For data residency compliance, Indian organisations should deploy their Log Analytics workspace (which underpins Sentinel) in the India region.
How do you control Sentinel costs? Primary cost controls: (1) use the "Common" security event set rather than "All Events" for Windows endpoints, (2) filter verbose network device logs to security-relevant events before ingestion, (3) use Basic logs tier for verbose low-value logs (available at lower cost), (4) regularly review ingestion volume in the Sentinel cost dashboard.
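A worked version of control (4), added here and not part of the original article or of Cloudfy's tooling. In a live workspace this review is a KQL aggregation over the Log Analytics `Usage` table, whose `Quantity` column is in MB; the script below performs the same aggregation offline on constructed rows shaped like that table, reports average billable GB/day per data type, flags the types that dominate the bill, and maps each to the article's own controls (1) to (3). The table names, the 25% share threshold and the control mapping are assumptions.

```python
# Added example (not from the original article): reviews ingestion volume the
# way control (4) describes, over constructed rows shaped like the Usage table.
from collections import defaultdict

# Constructed sample: (day, DataType, Quantity in MB, IsBillable).
# SigninLogs is marked non-billable to stand in for the M365 E5 benefit.
SAMPLE_USAGE = [
    ("2024-01-01", "SecurityEvent", 14_000, True),
    ("2024-01-01", "CommonSecurityLog", 6_000, True),   # CEF firewall logs
    ("2024-01-01", "Syslog", 3_500, True),
    ("2024-01-01", "SigninLogs", 400, False),
    ("2024-01-02", "SecurityEvent", 15_000, True),
    ("2024-01-02", "CommonSecurityLog", 5_000, True),
    ("2024-01-02", "Syslog", 4_500, True),
    ("2024-01-02", "SigninLogs", 450, False),
]

# Assumed mapping from data type to the article's cost controls (1)-(3).
SUGGESTED_CONTROL = {
    "SecurityEvent": "(1) use the Common event set instead of All Events",
    "CommonSecurityLog": "(2) filter firewall logs to security-relevant events",
    "Syslog": "(3) consider Basic logs tier for verbose low-value syslog",
}


def billable_gb_per_day(rows):
    """Average billable GB/day per DataType across the days present in rows."""
    per_type_mb = defaultdict(float)
    days = set()
    for day, data_type, quantity_mb, is_billable in rows:
        days.add(day)
        if is_billable:               # benefit-covered data never reaches the bill
            per_type_mb[data_type] += quantity_mb
    n_days = max(len(days), 1)
    return {t: mb / 1024 / n_days for t, mb in per_type_mb.items()}


def top_contributors(per_day, share_threshold=0.25):
    """Data types whose share of billable volume is at or above the threshold."""
    total = sum(per_day.values())
    if total == 0:
        return []
    ranked = sorted(per_day.items(), key=lambda kv: kv[1], reverse=True)
    return [(t, gb, gb / total) for t, gb in ranked if gb / total >= share_threshold]


def review(rows):
    """Return (total_gb_per_day, [(data_type, gb, share, suggested control)])."""
    per_day = billable_gb_per_day(rows)
    findings = [(t, gb, share, SUGGESTED_CONTROL.get(t, "review source-side filtering"))
                for t, gb, share in top_contributors(per_day)]
    return sum(per_day.values()), findings


if __name__ == "__main__":
    total, findings = review(SAMPLE_USAGE)
    print(f"Billable volume: {total:.1f} GB/day")
    for t, gb, share, control in findings:
        print(f"  {t}: {gb:.1f} GB/day ({share:.0%}) -> {control}")
```

The useful output is not the total but the ranking: once a single data type carries more than a quarter of the bill, the matching control above is where the next savings come from, and re-running the review after the change confirms whether it worked.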
Ready to evaluate Microsoft Sentinel for your organisation? Contact Cloudfy Systems — authorised Microsoft partner — for a Sentinel sizing assessment and formal INR cost estimate.
