Skip to content
Skip to main content
Microsoft Industry Blogs - United Kingdom

As there are lots of question on this topic, I’m hoping this post will help.  Also see my other post if you DO have Log Analytics

What to do if you don’t have Log Analytics already in use in your company today, but want to price Azure Sentinel:

Here I discuss three Options:

 

  1. An Estimate, using typical data volumes

  2. Do you have SIEM today?

  3. Run a small POC / Sizing exercise

 

Option 3 is my preferred method if you have the time

 

Option 1 – Estimate

 

Step 1: A typical Azure Virtual Machine ingest 1-3GB of logs a Month (see screen shot of Azure Monitor) below.   Now we can debate typical for a long time, so please see this as a starting point !

Avg GB per month for Azure Moniitor

 

That is a good starting point for devices (on-premises) or in the cloud.  You now need to work out how many servers/desktops you have and calculate how much data that’s likely to be per day (in Gigabytes)

E.g. 100 Servers all sending 1GB a month = 100GB total / 31days = 3.22GB per day.  Sentinel requires a whole number so I’d advise you top round this figure up (your decision), in this case 4GB a day.

Please put this into your spreadsheet of choice.  In Excel it looks like this.

Where

  1. Column 3 is a calculated value of  Column 1 {Estimated GB} * Column 2 [Device Count],
  2. Where column 5 is a calculated value of = Column 3 [GB per Month / Column 4 [Days in Month]

 

Estimated GB Device Count GB per Month   Days in Month GB per Day
1 100 100 31 3.226
2 100 200 31 6.452
3 100 300 31 9.677
4 100 400 31 12.903
5 100 500 31 16.129
6 100 600 31 19.355
7 100 700 31 22.581
8 100 800 31 25.806
9 100 900 31 29.032
10 100 1000 31 32.258

 

Now we have some data to feed into the Azure Pricing Calculator

Tip:
You can name sections of the calculator, in the following diagram I’ve called mine “Azure Sentinel 1GB per day option“. This is good for ‘what if’ scenarios, as you can take today’s per GB value, and try out others, such as what happens if my ingestion to 2GB a day using the table above.  Just simply clone the entry and re-name

Azure Sentinel 1GB per day option” to “Azure Sentinel 2GB per day option” etc…

 

Step 2: Open the Azure Pricing Calculator https://azure.microsoft.com/en-gb/pricing/calculator/ and also read the Pricing Guide: https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/

  • Login to the calculator if you can, so you can save and share the estimate.  (Optional)
  • Find the [Security] tab on the left hand-side, Select [Security], then [Azure Sentinel]
  • Select your currency (I’ve selected £ in the diagram) – scroll right to the bottom of the page to do this!
  • Answer the 3 questions, you see (marked with red boxes) in the screenshot:
  • use the [CLONE] button if you want some ‘what if’ models, remember to re-name the sections!

 

Azure Cost Calculator example.

Azure Pricing Calculator

 

Notes:

  1. The calculator for Azure Sentinel is for both Log Analytics (ingestion of Billable data, my query doesn’t count the free data types) and the Azure Sentinel analytics of that data – both are measured in Gigabytes (GB) per day.  The calculator will automatically move from PAYG (pay as you go) to Capacity Reservation when the number you enter reaches the right threshold.  Billing will start on Nov 1st 2019.
  2. This is your estimated new monthly price for Log Analytics ingestion and for Sentinel to analyse your data – including 3 months retention. + any additional retention you add
  3. If you plan to use Azure Logic Apps (playbooks) – please add an Item for those.
  4. If you have what-if models and you save them to our Excel via the [EXPORT] button. then the yearly total will be wrong!

 

Option 2 – Do you have a SIEM today?

Maybe you can get some data from that, there are so many variants (Events per Second etc) and tools, so you are going to have to do some work on this one. Sorry!  Do you have some idea that we can use here, if so please leave a comment?

 

Option 3. Run a small POC / Sizing exercise.

Log Analytics allows for 5GB of free ingestion per customer.  You can set a daily cap as well (note that excludes Security Data)

See this article on Daily Cap and Log Analytics: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-cost-storage 

See the blog by Tiander on how to run a POC: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Best-practices-for-designing-an-Azure-Sentinel-or-Azure-Security/ba-p/832574 

Please keep monitoring this environment as you add devices and services, esp. Securirty Data

Ideally you’ll add Servers or Services that are typical (?) maybe you have a Development or Performance/Load testing environment you can use?  You can probably get some reasonable data within 7 days.

 

 

 

All prices shown are in British Pound (£). This is a summary estimate, not a quote. For up to date pricing information please visit https://azure.microsoft.com/pricing/calculator/