
Microsoft Sentinel: The Cloud SIEM that Costs a Fortune if You Don't Control Ingestion

SIEM Cloud Sentinel: 80% of companies are paying for noise. How to filter your logs, reduce your monthly costs from €66,000 to €662 without compromising detection, and choose the right tier.

Microsoft Sentinel is Microsoft's cloud-native SIEM (Security Information and Event Management), merged with SOAR (Security Orchestration, Automation and Response) and UEBA (User and Entity Behavior Analytics) capabilities. Launched in 2019 as Azure Sentinel, repositioned in 2024 within the Microsoft Defender portal, Sentinel collects, analyzes and correlates cloud-scale security logs to detect threats, intrusions and anomalous behavior.

The sales pitch: "Unlimited SIEM, cloud scalability, built-in AI, simple per-GB pricing." The reality on the ground: unpredictable monthly bills that double in three months if ingestion isn’t managed, a steep KQL (Kusto Query Language) learning curve, and a pricing trap where verbose network logs can cost tens of thousands of euros per month even though their detection value is virtually zero.

Between Splunk at 500k€/year (rigid licensing, heavy installation) and Sentinel sold as "flexible and economical", the choice seems obvious. But what Microsoft doesn't say: Sentinel becomes more expensive than Splunk beyond 500 GB/day of poorly optimized ingestion. This article exposes the true cost of Sentinel, compares it objectively with Splunk/QRadar, explains how to avoid the €50k/month bill, and above all calculates whether your organization really needs a SIEM or whether a centralized EDR + logs is enough (spoiler: 60% of SMBs don't need a SIEM).

What is Microsoft Sentinel and how does it really work?

Architecture and positioning

Sentinel is not software to be installed, but an Azure SaaS service based on three components:

Azure Monitor Log Analytics Workspace: the storage backend. Every log ingested into Sentinel transits through and is indexed in Log Analytics. Herein lies the pricing confusion: you pay for Log Analytics + Sentinel as combined tiers (simplified since 2023), but there are additional costs on top (retention, archiving, restoration).

Correlation and analytics engine: detection rules written in KQL (Kusto Query Language, Microsoft’s SQL-like query language). Sentinel ships with over 300 pre-configured rules (MITRE ATT&CK techniques, abnormal behavior, indicators of compromise) plus the ability to create custom rules. Integrated machine learning detects anomalies (sign-ins from an unusual location, a spike in user activity at 3 a.m.).

SOAR and automation: playbooks based on Azure Logic Apps. When an alert is triggered (e.g., an RDP brute-force attempt), a playbook can automatically block the IP address in the firewall, create a ServiceNow ticket, and send a Teams notification to the SOC. Cost savings: up to 70% of Level 1 responses automated.

Defender XDR integration: since 2024, Sentinel runs within the Microsoft Defender portal, integrated with Defender for Endpoint, Defender for Cloud, and Defender for Identity. Unified view: endpoints, identity, cloud, and on-premises in a single pane of glass.

Data tiers: Analytics vs. Data Lake

Analytics tier: high-value logs (authentications, EDR alerts, threat intelligence). Real-time analysis, correlation, and detection. Free 90-day retention. Billing based on ingestion (Pay-As-You-Go) or via a commitment tier starting at 100 GB/day. The price per GB varies significantly by region: check the Azure calculator for West Europe.

Data Lake tier: long-term storage for large, low-value logs (verbose firewall, web proxy, network flow), significantly cheaper than the Analytics tier (around $0.19/GB at ingestion). Billed for ingestion + processing + retention (this is not free). Uses: forensic analysis, compliance, occasional queries. No real-time detection.

Optimal approach: ingest Windows Security Events, Microsoft Entra ID logs, and EDR alerts into the analytics tier; route verbose firewall logs (e.g., 50 GB/day) to the data lake. At these volumes, the price difference per GB between the two tiers drastically reduces the cost without any loss of detection capability (network logs almost never trigger real-time alerts).

Connectors and data sources

Native Microsoft connectors (free to ingest):

  • Azure Activity Logs (Azure resource auditing)
  • Microsoft 365 Audit Logs (Exchange, SharePoint, Teams)
  • Microsoft Defender for Endpoint
  • Microsoft Entra ID Identity Protection (formerly Azure AD)
  • Office 365 Advanced Threat Protection

With an M365 E5/A5/G5 license: 5 MB per user per day data allowance. An organization with 1,000 users = 5 GB per day free for Microsoft 365 logs.

With Defender for Servers P2: 500 MB per VM per day free for server logs.

Third-party connectors (chargeable):

  • Firewalls (Palo Alto, Fortinet, Check Point) via Syslog/CEF
  • Proxies (Zscaler, Cisco Umbrella)
  • Third-party EDR (CrowdStrike, SentinelOne) via API
  • Cloud providers (AWS CloudTrail, GCP Audit)
  • Legacy SIEM (Splunk, QRadar) for gradual migration

Connector pitfalls: some sources send extremely verbose logs. An unfiltered Palo Alto firewall = 200 GB/day, most of it allowed-traffic logs with no detection value. Filtering at the collector level (deny logs only) cuts that from 200 GB to 5 GB/day.

KQL: the language that makes or breaks your experience

Kusto Query Language = an SQL-like language for querying logs. Example: failed Windows logons grouped by account and host over the last 24 hours:

```kusto
SecurityEvent
| where TimeGenerated > ago(24h)            // last 24 hours only
| where EventID == 4625                      // Windows failed logon
| summarize FailedAttempts = count() by Account, Computer
| where FailedAttempts > 10                  // threshold to tune against false positives
| order by FailedAttempts desc
```

Learning curve: 2–3 weeks for a Windows administrator. 1–2 months to master complex aggregations (join, union, parse). Required for creating custom rules, tuning false positives, and investigating incidents.

SPL (Splunk) Comparison: KQL is simpler for basic queries but less powerful for advanced transformations. Splunk SPL offers more built-in functions and better community documentation.

Actual pricing and costing: the €50k/month trap

2026 Rate Structure

Since 2025, Sentinel has been organized into two tiers: the Analytics tier (real-time detection, queries, alerts, hunting—the "full" tier) and the Data Lake tier (low-cost, long-term storage for large volumes of logs that are rarely queried). The right approach to budgeting isn’t to negotiate the price per GB, but to decide which logs go into which tier.

Analytics tier — Pay-As-You-Go: Billing combines two charges: Log Analytics ingestion + a Sentinel analytics surcharge. The PAYG rate varies significantly by region (ranging from approximately $4.30/GB in the cheapest regions to $5.59/GB in the most expensive regions in the US). For West Europe, check the exact rate on the Azure calculator: the old amounts in euros (~€2.76/GB) correspond to the old billing model and are no longer reliable.

Please note: The Sentinel surcharge does not apply to ingested Auxiliary logs or Basic logs.

Analytics tier — Commitment tiers (capacity reservation): You reserve a daily volume at a discounted rate, ranging from 100 GB/day to 50,000 GB/day. Microsoft reports savings of up to 52% compared to PAYG on the highest tiers. Two rules to remember:

  • Any usage exceeding the reserved volume is billed at the reduced commitment tier rate (not the full PAYG rate)—this is a major advantage.
  • Conversely, unused reserved capacity is not refunded: over-reserving is costly. The commitment tier can be adjusted every 31 days.

50 GB/day Promo (preview): Microsoft launched a 50 GB/day commitment tier in public preview on October 1, 2025, which finally bridges the gap between PAYG and the historical minimum of 100 GB. Enrollment window: through June 30, 2026. Customers who sign up during this period lock in the promotional rate through March 31, 2027.

Data Lake tier: low-cost storage (around $0.19/GB at ingestion) for verbose sources (firewall, network traffic, proxy, DNS). Note: the Data Lake is not free; it is billed for ingestion, processing, and retention. In exchange, these logs do not trigger real-time analytics rules or alerts; they remain queryable via KQL and notebooks for forensic analysis and compliance.

Retention and archiving:

  • Analytics tier: 90-day interactive retention by default, extendable up to 2 years (retention beyond the default period is billed separately).
  • Archive: ~$0.025/GB/month for data stored for more than 14–30 days.
  • Search Job on Archive: ~$0.10 per GB scanned (forensic on demand).
  • Data Restore (Archive → Analytics): billed per GB and moved to the hot tier.

Additional costs that are often overlooked:

  • Azure Logic Apps (SOAR playbooks): billed per action; negligible for low volumes.
  • Outbound bandwidth: Exporting logs to a third-party tool = Azure Egress billing (first GB free, then standard Azure rates).

Realistic monthly cost estimate

The amounts below are approximate: the exact price depends on your Azure region and billing model. Be sure to recalculate using the Azure calculator before making any commitments.

Scenario: Small and medium-sized business with 200 employees, hybrid cloud:

  • Windows Event Logs (50 servers): 2 GB/day
  • Azure AD Sign-ins: 1 GB/day (included free of charge in E5)
  • Microsoft 365 Audit: 1.5 GB/day (included free of charge in E5)
  • Defender for Endpoint: 3 GB/day (included free with Defender for Servers)
  • Fortinet firewall: 15 GB/day (filtered, deny only)
  • Zscaler proxy: 5 GB/day
  • Total Analytics tier: ~27.5 GB/day

Conclusion: At this volume, the 100 GB/day commitment tier would be a waste (72.5 GB/day reserved but unused). Stick with Pay-As-You-Go, and route the firewall to the Data Lake if you ever enable full (allow + deny) logging. The new 50 GB/day promotional tier may also be a good option at this ingestion level.

Scenario: A company with 2,000 employees using a multi-cloud environment:

  • Server logs (300 VMs): 30 GB/day
  • Azure + AWS + GCP audit logs: 20 GB/day
  • Multi-platform EDR: 40 GB/day
  • Network logs (firewalls, IDS/IPS): 200 GB/day → Data Lake
  • Proxy and DNS: 50 GB/day → switch to Data Lake
  • Analytics tier: ~90 GB/day
  • Data Lake tier: ~250 GB/day

The issue isn't the cost per GB, but rather the filtering: sending 340 GB/day to Analytics would result in a massive bill, whereas routing 250 GB/day to the Data Lake drastically reduces the total cost without compromising detection capabilities (network and proxy logs almost never trigger real-time alerts).

Worst-case scenario — non-optimized ingestion:

  • Firewall logs ALL traffic (authorized + deny): 500 GB/day
  • Unfiltered debug application logs: 200 GB/day
  • Duplicate logs (sent from 2 sources): 100 GB/day
  • Total: 800 GB/day, all in the Analytics tier

At this volume, without governance, the monthly bill runs into the tens of thousands of euros for 95% data that no one looks at. Lesson: filter at the source, route verbose sources to the data lake, and monitor daily ingestion. Sentinel without governance = a financial black hole.
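A monthly cost model that applies the commitment-tier rules stated above (unused reserved capacity is still paid, overage is billed at the commitment rate), the data grants and the Data Lake routing to the article's own scenarios. This is an added example, not the article's or Microsoft's tooling; the per-GB rates are assumptions taken from the article's rough USD figures and should be replaced with Azure calculator values for your region.

```python
"""Sentinel monthly cost model: PAYG vs 100 GB/day commitment tier, with Data Lake routing.
Added example; rates are assumptions from the article's USD figures, not official prices."""
from dataclasses import dataclass

PAYG_RATE = 4.30         # $/GB, Analytics tier Pay-As-You-Go (assumption: cheapest US region)
COMMIT_RATE = 2.96       # $/GB, effective rate of the 100 GB/day commitment tier (assumption)
COMMIT_CAPACITY = 100.0  # GB/day reserved by that tier
DATA_LAKE_RATE = 0.19    # $/GB at ingestion; Data Lake processing/retention not modelled
DAYS = 30

@dataclass
class Source:
    name: str
    gb_per_day: float
    tier: str = "analytics"  # "analytics" or "datalake"
    free: bool = False       # covered by an M365 E5 / Defender for Servers data grant

def billable_volumes(sources):
    """Daily (analytics_gb, datalake_gb) after removing granted Analytics volume."""
    analytics = sum(s.gb_per_day for s in sources if s.tier == "analytics" and not s.free)
    datalake = sum(s.gb_per_day for s in sources if s.tier == "datalake")
    return analytics, datalake

def payg_cost(analytics_gb):
    return analytics_gb * PAYG_RATE * DAYS

def commitment_cost(analytics_gb, capacity=COMMIT_CAPACITY, rate=COMMIT_RATE):
    """Article's two rules: reserved capacity is paid even if unused;
    overage above the reservation is billed at the commitment rate, not PAYG."""
    reserved = capacity * rate * DAYS
    overage = max(0.0, analytics_gb - capacity) * rate * DAYS
    return reserved + overage

def datalake_cost(datalake_gb):
    return datalake_gb * DATA_LAKE_RATE * DAYS

def monthly_estimate(sources):
    """Compare both Analytics billing models for a set of sources; Data Lake cost is added to each."""
    analytics_gb, datalake_gb = billable_volumes(sources)
    payg, commit, lake = payg_cost(analytics_gb), commitment_cost(analytics_gb), datalake_cost(datalake_gb)
    return {
        "analytics_gb_day": analytics_gb,
        "datalake_gb_day": datalake_gb,
        "payg_usd": round(payg + lake, 2),
        "commitment_usd": round(commit + lake, 2),
        "best_model": "payg" if payg <= commit else "commitment",
    }

def breakeven_gb_per_day():
    """Daily billable Analytics volume above which the 100 GB tier beats PAYG."""
    return COMMIT_CAPACITY * COMMIT_RATE / PAYG_RATE

# Article's 200-employee scenario (figures from the article; grant flags per its notes)
SMB_200 = [
    Source("Windows Event Logs (50 servers)", 2),
    Source("Entra ID sign-ins", 1, free=True),
    Source("Microsoft 365 audit", 1.5, free=True),
    Source("Defender for Endpoint", 3, free=True),
    Source("Fortinet firewall (deny only)", 15),
    Source("Zscaler proxy", 5),
]
# Article's 2,000-employee scenario, verbose sources routed to the Data Lake
ENTERPRISE_2000 = [
    Source("Server logs (300 VMs)", 30),
    Source("Azure + AWS + GCP audit", 20),
    Source("Multi-platform EDR", 40),
    Source("Firewalls / IDS-IPS", 200, tier="datalake"),
    Source("Proxy + DNS", 50, tier="datalake"),
]

if __name__ == "__main__":
    print("SMB 200:", monthly_estimate(SMB_200))
    print("Enterprise 2000:", monthly_estimate(ENTERPRISE_2000))
    # Same 340 GB/day with nothing routed to the Data Lake: the article's "trap"
    print("All Analytics:", monthly_estimate([Source(s.name, s.gb_per_day) for s in ENTERPRISE_2000]))
    print("100 GB tier break-even: %.1f GB/day" % breakeven_gb_per_day())
```

Under these assumed rates the 100 GB tier only pays for itself above roughly 69 GB/day of billable Analytics volume, and the 2,000-employee scenario costs about three times more if the 250 GB/day of network and proxy logs stay in Analytics instead of the Data Lake.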

Free trials and data grants

31-day trial: 10 GB/day free per workspace (Log Analytics ingestion and Sentinel analysis waived), limited to 20 workspaces per tenant. Perfect for a POC.

Microsoft 365 E5 data allowances: Certain Microsoft sources are ingested for free regardless of the commitment tier. For an E5 organization, free ingestion can account for 30 to 50% of the total log volume.

Defender for Servers P2 data grants: free ingestion quota per protected VM, which significantly reduces costs for large server fleets.

Strategy: Maximize free data allowances, route verbose data sources to the data lake, and reserve a commitment tier only for the actual volume of paid Analytics data consumed.

Sentinel vs Splunk vs QRadar: battle of the SIEM giants

Splunk Enterprise Security: the flexible behemoth

Strengths:

  • SPL (Search Processing Language): the most powerful of SIEM query languages
  • 2800+ Splunkbase apps (community integrations)
  • On-premise, cloud, hybrid: deployment everywhere
  • Risk-Based Alerting (RBA): reduces alerting volume by 90% via cumulative risk scoring
  • Native MITRE ATT&CK aligned detection

Weaknesses:

  • Prohibitive cost: €150/GB (classic licensing) or complex workload pricing
  • Heavy infrastructure: indexers, search heads, forwarders to manage (except Splunk Cloud)
  • Steep SPL learning curve (but massive community)

Splunk pricing:

  • Ingestion 200 GB/day = ~30k€/month (licensing) + infra (10-15k€/month) = 40-45k€/month
  • Same Sentinel PAYG volume: 200 GB x €2.76 x 30 = €16,560/month

When to choose Splunk: a heterogeneous stack (multi-vendor, legacy on-prem), advanced SPL needs, a budget >500k€/year, and a SOC team with Splunk expertise.

IBM QRadar SIEM: the structured veteran

Strengths:

  • EPS (Events Per Second) licensing: predictable (but rigid)
  • Mature correlation engine (offense ranking)
  • Strong compliance posture (finance, government)
  • Support for physical appliances (sovereign datacenters)

Weaknesses:

  • Monolithic architecture (difficult scaling)
  • Aging UX (slow improvements)
  • Limited integrations (600 vs. 2800 Splunk)
  • Weak cloud-native (late catch-up)

QRadar pricing:

  • Licensing ~€15k/year for 5000 EPS
  • 200 GB/day ≈ 20 000 EPS = 60k€/year licensing + appliance (20k€) = 80k€/year or 6666€/month

When to choose QRadar: regulated environments (banking, OIV), sovereign on-premise requirements, EPS licensing preferred for large volumes.

SIEM Comparison 2026

| Criterion | Microsoft Sentinel | Splunk Enterprise | IBM QRadar |
|---|---|---|---|
| Deployment | Cloud-only (Azure) | On-premises / Cloud / Hybrid | On-premises / Cloud |
| Query language | KQL | SPL | AQL |
| Integrations | 500+ | 2800+ | 600+ |
| Pricing (200 GB/day) | ~€16,000/month (commitment tier, ~$2.96/GB effective) | €40–45k/month (license + infrastructure) | ~€6,666/month (EPS licensing) |
| Learning curve | Average (KQL) | Difficult (SPL) | Average (AQL) |
| Automation | Logic Apps | Splunk SOAR | QRadar SOAR |
| Native AI/ML | Excellent | Excellent | Average |
| Scaling | Elastic | Good (if cloud-based) | Rigid |

Estimated pricing excluding data grants, based on a constant 200 GB/day. At this volume, the commitment tier (rather than Pay-As-You-Go) is the right model for Sentinel. M365 E5 / Defender for Servers data grants can cover 30 to 50% of the volume and significantly reduce the bill. QRadar: the EPS model is still in effect, but its SaaS future is uncertain since Palo Alto Networks took over the business. Actual prices should be verified using the Azure calculator (prices vary significantly by region).

Objective verdict:

  • Sentinel: unbeatable for Microsoft-first organizations (Azure, M365), provided you keep costs under control using data grants and effectively manage cloud elasticity.
  • Splunk: a market leader, designed for complex heterogeneous environments, with budgets exceeding €500,000 per year, and in-house SPL expertise.
  • QRadar: Historically focused on highly regulated sectors and EPS licensing, with a fully sovereign on-premises infrastructure—but its future is worth watching since Palo Alto acquired the QRadar business.

Real use cases and ROI calculation

Use Case 1: Identity Compromise Detection (Microsoft Entra ID)

Background: An attacker steals an employee’s credentials via phishing. A login attempt is then made from an IP address in Russia at 2 a.m.

Sentinel Detection:

  • Analytics rule: Entra ID login from an unusual country + at an unusual time
  • UEBA: user scoring increased from 0 to 85/100 (high risk)
  • Alert generated in <2 minutes
  • Auto Playbook: Revoke the session, force MFA re-authentication, notify the manager and the SOC

Without SIEM: manual detection via daily review of Entra ID logs (if performed) = 24–48-hour delay. The attacker exfiltrates emails and gains access to sensitive SharePoint data.

ROI: incident prevented = ~€150,000 (forensics, loss of intellectual property, GDPR notification). Sentinel cost: ~€2,000/month. Payback: 1 major incident prevented per year.

Use Case 2: Ransomware Detection and Propagation

Background: Ransomware infects a user's computer and begins encrypting the network via SMB.

Sentinel Detection:

  • Defender for Endpoint alert: suspicious behavior (mass encryption)
  • Sentinel Correlation: The same user accessed 50+ servers in 10 minutes (abnormal)
  • Network logs: spike in outbound SMB traffic from the infected computer
  • Fused alert: ransomware outbreak in progress
  • Playbook: Isolate the workstation, lock the AD account, take a snapshot of critical VMs

Detection time: 8 minutes. Containment: 15 minutes. Infected servers: 3. Impact: ~€50,000 (recovery of 3 servers).

Without SIEM: detection on day 2 (users report encrypted files). 200 servers affected. Cost: ~€2 million (downtime, recovery, potential ransom).

ROI: major incident averted (savings of ~€1.95 million) vs. annual Sentinel cost of ~€24,000.

Use Case 3: Compliance and Auditing (GDPR, ISO 27001)

Background: An ISO 27001 audit requires evidence that access to personal data is monitored.

Sentinel:

  • Tracking of all access to the customer SQL database (query audit logs)
  • Alerts for access outside of business hours (10 p.m.–6 a.m.)
  • Monthly reporting: who accessed what, when
  • 13-month retention period (compliance)

ISO audit: The auditor asks, "Show me the access logs for the customer database over the past 12 months." Sentinel: Report generated in 5 minutes (KQL query).

Without SIEM: scattered logs (SQL Server, application, AD). Manual aggregation = 40 hours/year. Cost: ~€4,000 (engineer time). Risk of non-compliance if logs are incomplete.

ROI: time savings on the audit (~€4,000/year) + protection against the risk of non-compliance (potential fines).

Use cases with zero value: unnecessary over-ingestion

Anti-pattern: ingest ALL logs from ALL systems "just in case".

Real-life example: A company ingests:

  • Verbose IIS logs (every HTTP 200 OK): 300 GB/day
  • Application debug logs: 150 GB/day
  • DNS query logs (all queries): 200 GB/day
  • Total: 650 GB/day, all in the Analytics tier

At this volume, the monthly bill runs into the tens of thousands of euros, even though only about 5% of these logs trigger alerts. The remaining 95% is just noise.

Optimization:

  • IIS: Log only 4xx/5xx errors = 300 GB → 5 GB
  • App debug: disable in prod, enable on-demand = 150 GB → 0 GB
  • DNS: Log only rejected requests = 200 GB → 3 GB

After optimization: ~8 GB/day. Savings: ~97% reduction with no loss of detection capability.

Deployment and pitfalls to avoid

Mistake 1: Deploying without an ingestion strategy

Problem: All connectors were activated "just to see." The bill increased tenfold starting in the second month.

Best practice:

  • Identify 5–10 critical log sources (AD, EDR, critical firewalls)
  • Calculate the expected volume (7-day pilot monitoring)
  • Set a maximum monthly budget (e.g., €5,000)
  • Roll out gradually; measure ROI by source

Mistake 2: Neglecting M365/Defender data grants

Problem: Paying for Microsoft log ingestion when it is free with existing licenses.

Check: Do you have M365 E5 or Defender for Servers P2 licenses? Enable data grants. For an E5 organization, free ingestion can account for 30–50% of the total log volume. Potential savings: tens of thousands of euros per year.

Mistake 3: Unoptimized Analytics Rules

Problem: Microsoft's default rules generate 500 alerts per day, 90% of which are false positives. The SOC is overwhelmed, and real threats are getting lost in the noise.

Required tuning:

  • 1st month: audit mode, no alerting
  • Analyze false positive patterns
  • Adjust the thresholds (e.g., 10 failed logins → 50 if legacy apps generate a lot of false positives)
  • Whitelist of known IP addresses/users

Result: 500 alerts/day → 20 alerts/day, 80% true positives.
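The tuning procedure above, replayed as an added example (not from the article) on constructed failed-logon events: the shipped rule (EventID 4625, more than 10 failures per account and computer in 24 hours, the same logic as the KQL shown earlier) beside the tuned version with a 50-failure threshold and an allowlist of known noisy accounts. Account and host names are invented.

```python
"""Analytics-rule tuning on constructed failed-logon events (added example, not from the article).
Mirrors the KQL rule (EventID 4625, >10 failures per Account/Computer in 24h) and the tuning the
article recommends: raise the threshold for legacy-app noise and allowlist known accounts."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 15, 12, 0, tzinfo=timezone.utc)  # constructed "now"

def make_events():
    """Constructed SecurityEvent-like records: (TimeGenerated, EventID, Account, Computer)."""
    events = []
    # legacy service account with stale credentials hammering an app server: 40 failures in ~20h
    events += [(NOW - timedelta(minutes=i * 30), 4625, "CORP\\svc_legacy", "APP01") for i in range(40)]
    # helpdesk scanner box tripping 12 failures; known noise, candidate for the allowlist
    events += [(NOW - timedelta(minutes=i * 60), 4625, "CORP\\helpdesk", "SCAN01") for i in range(12)]
    # the real thing: 75 failures against DC01 for one user inside one hour
    events += [(NOW - timedelta(seconds=i * 45), 4625, "CORP\\jdoe", "DC01") for i in range(75)]
    # a normal user with three typos: below any threshold
    events += [(NOW - timedelta(hours=i), 4625, "CORP\\asmith", "WS042") for i in range(3)]
    # an old burst outside the 24h window must be ignored
    events += [(NOW - timedelta(days=3, minutes=i), 4625, "CORP\\old", "WS007") for i in range(30)]
    # successful logons (4624) are never counted
    events += [(NOW - timedelta(minutes=5), 4624, "CORP\\jdoe", "DC01")]
    return events

def failed_logon_alerts(events, threshold=10, window=timedelta(hours=24), allowlist=frozenset(), now=NOW):
    """Equivalent of the KQL rule: count 4625 per (Account, Computer) in the window, alert above threshold.
    Returns [(account, computer, failures), ...] sorted by failure count, highest first."""
    counts = Counter()
    for ts, event_id, account, computer in events:
        if event_id != 4625 or ts <= now - window:
            continue
        if account in allowlist:  # whitelist of known accounts (article's step 4)
            continue
        counts[(account, computer)] += 1
    hits = ((a, c, n) for (a, c), n in counts.items() if n > threshold)
    return sorted(hits, key=lambda t: -t[2])

def compare_tuning(events):
    """Shipped rule vs tuned rule on the same events."""
    default = failed_logon_alerts(events)                                           # threshold 10, no allowlist
    tuned = failed_logon_alerts(events, threshold=50, allowlist={"CORP\\helpdesk"})  # article's 10 -> 50 + whitelist
    return {"default": default, "tuned": tuned}

if __name__ == "__main__":
    for mode, alerts in compare_tuning(make_events()).items():
        print(mode, len(alerts), "alert(s):", alerts)
```

On this data the shipped rule raises three alerts of which two are known noise; the tuned rule raises only the 75-failure burst against the domain controller, which is the pattern the rule exists to catch.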

Mistake 4: Neglecting retention and archiving

Problem: Compliance requires 12 months of logs. Analytics data retention is free for 90 days, after which it is billed separately.

Calculation: Retaining 100 GB per day for an additional 9 months in Extended Analytics retention is much more expensive than switching to Archive.

Solution: After 90 days, switch to Tier 3 Archive (~$0.025/GB/month) instead of Extended Analytics retention. For the same data volume, the savings amount to thousands of euros per month. The Search Job on Archive (~$0.10/GB scanned) makes on-demand forensic access affordable.

Mistake 5: Underestimating KQL skills

Problem: The SOC does not have a handle on KQL. Incidents are not being properly investigated, and MTTR (Mean Time To Respond) has tripled.

Required education:

  • 3-day KQL Basics course (Microsoft Learn, free)
  • 2 weeks of investigative practice (labs)
  • SC-200 certification (Microsoft Security Operations Analyst)

Alternative: outsource the SOC (Managed Sentinel). Cost: €5–15k/month depending on the SLA. Relevant if you have fewer than 3 internal SOC FTEs.

Sentinel: investment or trap?

Microsoft Sentinel is neither the budget-friendly cloud SIEM that marketing hype promises, nor a pricing scam. It is a powerful tool for Microsoft-centric organizations that prioritize data ingestion discipline.

Sentinel makes sense if:

  • Dominant Microsoft stack (Azure, M365, Defender)
  • Active data grants (E5, Defender for Servers) = immediate ROI
  • Optimized volume <300 GB/day (Analytics + Data Lake)
  • Available KQL skills or Managed SIEM budget
  • Need for scalability (temporary spikes in traffic, rapid scaling)

Sentinel is a trap if:

  • Uncontrolled ingestion (any logger without filter)
  • Multi-vendor heterogeneous stack (Splunk better)
  • Volume >500 GB/day poorly optimized (explosive cost)
  • No KQL (learning curve)
  • 100% on-premise sovereign environment (QRadar/Splunk better)

Realistic ROI:

  • Investment: €2,000–€10,000 per month, depending on volume
  • Benefits: 1–2 major incidents prevented per year (€150,000–€2 million), simplified compliance (€4,000–€10,000 per year), L1 automation (30% time savings for the SOC)
  • Payback: 3–6 months with optimized intake, never in the event of volumetric drift

The real question: Do you need a SIEM?

You do NOT need SIEM if:

  • SMB <100 employees, simple infrastructure (cloud SaaS only)
  • A modern EDR solution is sufficient (Defender for Endpoint, CrowdStrike)
  • Basic centralized logs are sufficient (Azure Monitor, CloudWatch)
  • No strict compliance requirements

You NEED SIEM if:

  • 200 employees, hybrid/complex infrastructure
  • Regulated compliance (ISO 27001, NIS2, PCI-DSS)
  • Dedicated SOC team or outsourcing
  • Critical multi-source correlation (not just EDR)

A 60% cheaper alternative: if you don’t need a full-featured SIEM, Microsoft Defender XDR (without Sentinel) + centralized Azure Monitor logs = €500–1,500/month vs. €5,000–10,000/month for Sentinel.

Next pragmatic steps:

  1. Audit the current stack: Which logs are critical? What is the expected volume?
  2. Activate the 31-day Sentinel trial: Proof of concept on 3–5 priority sources
  3. Calculate the actual cost: PAYG vs. Commitment vs. Data Lake, including data grants
  4. Test the detection rules: false positives? Genuine alerts? Need for fine-tuning?
  5. Train the team on KQL: at least 2 people (skill redundancy)
  6. Decide: Sentinel Full, Defender XDR only, or Splunk/QRadar if it's a better fit

Fatal mistake: Deploying Sentinel without ingestion governance or KQL expertise = skyrocketing costs with no detection value. Success: Targeted strategy, optimized ingestion, continuous tuning = 500–1000% ROI over 3 years.

Microsoft Sentinel is an excellent cloud SIEM for those who know how to use it. For the rest, it's a money pit that detects as many threats as a basic firewall at 1/10th the price. Choose wisely.
