Sentinel pricing and analytics rules

[assaf-grth]

Hi, Can you add any reference to the subject of analytics rules and their relation to the costs of the Sentinel service? There is no document stating that execution of these rules doesn't incur any charges, but the Sentinel service pricing consists of a thing called "volume of data analysed in Microsoft Sentinel" which looks related to the result of executing an analytics rule query

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: a8bb0e76-7b39-2d7f-d8f0-d2ec1fd26849
• Version Independent ID: bbf5604d-4c5b-e984-9567-d3e8670a8c20
• Content: Plan costs, understand Microsoft Sentinel pricing and billing
• Content Source: articles/sentinel/billing.md
• Service: microsoft-sentinel
• GitHub Login: @cwatson-cat
• Microsoft Alias: cwatson

[Naveenommi-MSFT]

@assaf-grth Thanks for your feedback! We will investigate and update as appropriate.

[ManoharLakkoju-MSFT]

@assaf-grth You are correct that there is no explicit documentation stating that the execution of analytics rules does not incur any charges in Microsoft Sentinel. However, it is important to note that the pricing for Microsoft Sentinel is based on the volume of data analyzed, not the number of analytics rules executed.

When you create an analytics rule in Microsoft Sentinel, it is essentially a query that runs over the data in your workspace. The results of this query are used to generate alerts, incidents, and other outputs. However, the cost of running this query is already included in the pricing for the volume of data analyzed.

In other words, you are not charged separately for the execution of each analytics rule. Instead, you are charged based on the amount of data that is analyzed by all of your analytics rules and other detections in Microsoft Sentinel.

I hope this information helps clarify the relationship between analytics rules and the costs of the Sentinel service. Please let me know if you have any further questions or concerns.

[assaf-grth]

Thanks for the details @ManoharLakkoju-MSFT So just to make sure I understand, the pricing spans across the same amount of volume of data across two charge metrics Its charged per log analytics workspace storage and the same amount of storage is charged as Sentinel data analyzed?

Another question regarding the free data sources feature, these sources will not count as part of the costs in terms of Sentinel data analyzed, but the data stored in the log analytics workspace will be included as part of the costs?

[ManoharLakkoju-MSFT]

@assaf-grth I'm going to assign this to the document author so they can take a look at it accordingly

@cwatson-cat Can you please check and add your comments on this doc update request as applicable.

[assaf-grth]

Thanks @ManoharLakkoju-MSFT , waiting for further updates

[cwatson-cat]

Thanks for the details @ManoharLakkoju-MSFT So just to make sure I understand, the pricing spans across the same amount of volume of data across two charge metrics Its charged per log analytics workspace storage and the same amount of storage is charged as Sentinel data analyzed?

Another question regarding the free data sources feature, these sources will not count as part of the costs in terms of Sentinel data analyzed, but the data stored in the log analytics workspace will be included as part of the costs?

@nayef-yassin Would you be able to answer this last question?

[nayef-yassin]

Sentinel is charged based on data analyzed which is exactly equal to the data ingested into the underlying Log Analytics workspace. This is completely separate from how many analytics rules a user may or may not run. You essentially pay once for the data that is brought into Sentinel and can then operate on it however you like and can run or not run as many analytics as you'd like with no additional cost.

[batamig]

label:"backlog-item-created"

[assaf-grth]

Thanks for the details Can you relate to this question: Regarding the free data sources feature, these sources will not count as part of the costs in terms of Sentinel data analyzed, but the data stored in the log analytics workspace will be included as part of the costs?

[cwatson-cat]

Please post any remaining questions to Microsoft Q&A. #please-close