The solution is less expensive than an APM option. If the client wants to have a complete solution that covers the whole big organization, a good option will be going with Microsoft Sentinel. For the features it has, the price is justified.
While I wasn't involved with the specifics of Microsoft Sentinel's pricing, my understanding is it scales based on data ingestion. This means we only pay for the amount of data we bring in, which is fair. However, if a device generates excessive data like hundreds of GBs daily, investigating the cause becomes crucial to avoid unnecessary costs. In most cases though, the pay-as-you-go model shouldn't be an issue.
The licensing cost is available on the Microsoft Azure calculator. It depends on the size of the deployment, the size of the data ingestion. It is consumption-based pricing. It is an affordable solution.
Security Ops Management at a manufacturing company with 1,001-5,000 employees
Real User
Top 20
Nov 10, 2023
Microsoft Sentinel can be costly, particularly for data management. While Microsoft provides various free offerings to attract users, these benefits can quickly become overwhelmed by escalating data management expenses if proper precautions are not taken. I don't think it's Microsoft engaging in underhanded tactics. I believe the issue lies with customers not paying close enough attention to what they're enabling. Initially, they're excited and eager to incorporate everything, but before they realize it, they've incurred unexpected costs. Azure Monitor Log Analytics and Sentinel have different subscription plans and pricing tiers. This segmentation was implemented to accommodate the distinct business relationships within our organization. Sentinel costs are managed separately from Azure costs.
The product is costly compared to Splunk. When we pay for the product, we also have Azure Monitor Log Analytics as part of the package. It is economical for us.
Integrator, Microsoft Security Advisor at Hitachi Data Systems
Real User
Top 20
Sep 15, 2023
I know the price; however, I don't know how it compares with other SIEM solutions. I don't have that visibility. I overheard not too long ago that Sentinel is on the expensive side. However, there are some capabilities that are fairly new that Sentinel offers to lower the cost.
Sentinel is fairly priced and pretty cost-effective. Compared to on-premises solutions, Sentinel is very cost-effective. It's certainly possible, if you're not careful about what you connect, to shoot yourself in the foot by ending up with large data sources being ingested that cost you a fair bit of money. You do need to think about what data sources you actually need, which ones will lead to the detection of actual attackers, and how much of that data you need. You also have to consider how you're going to store it, because Sentinel has different levels. You don't have to store it all in the expensive "this will give me alerts" tiers. But, as I said, my clients are small businesses. They certainly don't have a budget for anything expensive, and they're very happy with the costs.
Threat Detection Engineer at a healthcare company with 10,001+ employees
Real User
Top 20
Aug 15, 2023
I would recommend checking regularly for deviations or unexpected surges of ingested events, which will affect the cost. I do not directly handle the pricing portion of the solution. There is a calculator in Azure that helps you estimate the cost.
From a cost point of view, it is not a cheap product. It's, like, an enterprise-level application. So if you compare it with a low-level application, it's expensive, but if you compare it with the same-level application, it's pretty much cost-effective, I think. Because for other products, you need to purchase them by paying thousands of dollars. In Sentinel, you pay for how much you use, or you just pay for how much you consume storage, log interface, or system. It will not be a one-time cost, but it will be like a continuous rental system, where you subscribe to an application, and then you use it. That's very easy. I think the company got the solution for a long time. If you purchase some products, you need to invest in something, and it increases your investment budgeting. Many enterprises do not like investments. But this is not a one-time cost, to be honest, since continuously, we will pay. This is maybe a negative point of view, but considering from company to company, it entirely depends on a company's strategy.
IT Senior Systems Administrator at Dubai Developments
Real User
Top 10
May 17, 2023
The pricing is reasonable, and we think Sentinel is worth what we pay for it. One of the main reasons we switched from on-prem to Azure Cloud was to save money, but at the same time, we kept adding on features and spent a lot doing so. We're now looking at cost optimization and removing unnecessary elements, as one of our primary goals is to reduce costs. I'm unsure if we are, but we are trying to get there.
Senior Cyber Security Operations Analyst at a financial services firm with 5,001-10,000 employees
Real User
Top 20
May 9, 2023
The current licensing is based on the logs that are being ingested on the platform. Most of the SIEM solutions utilize that pricing model, but Microsoft should give us a customization option for controlling the kind of logs that we feed into Microsoft Sentinel. That will be much better. Otherwise, the pricing is a bit higher.
It's expensive, but it's beneficial. Because of the way that the Government of Canada allows access to the Azure marketplace, we don't typically employ other cloud SIEMs. However, many departments of the government use on-prem SIEMs. When I consider the licensing and the functionality for those on-prem SIEMs, Sentinel is fairly pricey. That being said, for an Azure tenant, it's really the only game in town, unless you're pulling in information or you're exporting information from Sentinel to a third-party source on-prem for further analysis or storage. Cost-wise, Sentinel is based on the volume of information being ingested, so it can be quite pricey. The ability to use strategies to control what data is being ingested is important. Because it's expensive, I've seen other departments that have on-prem SIEMs that reanalyze telemetry that is exported from the Azure cloud. It's not like-for-like, though.
The pricing is fair. With a traditional SIEM, people are required for SOC operations and investigations and they require licenses. With Sentinel, people in SOC operations are still required to investigate, but we don't need any licenses for them. With a traditional SIEM, you pay a lump sum for licenses. But with Sentinel, it's pay-as-you-go according to the amount of data you inject.
The pricing was a big concern and it was very hard to explain to our stakeholders why they should bear the licensing cost and the Log Analytics cost. And the maintenance and use costs were on the higher side compared to other products. But the features and capabilities were going to ease things for my operations and SOC teams. Finally, the stakeholders had clarity.
Senior Cloud and Network Security Architect at a cloud solution provider with 51-200 employees
Real User
Nov 13, 2022
The price is reasonable because Sentinel includes features like user behavior analytics and SOAR that are typically sold separately. Overall, a standalone on-prem solution would require some high-end servers at a different cost. It is a cloud-based solution, so there are backend cloud computing costs, but they are negligible. The most significant cost factor is log ingestion. The best approach with any SIEM solution is only to ingest the necessary security-specific logs. You consume the EPS licenses, memory, bandwidth, and CPU. It doesn't make sense to forward and dump everything into any SIEM solution. If you are doing the architecture correctly, you send the right amount of logs. On top of that, Sentinel provides you with a workbook that tells you which log costs how much. You can optimize that part so it's cost-effective. Its dashboard offers clear graphs and charts, showing which log sources ingest the most logs, contributing to the cost. We can easily cut 40-60% of the price if we do appropriate fine-tuning. As long as you're doing the fine-tuning regularly, it's a highly cost-efficient solution.
From a cost perspective, there are some additional charges in addition to the licensing. Initially, the cost appears expensive, but over time, the solution justifies that cost. The cost is not straightforward, but instead really complex. We are charged for data ingestion as well as data leaving the environment. We are also charged for running playbooks and for logic apps. Compared with SIEM solutions, whose cost is simply based on EPS or data storage, Microsoft Sentinel's cost is complex. Over time we can predict what the cost of using the solution will be. Other standalone SOAR tools have fixed licensing and their cost is simple. We don't need to pay for each command we run or each integration we have or each automation we do. With Microsoft Sentinel, there is a cost associated with each of the connectors that we use in our playbook. Every time we run that playbook, there will be charges, but the charges are minimal unless we run the playbook repeatedly, then over time the cost shoots up.
I think Sentinel's pricing is reasonable. It's more reliable if it can integrate with other enterprise technologies, so you have to pay for that. We have to consider the size of the organization. We might shift to other security products for a smaller company. Given the reliability of Microsoft support, Sentinel is cost-effective. Sentinel is one of the best products compared to other SIEM solutions like CyberArk. Microsoft's market share is enormous, and they have surpassed AWS, so more companies are adopting Sentinel. A company can centralize everything with Sentinel, and that's great from a cost perspective.
My job as a consultant is to work with many different departments and agencies, whether it's on their architecture or assessing their environments, as they all move to the cloud. I've seen many different environments and a lot of them have some common overlaps in terms of security services. Sentinel can be expensive. When you ingest data from sources that are outside of the cloud, you're paying a fair amount for that data ingestion. When you're ingesting data sources from within the cloud, depending on what your retention periods are, it's not that expensive. For certain customers, depending on the requirements, it can be a pricey service.
Senior Cloud Infrastructure Consultant at a tech services company with 201-500 employees
Consultant
Sep 3, 2022
I'm not happy with the pricing on the integration with Defender for Endpoint. Defender for Endpoint is log-rich. There is a lot of information coming through, and it is needed information. The price point at which you ingest those logs has made a lot of my customers make the decision to leave that within the Defender stack. The big challenge for me right now is having to query data with the Microsoft Defender API and then querying a similar structure. That's a simple cost decision. If that cost can be brought down, I'm sure more of my clients would be interested in ingesting more of the Defender for Endpoint data, and that alone will obviously drive up ingestion. They are very willing to look at that, but right now, it is at such a price point that it is not cost-effective. Most of them are relying on us to recreate our solution, to integrate with two portals rather than having the data integrator Sentinel. If we can make a way there, it'll be a big one.
Consultant at a tech services company with 11-50 employees
Real User
Aug 23, 2022
No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.
SIEM Engineer at a tech services company with 501-1,000 employees
Real User
Aug 8, 2022
Some of the licensing models can be a little bit difficult to understand and confusing at times, but overall it's a reasonable licensing model compared to some other SIEMs that charge you a lot per data. There are additional fees for things like data usage and CPU cycles. When you're developing queries or working on queries, make sure that they're optimized so you don't use as much CPU when they run.
It is certainly the most expensive solution. The cost is very high. We need to do an assessment using the one-month trial so that we can study the cost side. Before implementing it, we must do a careful calculation. Something that could be improved is the documentation of the cost because there is none. All the other features are documented, but the pricing is not very clear. The Office 365 connectors to Sentinel are free, as is the support.
There is a community version. Whether or not the pricing is expensive depends on what a company needs and if it covers its requirements. I've been satisfied with the pricing so far. I don't find it overly expensive. You do pay a subscription fee for the service if you aren't using the community version.
I have worked with a lot of SIEMs. We are using Sentinel three to four times more than other SIEMs that we have used. Azure Sentinel's only limitation is its price point. Sentinel costs a lot if your ingestion goes up to a certain point. Initially, you should create cost alerts in the cost management of Azure. With one of my clients, we deployed the solution. We estimated that the ingestion would be up to this particular mark, but that ingestion somehow got way beyond that. Within a month to a month and a half, they got charged 35,000 CAD, which was a huge turn-off for us. So, at the very beginning, do your cost estimation, then apply a cost alert in the cost management of Azure. You will then get notified if anything goes out of bounds or something unexpected happens. After that, start building your entire security operation center on Sentinel.
Cloud and DevOps Architect at a financial services firm with 11-50 employees
Real User
Oct 25, 2021
From a cost perspective, there are certain Azure resources that we don't need to additionally pay for when using Sentinel. When we looked at other SIEM tools, they were quite expensive. Sentinel is also expensive for a startup, but we were able to configure it so there are some logs that Azure frees up, like your firewall, Office 365, or Kubernetes logs. From a cost perspective, this works well financially for us. Sentinel is a bit expensive. If you can figure a way of configuring it to meet your needs, then you can find a way around the cost.
Azure Sentinel is very costly, or at least it appears to be very costly. The costs vary based on your ingestion and your retention charges. Although it's very costly to ingest and store data, what you've got to remember is that you don't have on-premises maintenance, you don't have hardware replacement, you don't have the software licensing that goes with that, you don't have the configuration management, and you don't have the licensing management. All of these costs that you incur with an on-premises deployment are taken away. This is not to mention running data centers and the associated costs, including powering them and cooling them. All of those expenses are removed. So, when you consider those costs and you compare them to Azure Sentinel, you can see that it's comparative, or if not, Azure Sentinel offers better value for money. All things considered, it really depends on how much you ingest into the solution and how much you retain.
Director - Technology Risk & Cyber at a financial services firm with 10,001+ employees
Real User
Aug 23, 2021
I have had mixed feedback. At one point, I heard a client say that it sometimes seems more expensive. Most of the clients are on Office 365 or M365, and they are forced to take Azure SIEM because of the integration.
Senior Microsoft 365 Consultant at The Collective Consulting
Real User
Jun 18, 2021
The cost can be a little confusing at first, but the Azure calculator is a great place to start. I would advise starting with integrating Microsoft products first, as this is the most convenient way forward and allows you to learn the product as you go. In general, Azure Sentinel can be set up really quickly.
Domain Architect at a government with 5,001-10,000 employees
Real User
Apr 8, 2021
It is a consumption-based license model, with bands at 100, 200, 400 GB per day, etc. (Azure Sentinel Pricing | Microsoft Azure). Good monthly operational cost model for the detection and response outcomes delivered. M365 logs don't count toward the limits, which is a good benefit.
SOC Analyst at a wholesaler/distributor with 10,001+ employees
Real User
Feb 12, 2021
The product is extremely cost-effective and affordable for customers. I'm more on the technical side. Therefore, I don't have any insights into the actual cost or the structure of the license.
It's free. It comes with a Microsoft subscription which the customer has, so they don't have to invest somewhere else. That'd be great if it was supporting other things.
Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and...
The pricing of Microsoft Sentinel is considered expensive, particularly due to the cloud-related costs for workspace, Sentinel, and storage.
Sentinel is costly.
I can't speak to the exact cost.
Microsoft Sentinel is included in our E5 license.
In comparison to other security solutions, Microsoft Sentinel offers a reasonable price for the features included.
The solution is expensive and there is a daily usage fee.
Sentinel is pretty competitive. The pricing is at the level of other SIEM solutions.
Microsoft Sentinel is expensive.
I don't know yet because they gave us a 30-day test window for free.
Pricing is pay-as-you-go with Sentinel, which is good because it all depends on the number of users and the number of devices to which you connect.