Service pricing for Azure Sentinel
There are several components to consider when pricing Azure Sentinel:
- A charge for ingesting data into Log Analytics
- A charge for running the data through Azure Sentinel
- Charges for running Logic Apps for Automation (optional)
- Charges for running your own machine learning models (optional)
- The cost of running any VMs for data collectors (optional)
The cost for Azure Monitor and Azure Sentinel is calculated from how much data is consumed, which depends directly on the connectors: the type of information you connect to and the volume of data each node generates. This may vary each day throughout the month as changes in activity occur across your infrastructure and cloud services. Some customers notice a change based on their customer sales fluctuations.
The initial pricing option is to use Pay As You Go (PAYG). With this option, you pay a fixed price per gigabyte (GB) used, charged on a per-day basis. Microsoft also offers discounts for larger volumes of data.
It is worth noting that Microsoft has made available some connectors that do not incur a data ingestion cost. The data from these connectors could account for 10-20% of your total data ingestion, which reduces your overall costs. Currently, the following data connectors are not charged for ingestion:
- Azure Activity (Activity Logs for Azure Operations)
- Azure Active Directory Identity Protection (for tenants with AAD P2 licenses)
- Azure Information Protection
- Azure Advanced Threat Protection (alerts)
- Azure Security Center (alerts)
- Microsoft Cloud App Security (alerts only)
- Microsoft Defender Advanced Threat Protection (monitoring agent alerts)
- Office 365 (Exchange and SharePoint logs)
The following table is an example of the published pricing for Azure Log Analytics:
The following table is an example of the published pricing for Azure Sentinel:
Important note
In both examples, everything over 500 GB remains at the same price per GB as the 500 GB tier. Pricing also varies depending on the region you choose for the Azure Monitor workspace; these examples are shown based on East US, December 2019. You may receive discounts from Microsoft, depending on individual agreements.
The pricing works by charging a fixed price for the tier (100 GB = $296 per day), and then charging the PAYG price for each GB over that tier. When you work out the calculations for the pricing tiers, it makes financial sense to increase to the next tier when you reach the 50% marker. For example, if you are ingesting an average of 130 GB per day, you will pay for the first 100 GB at $2.96 per GB, and then pay a PAYG price of $4.76 per GB for the additional 30 GB (total per day = $438.80). Now, if your daily usage increases to 155 GB, you would save money by moving your plan to the 200 GB option (total per day = $548) and paying for the extra capacity, instead of paying for the 100 GB (fixed) + 55 GB (PAYG) (total per day = $557.80).
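The tier arithmetic above, as an added example that is not part of the original text: it compares PAYG against the two tiers priced in this section, computes the break-even volume between them, and shows how the share of data from free connectors can change the cheapest plan. Only the prices quoted in this section are used (the published tables are not reproduced here), and the function names are illustrative.

```python
from decimal import Decimal

# Prices quoted in the text (East US, December 2019). Other tiers are omitted
# because their prices do not appear on this page.
PAYG_PER_GB = Decimal("4.76")
TIERS = {100: Decimal("296"), 200: Decimal("548")}  # committed GB/day -> USD/day


def daily_cost(gb_per_day, tier_gb=None):
    """Daily cost: fixed tier price plus PAYG for each GB above the tier."""
    gb = Decimal(str(gb_per_day))
    if tier_gb is None:  # pure Pay As You Go
        return gb * PAYG_PER_GB
    overage = max(gb - tier_gb, Decimal(0))
    return TIERS[tier_gb] + overage * PAYG_PER_GB


def cheapest_plan(gb_per_day):
    """Return (plan, cost) with the lowest daily cost; plan None means PAYG."""
    options = {None: daily_cost(gb_per_day)}
    options.update({tier: daily_cost(gb_per_day, tier) for tier in TIERS})
    plan = min(options, key=options.get)
    return plan, options[plan]


def break_even_gb(lower_tier, upper_tier):
    """Daily volume above which upper_tier beats lower_tier plus PAYG overage."""
    return lower_tier + (TIERS[upper_tier] - TIERS[lower_tier]) / PAYG_PER_GB


def billable_gb(total_gb, free_fraction):
    """Volume that is charged once data from free connectors is excluded."""
    return Decimal(str(total_gb)) * (1 - Decimal(str(free_fraction)))


if __name__ == "__main__":
    for volume in (50, 130, 155):
        print(volume, "GB/day ->", cheapest_plan(volume))
    print("break-even 100 -> 200:", round(break_even_gb(100, 200), 1), "GB/day")
    # Constructed case: 155 GB/day total, 10% of it from free connectors.
    print("155 GB total, 10% free ->", cheapest_plan(billable_gb(155, 0.10)))
```
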
When you look at the amount of data you are using, you may see a trend toward more data being consumed each month as you expand the solution to cover more of your security landscape. As you approach the next tier, you should consider changing the pricing model; you have the option to change once every month.
The next area of cost management to consider is retention and long-term storage of the Azure Sentinel data. By default, the preceding pricing includes 90 days of retention. For some companies, this is enough to ensure visibility over the last 3 months of activity across their environment; for others, there will be a need to retain this data for longer, perhaps up to 7 years (depending on regulatory requirements). There are two ways of maintaining the data long term, and both should be considered and chosen based on price and technical requirements:
- Azure Monitor: Currently, this is available to store the data for up to 2 years.
  - Pros: The data is available online and in Azure Monitor, enabling direct queries using KQL searches, and the data can be filtered to only retain essential information.
  - Cons: This is likely the most expensive option per GB.
- Other storage options: Cloud-based or physical-based storage solutions can be used to store the data indefinitely.
  - Pros: Cheaper options are available from a variety of partners.
  - Cons: Additional charges will be made if data is sent outside of Azure, and the data cannot be queried by Azure Monitor or Azure Sentinel. Using this data requires another solution to be implemented to query the data when required.
The final consideration for cost analysis includes the following:
- Running any physical or virtual machines as Syslog servers for data collection
- Charges for running your own machine learning models, which can be achieved using Azure ML Studio and Azure Databricks
- The cost of running Logic Apps for automation and integration
Each of these components is highly variable across deployments, so you will need to carry out this research as part of your design. Also, research the latest region availability and ascertain whether Azure Sentinel is supported in the various government clouds, such as in China.