Microsoft Sentinel pricing surprises every Australian SOC team that didn't model it carefully. The data ingest line item compounds month over month, the retention bill compounds quarter over quarter, and by the second renewal cycle the security platform that was supposed to consolidate spend is itself the spend that needs consolidating. The good news: there are five reliable plays that consistently cut Sentinel spend by 30–50 percent without losing detection coverage. We've run all five in Australian midmarket and enterprise tenants.
Play 1: Make sure free Defender data is actually free
Microsoft Sentinel doesn't charge for ingest from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Microsoft 365 audit logs or Azure Activity logs. Many tenants accidentally route this data through paid connectors instead of the dedicated free ones. Audit your data connectors monthly: the 'Microsoft 365 Defender' connector is free, the older standalone Defender connectors are mostly free, and the 'Common Event Format' or 'Syslog' connectors used to bring Defender data in are not. We've seen 25–40 percent of total ingest reclassified as free in the first audit.
Play 2: Move verbose log sources to Basic Logs
Microsoft introduced the Basic Logs SKU specifically for high-volume, low-signal data — typically web server logs, CDN logs, NetFlow, IIS, large CEF feeds. Basic Logs are USD $0.50/GB ingested versus USD $4.30/GB at the PAYG analytics rate, roughly an 88 percent discount. The trade-off: Basic Logs have an 8-day query retention versus 90 days for analytics, can only be queried with KQL search jobs, and can't drive scheduled detection rules. For data you genuinely never query in real time, this is the right tier. Identify the top three highest-volume tables that you query less than once a month — those are usually the candidates.
Play 3: Tune retention deliberately, not by default
Sentinel's default 90-day retention is generous for most data classes. Anything beyond 90 days costs USD $0.10/GB/month. Many tenants sit on 365–730 days for every table because the workspace-wide setting was changed once and never revisited per table — and the AUD bill quietly compounds. The right approach: set retention per table based on the regulatory and operational requirement. APRA-regulated entities need 7 years on certain audit data, but only 12–24 months on most operational logs. Move data older than the operational window to the Archive tier (USD $0.025/GB/month — 75 percent cheaper than long-term retention) for the long-tail compliance hold.
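A per-table tiering and retention planner for Plays 2 and 3, added here as an example (not code from the original post). It uses only the page's list prices in USD and a constructed set of table rows; the 30-day month, steady daily volume, 90/8 included days and "retention billed only beyond the included window" are simplifying assumptions.

```python
"""Per-table plan for Plays 2 and 3 (added example, not from the post).
Prices are the page's list figures in USD: analytics ingest 4.30/GB, Basic
Logs 0.50/GB, retention past the included window 0.10/GB/month, Archive
0.025/GB/month. SAMPLE rows are constructed, not tenant data. Assumptions:
30-day months, steady daily volume, 90 days included for analytics tables
and 8 days for Basic Logs, retention billed only on days held beyond that."""

ANALYTICS_PER_GB = 4.30
BASIC_PER_GB = 0.50
RETENTION_PER_GB_MONTH = 0.10
ARCHIVE_PER_GB_MONTH = 0.025
INCLUDED_DAYS = {"analytics": 90, "basic": 8}

# Constructed sample: table -> (GB/day, queries in the last 90 days,
# days the data must be kept for regulatory or operational reasons)
SAMPLE = {
    "W3CIISLog": (40.0, 0, 365),           # verbose, never queried
    "CommonSecurityLog": (30.0, 12, 730),  # CEF feed queried ~4 times a month
    "SigninLogs": (8.0, 90, 365),          # drives scheduled rules daily
    "SecurityEvent": (15.0, 60, 2555),     # 7-year audit hold
}

def is_basic_candidate(gb_per_day, queries_90d, min_gb=5.0):
    """Page rule: a high-volume table queried less than once a month. Basic
    Logs cannot feed scheduled rules, so routinely queried tables stay put."""
    return gb_per_day >= min_gb and queries_90d < 3

def monthly_ingest_cost(gb_per_day, plan):
    rate = BASIC_PER_GB if plan == "basic" else ANALYTICS_PER_GB
    return gb_per_day * 30 * rate

def monthly_retention_cost(gb_per_day, keep_days, plan, archive):
    """Steady-state GB held past the included window, priced per month."""
    extra_days = max(0, keep_days - INCLUDED_DAYS[plan])
    rate = ARCHIVE_PER_GB_MONTH if archive else RETENTION_PER_GB_MONTH
    return gb_per_day * extra_days * rate

def plan_tables(tables=SAMPLE):
    """Monthly USD before (all analytics, long-term retention) and after
    (Basic Logs where eligible, Archive for the long tail) per table."""
    result = {}
    for name, (gb, queries, keep) in tables.items():
        plan = "basic" if is_basic_candidate(gb, queries) else "analytics"
        before = (monthly_ingest_cost(gb, "analytics")
                  + monthly_retention_cost(gb, keep, "analytics", False))
        after = (monthly_ingest_cost(gb, plan)
                 + monthly_retention_cost(gb, keep, plan, True))
        result[name] = {"plan": plan, "before": before, "after": after}
    return result
```

Run `plan_tables()` against a Usage-table export of your own workspace to see which tables carry the retention bill; the 7-year SecurityEvent row shows why the archive move matters more than the ingest tier for compliance data.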
Play 4: Pick the right commitment tier — and review it quarterly
Commitment tiers buy meaningful discounts. The 100 GB/day tier is roughly 27 percent cheaper per GB than PAYG; the 500 GB/day tier roughly 40 percent cheaper; the 1000 GB/day tier roughly 42 percent cheaper. The trap is over-committing — you pay the committed amount whether you use it or not. The right approach: model your average paid ingest, pick the tier that fits without major over-commit, and review every quarter. Use the calculator at /tools/microsoft-sentinel-pricing-australia for the maths in AUD. Most AU midmarket tenants land at PAYG, 100 GB or 200 GB tiers.
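A break-even model for the commitment-tier choice, added as an example (not the post's calculator). It models only the three tiers the page gives figures for; the assumption that ingest above a commitment is billed at that tier's per-GB rate is ours, as is the `quarterly_review` helper.

```python
"""Commitment-tier break-even model for Play 4 (added example, not from the
post). Page figures: PAYG USD 4.30/GB; the 100, 500 and 1000 GB/day tiers
roughly 27, 40 and 42 percent below PAYG. Assumptions: an unused commitment
is still paid in full, and ingest above the commitment is billed at the
tier's own per-GB rate."""

PAYG_RATE = 4.30
TIER_DISCOUNT = {100: 0.27, 500: 0.40, 1000: 0.42}  # GB/day -> discount

def tier_rate(commit_gb):
    """Effective USD per GB for a tier; commit_gb == 0 means pay-as-you-go."""
    if commit_gb == 0:
        return PAYG_RATE
    return PAYG_RATE * (1 - TIER_DISCOUNT[commit_gb])

def daily_cost(avg_gb, commit_gb):
    """USD per day: the commitment is billed even when ingest falls below it."""
    return max(avg_gb, commit_gb) * tier_rate(commit_gb)

def breakeven_gb(commit_gb):
    """Daily ingest above which a tier beats PAYG even with part of the
    commitment unused: commit * tier_rate == ingest * PAYG_RATE."""
    return commit_gb * tier_rate(commit_gb) / PAYG_RATE

def cheapest_tier(avg_gb):
    """Commitment (0 = PAYG) with the lowest daily cost at this ingest level."""
    options = [0] + sorted(TIER_DISCOUNT)
    return min(options, key=lambda c: daily_cost(avg_gb, c))

def quarterly_review(daily_gb_samples, current_commit):
    """Re-run the choice on a quarter of measured paid ingest (GB/day) and
    report what the current tier costs against the best one, USD per day."""
    avg = sum(daily_gb_samples) / len(daily_gb_samples)
    best = cheapest_tier(avg)
    return {
        "avg_gb": avg,
        "unused_commit_gb": max(0.0, current_commit - avg),
        "recommended": best,
        "daily_saving": daily_cost(avg, current_commit) - daily_cost(avg, best),
    }
```

The 100 GB tier already beats PAYG at about 73 GB/day of paid ingest, which is why the free-connector audit in Play 1 should run first: reclassifying ingest as free can push a tenant back below its tier's break-even.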
Play 5: Cut the noise at the source
The cheapest GB is the one that doesn't get ingested. Three patterns reliably reduce ingest at source: (1) Filter Defender for Cloud Apps signals — many CASB events are behavioural noise that won't drive detection. Configure the connector to drop low-value event categories. (2) Filter Microsoft Entra sign-in logs — federated sign-ins from trusted apps that produce no detection value can be filtered out. (3) Audit your custom log sources — every CEF, syslog and HTTP-data-collector source should be reviewed against 'does this drive a detection or an investigation in the last 90 days'. If neither, drop it.
Stack the plays — that's the 30–50% saving
No single play hits 50 percent on its own. Stacked, they consistently do: 25 percent from free connector audit, 10 percent from Basic Logs migration, 10 percent from retention tuning, 5 percent from right-tier commitment, 10 percent from source-side filtering. For a Sentinel bill of AUD $200,000/year — typical for an Australian midmarket SOC — that's AUD $60,000–100,000 reclaimed annually. Frontrow runs Sentinel cost optimisation engagements that produce a documented optimisation plan; the typical engagement pays itself back in the first quarter.
Frame the security baseline
Before optimising Sentinel cost, make sure the underlying control posture is right. Score against Essential Eight to surface the controls that drive the most valuable detections.
- 01 Application control: Only approved applications can execute on workstations and servers.
- 02 Patch applications: Internet-facing apps, browsers, Office, PDF readers patched promptly.
- 03 Microsoft Office macros: Macros disabled unless from trusted locations and signed by a trusted publisher.
- 04 User application hardening: Web browsers and productivity apps hardened against the most common attacks.
- 05 Restrict administrative privileges: Admin accounts limited, separated and reviewed — the crown jewels of the tenant.
- 06 Patch operating systems: Operating system patches applied on a schedule that matches the risk.
- 07 Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
- 08 Regular backups: Backups of important data, configuration and software — and restores you have actually tested.