Frontrow Technology

Microsoft Sentinel — Microsoft's cloud SIEM, explained for AU buyers

Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR — billed per gigabyte ingested, deployed into your Azure subscription, integrated with Defender XDR and Logic Apps for response automation.

Last reviewed 10 May 2026

What Sentinel is

Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform with built-in security orchestration, automation and response (SOAR). It ingests logs and signals from Microsoft 365, Azure, on-premises infrastructure, third-party SaaS and any source that can emit syslog or REST. Detection rules fire on the data, analysts triage in the workspace, and Logic Apps playbooks automate response.

How the pricing works

Sentinel is billed in two tiers: a per-GB-ingested charge for Sentinel itself, and a separate per-GB charge for the underlying Log Analytics workspace that stores the data. Commitment tiers (100 GB/day, 200 GB/day, 500 GB/day) drop the rate significantly below pay-as-you-go. Many Microsoft 365 connectors are free: Defender for Endpoint, Defender for Office, Defender for Identity and Microsoft 365 audit logs all stream into Sentinel without a per-GB charge.

When Sentinel makes sense for AU

For organisations already in Microsoft 365 with Defender XDR, Sentinel is usually cheaper than Splunk Cloud or Elastic SIEM at equivalent scope, particularly because Defender data is free to ingest. For organisations with a significant non-Microsoft estate (heavy Linux, OT/ICS, large CDN logs), the per-GB economics shift and Splunk or Elastic can win. Frontrow's rule of thumb: Microsoft 365 + Azure + AD federation means Sentinel; mixed multi-cloud with heavy non-Microsoft logs means compare carefully.

Want Frontrow to walk this through with your team?

30 minutes. No deck. We'll walk through your tenant, your priorities, and the next sensible move.