Microsoft Sentinel is ideal for extending the functions of Microsoft Defender XDR and the other Defender products. I have already described this in more detail in the blog entry Microsoft Sentinel for Microsoft 365 – a must have! But what does Microsoft Sentinel for Microsoft 365 actually cost? There is no clear answer to this question, because the M365 log size that ends up in Microsoft Sentinel is difficult to calculate. This blog deals with precisely this question. It is intended to serve as a guide for cost estimation and to shed some light on the murky depths of log size and Sentinel costs.
Log size estimation
Note
The estimate is based on measurements of tenants with M365 E3 + E5 security licences. Deviations may occur if other licences are used. The calculation is based on Office users with "normal use". The calculation template is freely available, but any liability is excluded.
Based on my measurements and experience, the average Office user generates around 6.89 MB per day. This figure applies at the time of writing and assumes that all Defender products are activated. In the following chapter I will show step by step how I carried out this measurement.
However, I can still adjust my calculation, as the measurement includes log data that is transferred free of charge from Defender XDR to Microsoft Sentinel. Experience shows that around 20% of the M365 log size can be deducted for Microsoft Sentinel (this is a rule of thumb for me). In this case, that results in 5.51 MB per user and day (6.89 x 0.8). Since I prefer to calculate the worst case in cost calculations and work with cost ceilings, I keep this 20% as a reserve for deviations rather than deducting it.
Calculation procedure
The preceding estimate is based on measurements that you can also carry out yourself, provided a tenant with the M365 Defender products and M365 services activated is available. Here are the steps I took for the calculation. I analyse the relevant logs over the last 30 days and use them to calculate a daily average per user.
Analysis of existing M365 log data
- Firstly, I access the Microsoft Security Portal https://security.microsoft.com and navigate to "advanced hunting".
- Now I open my GitHub repo in a new tab, in which I provide the required queries and an Excel file. I download the Excel so that I can fill it out.
- Next, I set the time range to 30 days and run the various KQL queries from the GitHub repo in the "advanced hunting" section of the Microsoft Security Portal. I have found it practical to split this up per Defender product and run each query separately to get a better overview.
- I now transfer the results of each query to the previously downloaded Excel file and thus obtain the average per user and day in MB (don't forget to enter the number of licensed users correctly).
This is the first interim result. It can be transferred to the Azure Pricing Calculator and already gives an indication of the possible price. However, the measurement also includes log data that can be sent to Sentinel free of charge. In this evaluation that only affects a small share, essentially the security alerts and activity logs. In addition, all activity logs from SharePoint, Exchange and Teams are free of charge (part of Defender for Cloud Apps in this evaluation). You can find a list of the free logs in the blog entry Microsoft Sentinel for Microsoft 365 – a must have!
The overview also makes clear that Defender for Endpoint accounts for by far the largest share.
M365 licence benefit
The result corresponds to the log size estimate per user mentioned at the beginning. However, the evaluation is not yet conclusive, because what is often forgotten and not taken into account is that there are further price advantages depending on which licences are available: if a suitable licence is available, 5 MB per day and licensed user are not charged. The Excel file takes this into account as well.
- I now check the tenant and enter all relevant licences in the Excel file with the corresponding number. As already described, all users in my example calculation have an M365 E5 Security licence and I enter this accordingly.
The result is now significantly different. Whereas the figure was previously 6.89 MB per day and user without the licence benefit, it is now only 1.89 MB per day and user. Microsoft only charges for this part.
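The following estimator mirrors the calculation described above (30-day measurement per query, daily average per user, the 20% free-log rule of thumb and the 5 MB per licensed user benefit) in Python. It is an added example, not the author's Excel file or the queries from the GitHub repo; the per-query sizes are constructed sample values chosen so that the average matches the 6.89 MB of the post.

```python
"""Estimate billable Microsoft Sentinel volume for M365 logs.

Added example mirroring the blog's calculation steps; constants and the
5 MB licence benefit are taken from the post, sample sizes are constructed.
"""

LICENCE_BENEFIT_MB_PER_DAY = 5.0   # not billed per day and qualifying licensed user
FREE_SHARE_RULE_OF_THUMB = 0.20    # author's rule of thumb for free Defender XDR logs
MEASUREMENT_DAYS = 30

# Constructed sample: total MB returned by each advanced-hunting query over
# the last 30 days for a tenant with 1000 users. Defender for Endpoint is
# deliberately the largest share, as observed in the post.
SAMPLE_30_DAY_MB = {
    "Defender for Endpoint": 150_000.0,
    "Defender for Office 365": 25_000.0,
    "Defender for Identity": 12_000.0,
    "Defender for Cloud Apps": 18_000.0,
    "Security alerts": 1_700.0,
}
SAMPLE_USERS = 1000


def mb_per_user_per_day(sizes_mb, users, days=MEASUREMENT_DAYS):
    """Average daily volume per user across all measured queries (the Excel interim result)."""
    if users <= 0 or days <= 0:
        raise ValueError("users and days must be positive")
    return sum(sizes_mb.values()) / days / users


def billable_mb_per_user_per_day(measured_mb, licensed_share=1.0, deduct_free_share=False):
    """Apply the licence benefit (scaled by the share of users holding a qualifying
    licence) and, optionally, the 20% free-log deduction. Never returns a negative value."""
    volume = measured_mb * (1 - FREE_SHARE_RULE_OF_THUMB) if deduct_free_share else measured_mb
    return max(volume - LICENCE_BENEFIT_MB_PER_DAY * licensed_share, 0.0)


def monthly_billable_gb(billable_mb_per_day, users, days=30):
    """Tenant-wide monthly volume to enter into the Azure Pricing Calculator."""
    return billable_mb_per_day * users * days / 1024


def reduction_percent(measured_mb, billable_mb):
    """How much of the measured volume the licence benefit removes."""
    return (1 - billable_mb / measured_mb) * 100 if measured_mb else 0.0


if __name__ == "__main__":
    measured = mb_per_user_per_day(SAMPLE_30_DAY_MB, SAMPLE_USERS)
    billable = billable_mb_per_user_per_day(measured)
    print(f"measured {measured:.2f} MB/user/day, billable {billable:.2f} MB/user/day")
    print(f"reduction {reduction_percent(measured, billable):.0f}%, "
          f"{monthly_billable_gb(billable, SAMPLE_USERS):.1f} GB/month ceiling")
```

Leaving `deduct_free_share` at its default keeps the 20% as a reserve, which matches the cost-ceiling approach of the post; set it to `True` to see the optimistic figure instead.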
Conclusion
At first glance, Microsoft Sentinel is often considered expensive and unpredictable in terms of costs. In my view, this is because the costs depend on the amount of data ingested. However, when looking at the Microsoft 365 case in detail, it is clear to me that the costs can be calculated easily, at least as a cost ceiling. Some data is written to Microsoft Sentinel for free, and on top of that there is the M365 licence benefit, provided the right licences are available. This licence benefit is significant and reduces the price by around 70%! In my experience, organisations often do not take the benefit granted by Microsoft into account at first glance. This often leads to incorrect price assessments and therefore incorrect conclusions.
As already stated in my blog post Microsoft Sentinel for Microsoft 365 – a must have!, Sentinel is an important addition to Microsoft 365. With this blog post, I hope to show that organisations need to put the paid log data for Microsoft 365 in Sentinel into perspective, and to provide help on how anyone can reliably calculate the log data.