Part of my day job is helping people source a security operations center (SOC) solution. Those tend to come with a managed SIEM platform, an EDR agent, and some additional playbooks/detections layered on top as their core offering. Pretty much without fail I end up discussing whether Microsoft Sentinel would be a good fit for a SIEM, and whether or not a business should decide on Microsoft Defender for EDR. They are already paying for Microsoft licensing every month, why not bump it up a bit and then have the SOC manage that?
Great in theory, but just like life, it isn't quite that simple. So let's break down where that is a good idea vs. a bad idea by demystifying the slightly muddy water that is Microsoft security capability licensing. We will go through the considerations for Sentinel pricing to get the full capability you are likely looking for: detection and automated response of some kind.
Disclaimer: This post is meant to be informative, not ALL-ENCOMPASSING. Lots of businesses will have fun nuances, but since this is the internet I can't cover every possible outcome. The overall goal is to get you some information to make a better decision (that's why you get paid those big tech $$$$, right?). *Cheap Advertising Plug* If you need more help, there is a contact button at the bottom and I'm happy to help source a solution for you!
Assumptions
We have to start out laying some ground rules or this will turn into anarchy pretty quickly. We will not be getting into other Microsoft licensing discussions (SharePoint, Intune, Autopilot, looking at you...). As a result, this will be a "wave-top" discussion with rough costs so you know what you are getting into.
- Your business has 350 people and everyone has an E3 license. (Note: If you have Business Premium at less than 300 seats, things get weirder, but this still might be helpful. Fully outsourced tends to be better at that level because it's unlikely you have the in-house expertise to leverage all the security tools to their maximum benefit.)
- You have 5 offices (4x branches and 1x HQ) and a healthy mix of remote personnel. Let's just pick a number and say 6 firewalls (2x high availability for HQ, 1 each per branch), plus some AWS stuff out there.
- At that size, you have a handful of IT personnel, and maybe a security person. Since your team is likely overworked and under-staffed, you are looking at weighing both an in-house managed solution and an out-sourced solution (or at least you should be!).
The Obvious Question: Sentinel Costs
Let's REALLY start having fun... Straight from the Microsoft Sentinel pricing page:
Microsoft Sentinel Pricing
Microsoft Sentinel is billed for the volume of data analyzed in Microsoft Sentinel and stored in Azure Monitor Log Analytics workspace. Data can be ingested as two different types of logs: Analytics Logs and Basic Logs.
Sentinel Pricing (link)
So there is no direct license cost for Sentinel, you are paying for the data ingested and stored.
Pricing is broken down into different groups: Pay-as-you-go and Commitment Tiers. The real challenge is the first tier doesn't start until 100GB/day. That is a LOT of log data!
Besides the base price for Sentinel, the chart also indicates an additional price for the actual log analysis. Microsoft is also kind enough to combine them, and we end up with an effective price of $5.22/GB/day with Pay-As-You-Go.
Now we look at the two types of logs: basic and analytic. Let's run back into the documentation and see that, "Analytics logs typically make up most of your high security value logs. Basic logs tend to be verbose with low security value. It's important to note that billing is done per workspace on a daily basis for all log types and tiers."
The additional wildcard is that since we are using a Microsoft product, some Microsoft data ingestion is offered at no charge. But since that is difficult to estimate for each organization, we will just ignore it and accept that this is a guesstimate overall.
Another Cost: Data Retention
To give you a glimpse into the challenge that is pricing for Sentinel, let's look at a quote from the Microsoft Sentinel Technical Playbook for MSSPs:
Cost components
Microsoft Sentinel is billed based on the volume of data ingested for analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace. The analytics enabled by Microsoft Sentinel do not include the related data ingestion charges for Log Analytics, and both costs must be considered within the estimation.
Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for the first 90 days. Retention beyond 90 days will be charged per the standard Azure Monitor Log Analytics retention prices.
Additional costs may be incurred based on usage of other services within Microsoft Sentinel. Utilizing Logic Apps for automation, or Machine Learning for analysis are two common examples. Microsoft Sentinel Technical Playbook for MSSPs
Okay, so how much is it going to be? That's the hard part: at this stage, you likely have no idea, and neither do I. Do you need additional log retention past 90 days? How much log data are you ingesting each day? Do you want to add cloud apps or your AWS service logs into ingestion as well? Do you want to hook up some awesome ML analysis your Data Science intern read about on a blog? Unknown, so let's just work out the base cost.
What do I do for base cost? Check the docs! Microsoft includes Sentinel in the Azure services calculator here. Many different SIEM platforms also use a calculator to help figure out their OWN ingestion, like this one from Teska Labs. We can assume that Microsoft Active Directory logs are going to be free in Sentinel, so let's type in our counts for the other sources to get a low-end ballpark on what we might be looking at.
Estimates from the calculator:
Let's round up to 23 GB/day. That seems like a lot of data. And other calculators I've looked at estimated even more: up to 109 GB per day. That first 100 GB commitment tier is starting to look pretty good at $3.43/GB/day.
The point is: there is no good way to estimate your log usage unless you:
- Actually measure/estimate it in advance per device type from documentation or log size on the device
- Start a free Sentinel trial, ingest an example device into sentinel, and extrapolate
- Have someone on staff/pay someone who has done this before to estimate it
Sure, this is only an estimate, as the data could be more or less depending on the "robustness" of your logging level for different devices. But the primary goal is figuring out whether this adds $100 or $1000 per month so we know roughly how much it may increase. So let's take our 23 GB/day estimate above as a baseline and work out some rough numbers.
Using the Microsoft Azure calculator for Sentinel (search for Sentinel) I previously talked about, we get:
This brings us to a total of $2,955 estimated cost for Sentinel and data, but this only includes the ingested data from endpoints, firewalls, and EDR.
What this doesn't capture is log storage past 90 days. But the same Azure calculator will do that estimate for us as well.
Just to give you an idea here, 9 months of logs (see the note saying "Total Retention" and "The first 3 months are free.") at our 23 GB estimate works out to be an additional $629.63. If we want to put 12 months into archive, we end up with a $167.90/month additional storage fee.
That brings our overall monthly cost up to $3,752.63 once we actually reach those data storage levels.
This is an incredibly simple estimate and doesn't take into account any other logs from any security tools, cloud platforms, or any extended data retention you may have. Are you subject to HIPAA? Better increase that log retention QUITE a bit. As you grow and add more products you can also expect the cost for Sentinel to increase as well, so ensure you budget that into the cost of new tools.
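To make the tier comparison and the retention math above concrete, here is a small cost model. It is an added example, not code from the original post or from Microsoft; it takes the post's quoted per-GB rates as inputs, and the $0.10/GB/month interactive-retention and $0.02/GB/month archive rates are assumptions chosen because they reproduce the post's $629.63 and $167.90 figures, so refresh every rate from the live calculator before relying on the output.

```python
# Added cost model, not from the original post. Rates are inputs, not
# statements about current Azure pricing; refresh them from the calculator.
PAYG_RATE = 5.22            # $/GB, effective pay-as-you-go rate quoted in the post
COMMIT_100_RATE = 3.43      # $/GB, effective rate for the 100 GB/day commitment tier (post)
COMMIT_100_GB = 100         # GB/day billed in full whether you fill it or not
FREE_RETENTION_MONTHS = 3   # first 90 days of retention are free (post)
RETENTION_RATE = 0.10       # $/GB/month, ASSUMED interactive retention rate
ARCHIVE_RATE = 0.02         # $/GB/month, ASSUMED archive tier rate
DAYS_PER_MONTH = 365 / 12   # month length the calculator appears to use (assumption)


def monthly_gb(gb_per_day):
    return gb_per_day * DAYS_PER_MONTH


def payg_monthly(gb_per_day):
    """Pay-as-you-go: every ingested GB is billed at the effective rate."""
    return monthly_gb(gb_per_day) * PAYG_RATE


def commit_100_monthly(gb_per_day):
    """100 GB/day commitment tier: the full tier is billed even when under-used.
    Assumption: ingestion above the tier is billed at the same tier rate."""
    return monthly_gb(max(gb_per_day, COMMIT_100_GB)) * COMMIT_100_RATE


def breakeven_gb_per_day():
    """Daily volume above which paying for the whole tier beats pay-as-you-go."""
    return COMMIT_100_GB * COMMIT_100_RATE / PAYG_RATE


def cheaper_tier(gb_per_day):
    return "commitment" if commit_100_monthly(gb_per_day) < payg_monthly(gb_per_day) else "payg"


def retention_monthly(gb_per_day, total_months):
    """Steady-state charge for interactive retention beyond the free window:
    you hold (total_months - 3) months of data, billed per GB per month."""
    paid_months = max(total_months - FREE_RETENTION_MONTHS, 0)
    return monthly_gb(gb_per_day) * paid_months * RETENTION_RATE


def archive_monthly(gb_per_day, archive_months):
    """Steady-state charge for data parked in the archive tier."""
    return monthly_gb(gb_per_day) * archive_months * ARCHIVE_RATE


if __name__ == "__main__":
    gb = 23  # the post's rounded ingestion estimate
    print(f"PAYG at {gb} GB/day: ${payg_monthly(gb):,.2f}/month")
    print(f"100 GB tier breakeven: {breakeven_gb_per_day():.1f} GB/day")
    print(f"12-month retention at {gb} GB/day: ${retention_monthly(gb, 12):,.2f}/month")
    print(f"12-month archive at {gb} GB/day: ${archive_monthly(gb, 12):,.2f}/month")
```

The useful takeaway is the breakeven: with these rates the 100 GB/day tier is cheaper than pay-as-you-go once you ingest roughly 66 GB/day, well before you actually fill it.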
What's Still Missing: Analytic Rules, Response, and Playbooks
What we have right now is a consolidated location for all of our logs and any alerts being triggered by any security tools you are ingesting. But we still need to consider that your organization will be responsible for configuring and managing the analytic rules that are run on all that log data. That is all done in an analytic workspace within Azure. Luckily, Microsoft bundled this cost into our Sentinel cost estimation.
So fire up those reading eyes and check out more documentation, this time the Security Orchestration, Automation, and Response in Microsoft Sentinel documentation.
The Cliff's Notes version is that you can do some basic automations for free, but if you want a more advanced response than tagging a person as the "owner" of an incident, you are looking at creating playbooks. Since the analytic rules workspace is free, I'll leave you with the resources to investigate that yourself and we can move on.
Microsoft Sentinel Playbooks
There is a whole guide about playbooks. But here is some slightly bad news.
Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, a cloud service that helps you schedule, automate, and orchestrate tasks and workflows across systems throughout the enterprise. This means that playbooks can take advantage of all the power and capabilities of the built-in templates in Azure Logic Apps. Note: Azure Logic Apps creates separate resources, so additional charges might apply. For more information, visit the Azure Logic Apps pricing page. Automate Response With Playbooks - Microsoft (link)
That's right, here is another pricing page. This one I won't try to estimate since it is based on run time. I only bring it to your attention because it's another thing your team will have to budget and manage. Hopefully someone out there will offer their expertise here, and I will come back and edit this article!
Adding Endpoint Response Options With Defender
So far we have gotten Sentinel to consolidate logs, detect bad things, and have some automated response actions built in. But if you want an actual response on the endpoint, the Microsoft Defender for Endpoint plan that comes with the E3 license does not include "true" EDR capabilities. A security team can isolate a host and perform scans with Plan 1, but there are no behavioral analytic detections like the CrowdStrikes and SentinelOnes of the world. If you are already paying for an EDR agent you can skip this section, but since you are investigating Sentinel I'd imagine you are also interested in Defender.
If you read that Gartner rated Microsoft Defender as a good capability, they were referring to Defender for Endpoint Plan 2, which comes with an additional cost. That can come in the form of the Microsoft E5 Security add-on, the Enterprise Mobility and Security E5 add-on, or just adding the Defender for Endpoint Plan 2 license.
The full E5 upgrade and Mobility and Security E5 add-on also come with lots of other Defender capabilities (Identity, Cloud Apps, Cloud (servers), and more). So do realize you are getting more value here, but you are also aggressively buying into the Microsoft ecosystem.
I'm going to be honest, I don't have an E3 license in my Microsoft account. In my admin portal I can see the Enterprise Mobility and Security E5 add-on, but not the pure security add-on. Some sites and people I have talked to have ballparked that at $12.00 per user, so we will use that as a potential example. The specific pricing for the Defender for Endpoint Plan 2 add-on is similarly difficult to find, so we will take the average of a bunch of online guides and go with $5.00/user.
We are looking at adding either E5 licenses (list price of $57.00 per user, per month as of publication, source) or the Microsoft E5 mobility and security add-on, officially Enterprise Mobility and Security E5 (list price of $16.40 per user, per month as of publication, source). Since our example company has E3 licenses, we will summarize the potential added costs below:
Total Costs
Breaking it down:
- Baseline cost for Sentinel = $2,955
- Data Storage = $797.53
- Baseline license cost for Defender Add-On = $1,750-$10,850
- Total = $5,502.53/month, $66,030.36/year (Waaaaaaay more for full E5)
Not captured:
- Person-hours for configuration, management, alert response, threat hunting
- Playbook add-on cost
So... is that good?
It depends: what are you comparing it to?
I don't think you can directly compare SIEM platform pricing with the majority of the big vendors, mostly because there are so few published prices. Cybersecurity products have this fun sales process where you have no idea how much something costs before your first hour of meetings and a demo. I don't deal in direct software sales so I can't compare to the Splunk, LogRhythm, SumoLogic, FortiSIEM, or any other players out there. In this context, I only hoped to illustrate the overall cost so you can compare it to what you may have in hand from another provider.
Strictly comparing price also doesn't take into account differences in capability between the platforms.
What I will say after having a lot of managed SIEM quotes come through my email for those same SIEM platforms above: for that same price you can pay for a fully managed SIEM solution managed by someone else, plus have a SOC monitor alerts. For a bit more you can get managed EDR on all 350 of those endpoints with Crowdstrike or Sentinel One.
Comparison Costs
For this same organization user and site count we regularly get quotes from a number of really good providers of fully-managed SOCs between $4,000 - $7,000 per month all-in, which includes licensing for a SIEM and EDR like CrowdStrike or SentinelOne, plus all the management. If you bring your own in-house Sentinel and Defender instead, the quote may decrease slightly, but not by much, because those providers leverage volume discounts for their SIEM licensing but generally pass through the EDR pricing. Let's call it $3,000-$6,000 per month.
External providers can also include other extras, depending on the provider, such as vulnerability scanning, risk scores, penetration testing, or others if you bundle. If you really shop around or find providers that are newer or smaller you can bring that down even more. I tend to recommend providers with robust SOC capabilities, mostly because they can actually get a company through a successful implementation with fewer hiccups.
With other SIEM platforms, we also have the option of "creative billing" providers. By that, I mean vendors who don't charge by ingestion of data; they charge by user. That means no matter how many devices you have being ingested, their log pricing stays consistent. These are more "XDR" providers who want more context into your environment to get the best detections, and the only real way to convince you to send it is to not charge for that log data.
Do You Recommend Sentinel And Defender?
It depends. If you are in our example situation (user count 350, E3 licenses already on hand), I don't recommend it. The cost difference is just too great, and we haven't even counted the hours for configuration and management. But for other circumstances, Sentinel and Defender may make sense.
When it makes sense: If you are a larger organization and already pay for E5 licenses for other features (Teams voice, more in depth compliance visibility) or you value the billing simplicity, or even because your team already has the training for Sentinel, it can make a lot of sense. Also, if you are building your own internal SOC rather than relying on an external partner, Sentinel can be a good choice for you (whether you want to do that is yet ANOTHER article). Also, Microsoft is continuing to invest in their security capabilities like Defender and Sentinel, so it's highly likely it will evolve in good ways over the coming years.
When it doesn't make sense: When the cost compares with or outweighs a similar external solution (this example: $5,502.53 per month + SOC management cost of $4,000-$7,000 per month), or for smaller teams who don't have the training or bandwidth to continue to maintain Sentinel, it is a much less suitable choice.
At the end of the day, the choice is yours. I hope this has been helpful!