Release: Sentinel IngestIQ - Free Ingest Calculator for Microsoft Sentinel

Thu, 16 Apr 2026 00:00:00 GMT

It's here: The Sentinel IngestIQ Calculator is now available - free and without registration.

In my last article, I described why cost calculation for Microsoft Sentinel has become nearly impossible. Six interlinked optimization layers, dozens of interdependent variables, and a pricing model that seems to change every few months. Mapping all of this in a spreadsheet is tedious at best - and usually inaccurate.

IngestIQ solves exactly this problem.

What the Tool Does

The calculator covers the complete Sentinel cost optimization path - from gross calculation to the final monthly bill:

Step 1 - Environment Parameters

Enter your infrastructure: users, servers (Windows, Linux, DCs), firewalls, DNS servers, proxies, network devices. The tool calculates the expected daily ingestion volume per category - drawing on a mix of experience from various Sentinel implementation and migration projects I personally worked on, as well as estimates from reputable sources (e.g. CIS, Microsoft, etc.).

Step 2 - Free Data Sources

Automatic deduction of free sources: Azure Activity Logs, Office 365 Audit Logs, and Security Alerts. Depending on the environment, that's 10-30% of total volume.

Step 3 - M365 E5 Security Benefit

Activatable via toggle: 5 MB/user/day data grant for Entra Sign-In Logs, Audit Logs, MDCA, and Purview. Shows the exact savings in € per day and month.

Step 4 - Defender for Servers P2

Complete ROI calculator: 500 MB/server/day benefit vs. €10/server/month upgrade cost. The tool recommends the optimal number of P2 licenses and shows whether the upgrade is economically worthwhile.

Step 5 - Auxiliary Logs / Data Lake

Per-source configuration with slider: Which log sources should go to the Data Lake (€0.40/GB) instead of the Analytics Tier (€4.80/GB)? DNS, proxy, firewall, NAC, non-interactive sign-ins - each with configurable split ratio.

Step 6 - Commitment Tiers & Pre-Purchase

Commitment tier selection with automatic recommendation based on actual Analytics volume. Plus pre-purchase plan calculation with 12-month projection.

Bonus: Commercial Cost Overview

Professional cost breakdown with all line items (Analytics Tier, Data Lake, MDC P2 licenses, Pre-Purchase CUs) - including a 12-month projection chart. Ideal for proposals and architecture decisions.

All calculation factors (GB per user, per server, per firewall, etc.) are transparently accessible and can be adjusted as needed - so you can calibrate the tool to your specific environment.

Why Free?

I believe good security tools should be accessible to everyone - not just organizations with large budgets. Sentinel is a powerful SIEM, but the complexity of cost calculation prevents many from leveraging available optimization options. IngestIQ aims to remove that barrier.

The tool was born from practice: I originally used lists, Excel files, and a lot of tedious manual work to create sizings for my customers at base-IT - until I decided that the broader community deserved something better. This calculator is the result - and I hope it will help many people get a clearer picture of their Sentinel costs.

PDF Export

The Commercial Proposal can be exported as a professionally structured PDF - perfect for:

Proposals and cost estimates
Architecture documentation
Management presentations
Budget planning

Try It Now

👉 Open Sentinel IngestIQ →

Feedback, feature requests, or bug reports? Reach out on LinkedIn or via email.

Calculating Sentinel Costs? Why Sizing Has Become Rocket Science...

Sun, 12 Apr 2026 00:00:00 GMT

I've been working with Microsoft Sentinel for years - as Lead Architect Security at base-IT, I regularly deploy the Microsoft SIEM & SOAR solution for customers. And if there's one thing I've learned, it's this: Cost calculation for Sentinel has become the most complex part of the entire deployment.

Sound like an exaggeration? Unfortunately, it isn't. We're no longer talking about a simple GB × price model (well, yes - in principle, but...). We're talking about a system with interlinked optimization layers, where turning the wrong dial on one can invalidate another.

I barely know anyone who truly understands their Sentinel costs down to the detail. Most just take the Pay-As-You-Go price and hope for the best. This article aims to solve that "mystery." If you still need help after reading this, don't hesitate to reach out.

The Core Problem: Too Many Variables

When someone asks me: "What will Sentinel cost us?", my honest answer is: It depends. On significantly more factors than you'd expect...

The Obvious Variables

Number of users - drives Sign-In Logs, Entra Audit Logs, collaboration data, business applications, and much more
Number of servers - Windows Event Logs, Security Event Logs, Syslog, performance counters
Network devices - firewalls, switches, access points, NAC
DNS/DHCP infrastructure - often the single largest log producer by volume, yet still a very interesting log source
Proxy/SWG - web traffic logs can easily generate several GB/day per 1,000 users and offer comparatively little added value

The Less Obvious Variables

Licensing - Does the organization have M365 E5 or E5 Defender Suite? That activates one of many Microsoft Ingest Benefits.
Microsoft Defender for Cloud - Is Plan 2 for Servers active? That directly impacts ingestion costs.
Log verbosity - A domain controller produces significantly more event logs than a standard server.
Non-interactive sign-ins - Token refreshes and silent SSO typically generate 3-10× the volume of interactive sign-ins.
Time of day - Yes, this matters too. Log distribution across 24 hours is not uniform, and weekends naturally look different again.

The Layers of Cost Optimization

What makes this truly complex: There isn't one price. There are multiple benefits and optimization options that build upon each other. Each stage reduces costs - but only if you know about it and apply it correctly.

Step 1: Calculate Gross Volume

The first step is relatively straightforward: Estimate the daily gross ingestion volume per category. How many GB/day each source will produce.

Sounds trivial, but it isn't. Because who actually knows how much data their own infrastructure produces? And Microsoft's own estimates are... to put it kindly: rarely accurate (or non-existent).

My experience from various projects:

Log Category	Typical Driver	Magnitude
Sign-In Logs	per user/day	15-25 MB (interactive + non-interactive)
Control Plane (Entra Audit)	per user/day	3-8 MB
Windows Event Logs	per server/day	200-500 MB (DC: 500-2000 MB)
Firewall	per FW/day	highly variable, 500 MB - 50 GB
DNS	per DNS server/day	1-20 GB (!)
Proxy/SWG	per 1,000 users/day	2-10 GB

DNS & DHCP logs are a classic: Hardly anyone expects a single DNS/DHCP server to produce several GB per day. These are often the most expensive "surprises" on the first monthly bill. The same applies to firewall logs, of course.

Step 2: Subtract Free Data Sources

What many don't know: Some data sources are completely free in Sentinel. This is documented in the Microsoft documentation, but surprisingly often overlooked in sizing exercises.

The following sources cost nothing:

Azure Activity Logs (AzureActivity table) - all control plane activities of Azure subscriptions
Office 365 Audit Logs (OfficeActivity table) - SharePoint, Exchange, Teams activities
Security Alerts (SecurityAlert table) - alerts from Defender XDR, Defender for Cloud, Defender for Identity, MDE, MDCA, MDO

Depending on the environment, that's easily 15-30% of total volume that simply drops off. For customers with primarily cloud workloads and M365, it can be even more.

Step 3: The M365 E5 Security Benefit

This is where it gets really interesting. Customers with Microsoft 365 E5 or E5 Defender Suite Add-on receive a Data Grant of 5 MB per user per day for specific Sentinel data sources.

That sounds small - but it isn't. For 1,000 users, that's 5 GB/day deducted from:

Entra ID Sign-In and Audit Logs
Microsoft Defender for Cloud Apps (MDCA)
Microsoft Purview Information Protection
M365 Advanced Hunting data (Defender XDR)

At a Pay-As-You-Go price of €4.80/GB (EU West region), that's €24/day or €720/month in savings - just from the E5 benefit. For 5,000 users, we're talking €3,600/month.

Step 4: Defender for Servers P2 Benefit

Those with Microsoft Defender for Cloud Plan 2 active get an additional ingestion benefit of 500 MB per server per day.

This benefit applies to specific security tables:

SecurityEvent / WindowsEvent
SecurityAlert / SecurityBaseline
WindowsFirewall / ProtectionStatus
Update / UpdateSummary

Important: The upgrade from Defender for Cloud P1 to P2 costs approximately €10/server/month. Whether that pays off depends directly on how much eligible data the servers actually produce.

The math simplified:

A Windows server typically produces 200-500 MB/day of eligible events (DCs naturally more)
The benefit covers 500 MB/day → most of it is covered
Savings at €4.80/GB: approximately €1-2.40/server/day = €30-72/server/month
Minus the €10/month upgrade cost: Net €20-62/server/month savings

With 50 Windows servers, that can mean savings of €1,000-3,000/month. That's significant.

Step 5: Auxiliary Logs / Data Lake Tier

This is - in my opinion - one of the best features Microsoft introduced in 2026, making the pricing model considerably more complex yet again.

The idea: Not all logs need real-time detection in the Analytics Tier. Some log sources have extremely high volume but are primarily relevant for threat hunting and forensics - not real-time alerting.

For exactly these data, there's the Data Lake Tier (formerly "Auxiliary Logs") with a drastically reduced price of approximately €0.40/GB (the calculation behind that would warrant its own blog article...) instead of €4.80/GB in the Analytics Tier.

Typical candidates for the Data Lake Tier:

Log Source	Why Data Lake?
DNS/DHCP Logs	Extremely high volume, rarely needed for real-time detection
Proxy/SWG Logs	Summary/block events in Analytics, the rest in the Data Lake
Firewall allow traffic	Deny/threat logs in Analytics, allow traffic in the Data Lake
NAC/Switch Logs	Auth failures in Analytics, port events in the Data Lake
Non-interactive sign-ins	Token refreshes rarely need real-time detection

The trick: You split a source's traffic - e.g., at a 1:6 ratio for DNS (1 part Analytics, 6 parts Data Lake). This preserves detection capability for critical events while massively saving on high-volume data.

Example calculation:

A DNS server produces 3 GB/day
All in Analytics Tier: 3 × €4.80 = €14.40/day
Split 1:6 → 0.5 GB Analytics + 3 GB Data Lake: (0.5 × €4.80) + (3 × €0.40) = €3.60/day
Savings: 75% for this one source

Microsoft themselves explicitly recommend the Data Lake Tier for "lower fidelity or secondary security data" - see the official documentation.

Step 6: Commitment Tiers & Pre-Purchase Plans

Once you know your actual Analytics Tier volume after steps 1-5, you can save even more with Commitment Tiers. Instead of Pay-As-You-Go, you book a fixed daily volume and receive a volume discount.

Tiers start at 50 GB/day (note - likely only temporarily available) and offer discounts of up to 50%+ compared to PAYG depending on volume. The catch: You pay the commitment even if you consume less. That's why it's critical to know the volume after optimization steps 2-5 before committing.

Additionally, since 2024 there are Pre-Purchase Plans: You buy Sentinel Commit Units (CUs) upfront with a very attractive discount (depending on Azure region - but potentially up to 20-30%) and apply them over 12 months. These CUs only apply to the Analytics Tier - the Data Lake Tier is not covered.

Why a Spreadsheet Won't Cut It Anymore

Looking at these options, it becomes clear: The calculation is a multi-dimensional optimization problem.

The steps aren't independent. Both the E5 benefit and the MDC P2 benefit reduce the volume that can be shifted to the Data Lake. Identifying which log sources make sense for Data Lake Tier ingestion and how much that would cost is difficult. And the final Analytics volume determines which Commitment Tier and Pre-Purchase Plan makes sense.

When you additionally consider that:

Each log category has its own volume factor
Free sources and the E5 benefit only affect specific tables
MDC P2 only covers Windows-based (no Syslog) events
The Data Lake split is configurable per source (and even more granularly)
Commitment Tiers have a minimum you pay even if you're under

...you have a system with dozens of interdependent variables. That's nearly impossible to model cleanly in a simple spreadsheet - and certainly not intuitive for someone doing it for the first time.

Conclusion: We Need a Better Tool

The reality is: Most sizing conversations I have follow the same pattern. You estimate roughly, take the PAYG price, and then wonder about the first bill. Or you optimize in one area, miss another - and end up paying more than necessary.

What's missing is a tool that brings all these variables together. That understands the dependencies. That shows which optimization pays off for this specific environment and which doesn't. And that presents the results in a way you can directly use in a proposal or architecture decision.

Sneak Peek: I'm currently working on exactly such a tool. A Sentinel Ingest Calculator that covers all benefits & optimization options - from gross calculation through free sources, E5, MDC P2, and Data Lake all the way to Commitment Tiers and Pre-Purchase Plans. Including ROI calculation for MDC P2, waterfall visualization, and PDF export of a "Commercial Proposal."

The tool will be released for free soon - stay tuned. 🚀

Configure log sources: categories, multipliers, and daily volume at a glance

Waterfall visualization: cost reduction step by step across all benefit stages

Result: final cost overview with commitment tiers and total savings

Essential Documentation

For those wanting to dive deeper, here's the Microsoft documentation I consider essential:

Plan costs and understand Microsoft Sentinel pricing and billing - the starting point for everything
Reduce costs for Microsoft Sentinel - Commitment Tiers, Data Lake, Pre-Purchase
Free data sources - which tables are free
Defender for Servers P2 Ingestion Benefit - the 500 MB/server/day benefit
Switch to simplified pricing tiers - the unified pricing since July 2023
Pre-Purchase Plans - CU-based upfront discounts
Data tiers and retention - Analytics vs. Data Lake vs. Archive

Have questions about Sentinel cost calculation or optimization options? Reach out on LinkedIn or via email.

whennotif.io