Applies to: Organisations evaluating or adopting Microsoft’s integrated security platform

 

Overview

This article provides a practical cost and configuration guide for organisations considering the Microsoft security stack, typically alongside a Managed Security Service Provider (MSSP). It covers the four key components of the solution, how each is purchased, how billing works, and realistic cost estimates based on a 250-server environment ingesting approximately 70 GB of log data per day.

 

Reference Scenario

The cost estimates in this article are based on the following environment:

  • 90 days of online data retained in Microsoft Sentinel
  • 365 days of data retained in Azure Data Lake Storage
  • 250 servers protected by Microsoft Defender for Servers (P1 or P2)
  • Log ingestion volume of approximately 70 GB/day (primarily Check Point firewall logs)
  • Deployment in the UK South Azure region

 

 

1. Microsoft Sentinel – SIEM & 90-Day Online Data

What is it?

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. It collects, analyses, and correlates security data across your environment and is the primary tool for threat detection, investigation, and response.

Data Retention

90 days of interactive (online) data retention is included as standard in the Analytics tier. No additional configuration is required for this; it is part of the base Sentinel offering. Data beyond 90 days must be offloaded to a separate storage layer such as Azure Data Lake (see Section 2).

How Pricing Works

Sentinel pricing is based primarily on the volume of data ingested, measured in GB per day. There are two main pricing models:

  • Pay-As-You-Go (PAYG): Charged per GB ingested, with no upfront commitment
  • Commitment Tiers: Pre-purchase a fixed daily ingestion volume at a discounted rate — beneficial if your daily ingestion is consistent and predictable

 

Current PAYG rate (UK South): approximately £2.167 per GB ingested

Pricing reference: Azure Log Analytics Cost Calculator UK

 

Cost Estimate (70 GB/day)

| Item | Monthly | Annual |
|---|---|---|
| Sentinel ingestion (70 GB/day @ £2.167/GB) | £4,550.70 | £54,608.40 |

 

How to Purchase

Sentinel is purchased and configured through the Azure Portal:

  • Create or select an existing Log Analytics Workspace
  • Enable Microsoft Sentinel on that workspace
  • Connect data sources (e.g. Check Point, Azure AD, Microsoft 365)
  • Choose your pricing tier: PAYG or a Commitment Tier based on your expected daily ingestion volume

 

💡 Tip

If your log volume is relatively stable (e.g. consistently around 70 GB/day), a Commitment Tier could reduce per-GB costs compared to PAYG at around 90 GB/day. Review your ingestion volume over 30+ days before committing.
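
One way to carry out that 30-day review, as an added example that is not part of the original article: two KQL queries to run separately in the Log Analytics workspace behind Sentinel. They assume the standard Usage table; the PAYG rate is the UK South figure quoted above, and the variable names are illustrative.

```kusto
// Query 1: daily billable ingestion over the last 30 full days, with the
// spread you need before choosing PAYG or a Commitment Tier.
// Usage.Quantity is reported in MB; dividing by 1000 gives billable GB.
let lookback = 30d;
let paygRatePerGB = 2.167;   // GBP per GB, PAYG rate quoted in this article
Usage
| where TimeGenerated >= startofday(ago(lookback))
    and TimeGenerated < startofday(now())
| where IsBillable == true
| summarize BillableGB = sum(Quantity) / 1000.0 by Day = bin(TimeGenerated, 1d)
| summarize
    Days  = count(),
    AvgGB = round(avg(BillableGB), 1),
    MinGB = round(min(BillableGB), 1),
    P50GB = round(percentile(BillableGB, 50), 1),
    P95GB = round(percentile(BillableGB, 95), 1),
    MaxGB = round(max(BillableGB), 1)
| extend EstMonthlyPaygGBP = round(AvgGB * 30 * paygRatePerGB, 2)

// Query 2 (run separately): which tables drive the volume, so that noisy
// sources can be identified before any filtering or tier decision.
Usage
| where TimeGenerated >= startofday(ago(30d))
    and TimeGenerated < startofday(now())
| where IsBillable == true
| summarize TotalGB = round(sum(Quantity) / 1000.0, 1) by DataType
| extend AvgGBPerDay = round(TotalGB / 30, 1)
| order by TotalGB desc
```

A wide gap between P50GB and P95GB indicates bursty ingestion, in which case a fixed daily commitment sized to the average will be exceeded on peak days.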

 

 

2. Azure Data Lake Storage – 365-Day Long-Term Retention

What is it?

Azure Data Lake Storage Gen2 (ADLS) provides scalable, low-cost object storage for long-term log retention. It is the underlying storage layer used for retaining security logs beyond the 90-day Sentinel window, enabling compliance, historical investigation, and audit requirements.

Important distinction: Sentinel provides security analytics and active querying. Data Lake is purely a storage layer — logs stored there are not directly queryable in Sentinel without re-ingestion unless you use Sentinel’s Basic Logs or Search Jobs feature.

Storage Tiers

ADLS offers four storage access tiers. Choose based on how frequently you need to access archived data:

  • Hot – Frequent access; highest storage cost, lowest retrieval cost
  • Cool – Infrequent access (at least 30 days); lower storage cost
  • Cold – Rare access (at least 90 days); lower still
  • Archive – Very rare access (at least 180 days); lowest storage cost, highest retrieval cost and latency

 

Pricing reference: Azure Data Lake Storage Pricing

Cost Estimate (70 GB/day, 365 days, Cool tier)

| Item | Monthly | Annual |
|---|---|---|
| Data Lake storage (approx. £0.02/GB/month) | ~£85 | ~£1,020 |

Note: Actual cost depends on the storage tier selected, retrieval frequency, and any data transactions. The estimate above assumes Cool tier with minimal retrieval.

 

 

3. Microsoft Defender for Servers – 250 Servers

What is it?

Defender for Servers is a workload protection plan within Microsoft Defender for Cloud that adds threat detection and advanced defences for Windows and Linux servers, whether hosted on Azure, on-premises, or in other clouds (AWS, GCP).

Plan Comparison: P1 vs P2

There are two plans available:

 

Feature

Plan 1 (P1)

Plan 2 (P2)

Core endpoint protection (MDE integration)

Threat detection & alerts

Adaptive application controls

Vulnerability assessment (Qualys or built-in)

Regulatory compliance dashboard

Attack surface reduction recommendations

Just-in-time VM access

File integrity monitoring

500 MB/day free log ingestion (Sentinel)

 

Full plan comparison: Select a Defender for Servers Plan – Microsoft Learn

 

Pricing (250 Servers)

| Item | Monthly | Annual |
|---|---|---|
| Defender for Servers P1 (250 × £3.656/server/month) | £914.00 | £10,968.00 |
| Defender for Servers P2 (250 × £10.880/server/month) | £2,720.00 | £32,640.00 |

 

Pricing reference: Microsoft Defender for Cloud Pricing

 

📌 Note

Billing is monthly and scales dynamically with your server count. If the number of protected servers reduces, the cost reduces accordingly — there is no long-term commitment at the server level.

 

How to Purchase

Enable Defender for Servers through the Azure Portal:

  • Open Microsoft Defender for Cloud
  • Navigate to Environment Settings
  • Select your Azure subscription
  • Enable Defender for Servers and choose Plan 1 or Plan 2
  • Billing begins immediately upon enablement, charged monthly based on the number of servers covered

 

 

4. Microsoft Defender for Cloud – The Umbrella Platform

What is it?

Microsoft Defender for Cloud is the overarching Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP). It is the portal and framework through which all Defender plans are managed.

The free tier (Cloud Security Posture Management) provides basic security recommendations and a Secure Score at no charge. You then enable paid plans selectively per resource type:

  • Defender for Servers (P1 / P2) – as described in Section 3
  • Defender for Storage – detects unusual access patterns, malware uploads, sensitive data exposure
  • Defender for SQL – protects SQL databases on Azure, on-premises, and other clouds
  • Defender for Containers, Key Vault, App Service, and others – available separately

 

Pricing for all plans: Microsoft Defender for Cloud Pricing

 

💡 Tip

You only pay for the plans you enable, and only for the resources covered. Start with Defender for Servers as the primary workload protection, then evaluate additional plans based on your environment (e.g. Defender for Storage if you use Azure Blob Storage for sensitive data).

 

 

Cost Summary

The table below summarises estimated monthly and annual costs for the reference scenario, using Defender for Servers P2 (recommended for comprehensive protection):

 

| Item | Monthly | Annual |
|---|---|---|
| Microsoft Sentinel (70 GB/day ingestion, PAYG) | £4,550.70 | £54,608.40 |
| Azure Data Lake Storage (365-day retention, Cool tier) | ~£85.00 | ~£1,020.00 |
| Defender for Servers P1 (250 servers) | £914.00 | £10,968.00 |
| Defender for Servers P2 (250 servers) | £2,720.00 | £32,640.00 |
| TOTAL – P1 Scenario | ~£5,550 | ~£66,596 |
| TOTAL – P2 Scenario (recommended) | ~£7,356 | ~£88,268 |

 

⚠️ Important

These figures are estimates based on published Azure pricing at time of writing and the specific reference scenario. Actual costs will vary based on your data ingestion volume, server count, storage tier selection, commitment tier discounts, and Azure region. Always validate against the Azure Pricing Calculator and your specific Azure agreement.

 

 

Key Cost Drivers & Considerations

  • Sentinel ingestion is the dominant cost. Log ingestion volume – particularly from verbose sources like firewall logs – will drive the majority of the Sentinel bill. Optimise your data connectors and use data collection rules (DCRs) to filter noise before ingestion.
  • Data Lake is low cost. Long-term retention in Azure Data Lake is inexpensive compared to Sentinel. Offloading data beyond 90 days to the Data Lake is an effective cost control strategy.
  • Defender for Servers scales with your fleet. As server count changes, so does cost – no minimum commitment per server.
  • P2 offers significant additional value. For organisations with compliance requirements, vulnerability management needs, or active attack surface management programmes, P2 is generally the recommended choice. The 500 MB/day free Sentinel ingestion per P2 server can also partially offset Sentinel costs.
  • Commitment tiers can reduce Sentinel cost. If ingestion volume is predictable, a Commitment Tier pricing model can be 30–60% cheaper than PAYG at high volumes.

 

 
