$5.22/GB
Sentinel PAYG Analytics tier rate
87% cheaper
Basic Logs cost vs Analytics
97% cheaper
Auxiliary Logs cost vs Analytics
40-60%
Potential cost reduction via right-tiering

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A 200-employee organization running Microsoft Sentinel at pay-as-you-go rates can easily spend $38,000 to $76,000 per year on log ingestion alone. The surprise is not that Sentinel is expensive. The surprise is that most organizations are paying the highest possible rate for data they almost never query. Microsoft's three-tier ingestion model: Analytics Logs, Basic Logs, and Auxiliary Logs: was designed to solve exactly this problem. The vast majority of practitioners leave everything at Analytics tier because it is the default. This guide gives you a per-source-type decision matrix, concrete dollar figures, and the retention arbitrage strategy that most teams miss.

Understanding the Three Tiers: What You Can and Cannot Do

Each tier has a different price point because each tier has a different capability set. Choosing the wrong tier is not just a cost problem: it is a detection problem if you move detection-critical data to a tier that does not support scheduled analytics rules.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The Per-Source Decision Matrix

For each log source type, the right tier depends on three questions: Does your detection logic run against this data? How often do investigators query it interactively? Does regulation require you to retain it long-term? The answers drive the tier assignment.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Retention Arbitrage: The Move Most Teams Miss

Retention arbitrage is the practice of keeping data at Analytics tier for the active detection window, then transitioning it to a cheaper tier as it ages. Microsoft supports interactive archival directly from Analytics Log workspaces.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Commitment Tiers: When the Math Works

Microsoft Sentinel Commitment Tiers offer significant per-GB discounts for predictable ingestion volume. At 100 GB/day, the Commitment Tier rate is approximately $3.04/GB compared to $5.22/GB PAYG: a 42% discount. At 200 GB/day, the rate drops further.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Common Over-Ingestion Mistakes and How to Catch Them

The fastest way to find savings is to query your current ingestion distribution. The KQL query Usage | where TimeGenerated > ago(30d) | summarize TotalGB = sum(Quantity)/1000 by DataType | order by TotalGB desc shows exactly which table is consuming the most volume. Most practitioners have never run this query.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Implementation Sequence for Existing Workspaces

Changing log tiers on active Sentinel workspaces requires care. Detection rules referencing a table that you move to Basic Logs will stop firing. The sequence below minimizes operational risk.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Most organizations running Microsoft Sentinel are paying for a Porsche and driving it in first gear. The Analytics tier is the right choice for detection-critical data. It is the wrong choice for raw firewall permit traffic, high-volume DNS queries, and aged compliance data. Right-tiering without losing coverage is not a compromise: it is the correct architecture. Run the ingestion distribution query, apply the decision matrix, and execute the migration in stages. A 40-60% cost reduction is realistic within 60 to 90 days without changing a single detection rule.

Frequently asked questions

Can I use Basic Logs tables as a source in Sentinel analytics rules?

No. Basic Logs tables do not support scheduled analytics rules, real-time alert rules, or UEBA. They support interactive KQL queries in Log Analytics only. If you move a table to Basic Logs, any analytics rules referencing that table will stop functioning. Always audit your active detection rules against a table before changing its tier.

What is the retention period for Basic Logs?

Basic Logs have a fixed interactive retention period of 8 days. After 8 days, data transitions to archive storage. You can rehydrate archived data for interactive querying, but this incurs additional compute cost and takes time. For data you need readily available during investigations, 8 days of hot retention may be insufficient.

How long does data rehydration take for Auxiliary Logs?

Rehydration from Auxiliary Log archive storage typically takes up to 24 hours. You submit a rehydration job specifying a time range and target table, and the data becomes queryable in a temporary workspace once the job completes. Plan your incident response playbooks to account for this delay if any log types are in Auxiliary tier.

When do Commitment Tiers make financial sense?

Commitment Tiers pay off when your Analytics-tier ingestion volume is predictable and exceeds roughly 100 GB per day. The 42% discount at the 100 GB/day tier versus PAYG is substantial. However, you should right-tier your sources first to get your Analytics-tier volume to its correct level before committing, otherwise you may over-commit based on inflated mis-tiered volume.

Does moving firewall logs to Basic Logs reduce my detection coverage?

Only if you have active analytics rules querying firewall permit traffic. For most organizations, firewall-based detection rules trigger on deny events, threat signatures, and policy violations rather than raw permit traffic. Audit your active rules, confirm none reference permit-traffic-specific fields, then migrate. Most organizations find zero detection coverage impact when moving permit traffic to Basic Logs.

How do I find which tables are consuming the most ingestion volume in my workspace?

Run this KQL query in Log Analytics: `Usage | where TimeGenerated > ago(30d) | summarize TotalGB = sum(Quantity)/1000 by DataType | order by TotalGB desc`. This produces a ranked list of tables by ingestion volume over the past 30 days. Start your cost optimization work with the top five tables on this list.

Can I move Entra ID sign-in logs to Basic Logs?

Interactive sign-in logs should stay at Analytics tier because they feed identity-based detection rules including impossible travel, MFA bypass, and token theft alerts. Non-interactive sign-in logs (service principal and managed identity traffic) are reasonable Basic Logs candidates if you do not have analytics rules targeting service principal behavior specifically. Split the two categories and evaluate each independently.

Sources & references

  1. Microsoft Sentinel Pricing Documentation
  2. Charbel Nemnom - Sentinel Cost Optimization Series
  3. Microsoft Learn - Sentinel Data Connectors

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.