Introduction
Security teams have long faced a tough challenge: balancing visibility with cost. A year ago, many organizations hesitated to adopt Microsoft Sentinel because of the high cost of the Analytics tier, forcing them to strip data down to the bare minimum. Microsoft listened. The Sentinel Data Lake tier is the proven way to slash SIEM costs while maintaining full visibility, compliance, and advanced analytics. In this post, we’ll break down why this matters, show real-world cost comparisons across multiple log sources, and explain how to implement summarization workflows for maximum savings.
Why Sentinel Data Lake Exists
Clients asked for:
- Lower retention costs for massive log volumes.
- Predictable query pricing without sacrificing performance.
- Advanced analytics capabilities for AI and ML readiness.
Microsoft delivered:
- Storage at $0.026 per GB/month.
- Query-on-demand at $0.005 per GB scanned.
- Processing at $0.05 per GB summarized.
- Seamless integration with Analytics tier for real-time detection.
Expanded Cost Breakdown: Analytics vs Data Lake
For an organization with 5,000 users and 3 locations, here’s a realistic estimate of daily log volume across multiple sources:
Estimated Daily Log Volume by Source
| Data Source | Daily Ingest | Monthly Ingest |
|---|---|---|
| Microsoft Defender (Endpoint, Office 365, Identity) | ~6 GB | ~182.5 GB |
| Microsoft Entra ID | ~2 GB | ~60.8 GB |
| Defender for Cloud Apps | ~1 GB | ~30.4 GB |
| Windows Security Events (Server & Domain Controllers) | ~9 GB | ~273.8 GB |
| Azure Activity Logs (Resource Management) | ~2 GB | ~60.8 GB |
| Network Logs (Firewall, VPN, IDS/IPS) | ~8 GB | ~243.3 GB |
| Application Logs (Custom Apps, API Gateways) | ~3 GB | ~91.25 GB |
| Cloud Platform Logs | ~4 GB | ~121.7 GB |
| Total | ~35 GB | ~1.03 TB |
Option A: Analytics Tier Only
- Ingestion: 1,064 GB × $5 = $5,273/month ($63,276/year)
- Retention beyond 90 days: 1,064 GB × $0.12 × 9 months = ~$128/month ($1,532.16/year)
- Annual cost: ~$64,808/year
Option B: Data Lake + Summarization (a summarization job every 5 minutes, writing reduced data to an Analytics table)
- Data Lake storage: 1,064 GB × $0.026 = ~$27.66/month ($331.97/year)
- Data Lake query: ~288 runs per day at ~0.12 GB per scan = ~$5/month ($60/year)
- Processing: $0.05/GB processed → ~$52.50/month ($630/year)
- Analytics ingestion (summarized data): assume a 90% reduction → 105 GB × $5 = $525/month ($6,300/year)
- Annual cost: ~$7,320/year
✅ Savings: ~$57,488/year (≈88%)
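The two options above are easy to recompute for your own volumes, and the interesting question a practitioner will ask is how much summarization is actually needed before the Data Lake route wins. The following is an added example, not code from the post or from Microsoft: it takes the unit prices and the per-source daily volumes quoted in this post as inputs (verify them against current pricing), models Option A and Option B in the same way the post does, and adds a break-even helper. It leaves out the post's small Analytics long-term retention term, so totals are close to, but not identical with, the post's rounded figures.

```python
"""Cost model for Analytics tier vs. Data Lake + summarization.

Added example (not from the post). Unit prices and daily volumes are the
ones quoted in the post and are treated as assumptions; function names and
the break-even helper are this example's own construction.
"""

# Unit prices quoted in the post (USD). Assumption: check current pricing.
ANALYTICS_INGEST_PER_GB = 5.00
LAKE_STORAGE_PER_GB_MONTH = 0.026
LAKE_QUERY_PER_GB_SCANNED = 0.005
LAKE_PROCESSING_PER_GB = 0.05

DAYS_PER_MONTH = 30.4
JOB_RUNS_PER_DAY = 24 * 60 // 5   # a 5-minute schedule: 288 runs per day

# Daily ingest per source (GB/day), taken from the post's table.
DAILY_INGEST_GB = {
    "Microsoft Defender": 6,
    "Microsoft Entra ID": 2,
    "Defender for Cloud Apps": 1,
    "Windows Security Events": 9,
    "Azure Activity Logs": 2,
    "Network Logs": 8,
    "Application Logs": 3,
    "Cloud Platform Logs": 4,
}


def monthly_volume_gb(daily_by_source=DAILY_INGEST_GB) -> float:
    """Total raw volume per month across all sources (35 GB/day -> 1,064 GB)."""
    return sum(daily_by_source.values()) * DAYS_PER_MONTH


def analytics_only_monthly(monthly_gb: float) -> float:
    """Option A: every raw GB is ingested into the Analytics tier."""
    return monthly_gb * ANALYTICS_INGEST_PER_GB


def lake_plus_summary_monthly(monthly_gb: float, reduction: float) -> dict:
    """Option B: raw data stays in the Data Lake; only summaries hit Analytics.

    reduction is the fraction of volume removed by summarization (0.9 = 90%).
    Each 5-minute job is assumed to scan only the last 5 minutes of data,
    which is the post's ~0.12 GB per scan at 35 GB/day.
    """
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be between 0 and 1")
    daily_gb = monthly_gb / DAYS_PER_MONTH
    gb_per_scan = daily_gb / JOB_RUNS_PER_DAY
    storage = monthly_gb * LAKE_STORAGE_PER_GB_MONTH
    query = gb_per_scan * JOB_RUNS_PER_DAY * DAYS_PER_MONTH * LAKE_QUERY_PER_GB_SCANNED
    processing = monthly_gb * LAKE_PROCESSING_PER_GB
    analytics = monthly_gb * (1.0 - reduction) * ANALYTICS_INGEST_PER_GB
    return {
        "storage": storage,
        "query": query,
        "processing": processing,
        "analytics": analytics,
        "total": storage + query + processing + analytics,
    }


def savings_fraction(monthly_gb: float, reduction: float) -> float:
    """Share of the Analytics-only bill saved by Option B at a given reduction."""
    a = analytics_only_monthly(monthly_gb)
    b = lake_plus_summary_monthly(monthly_gb, reduction)["total"]
    return 1.0 - b / a


def break_even_reduction() -> float:
    """Smallest summarization reduction at which Option B costs no more than A.

    Lake storage, query and processing together add a fixed per-GB overhead;
    Option B wins as soon as summarization removes more Analytics ingestion
    than that overhead costs. With the post's prices this is about 1.6%.
    """
    overhead_per_gb = (LAKE_STORAGE_PER_GB_MONTH
                       + LAKE_QUERY_PER_GB_SCANNED
                       + LAKE_PROCESSING_PER_GB)
    return overhead_per_gb / ANALYTICS_INGEST_PER_GB


if __name__ == "__main__":
    gb = monthly_volume_gb()
    print(f"monthly volume: {gb:.0f} GB")
    print(f"option A: ${analytics_only_monthly(gb):,.2f}/month")
    for r in (0.5, 0.9):
        b = lake_plus_summary_monthly(gb, r)
        print(f"option B @ {r:.0%} reduction: ${b['total']:,.2f}/month "
              f"(saves {savings_fraction(gb, r):.1%})")
    print(f"break-even reduction: {break_even_reduction():.2%}")
```

The takeaway from the break-even helper is that, at these prices, the lake overhead is so small that almost any meaningful summarization pays for itself; the 90% figure in the post is what drives the headline savings number, not a threshold you must reach before the approach is worthwhile.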
The Proven Workflow
Instead of ingesting raw logs into Analytics tier:
- Store raw data in Data Lake for compliance and retention.
- Run scheduled KQL jobs every 5 minutes to:
  - Query recent data from Data Lake.
  - Summarize key metrics.
  - Write results into a new Analytics table for fast queries and alerts.
Example KQL Job
```kusto
// Scheduled to run every 5 minutes against the Data Lake tier.
// The destination Analytics table (here: TrafficSummary) is configured in
// the job definition; KQL itself has no "into" operator for this.
firewall_table
| where TimeGenerated > ago(5m)
| summarize TotalConnections = count(), BytesTransferred = sum(Bytes)
    by DeviceName, bin(TimeGenerated, 5m)
```
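To see what that job actually does to the data, and what it throws away, the following added example (not part of the post, and not Sentinel code) re-implements the same summarize-and-bin logic in Python over a constructed batch of raw firewall records. Column names mirror the post's KQL (TimeGenerated, DeviceName, Bytes); the extra SourceIP and DestinationPort columns, the record generator and the reduction measurement are this example's own assumptions.

```python
"""Offline model of the post's 5-minute summarization job.

Added example (not from the post). The raw records are constructed here;
the summarize() function mirrors the KQL:
    | where TimeGenerated > ago(5m)
    | summarize TotalConnections = count(), BytesTransferred = sum(Bytes)
        by DeviceName, bin(TimeGenerated, 5m)
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

BIN = timedelta(minutes=5)


def make_raw_records(n_devices=3, per_device=200,
                     start=datetime(2025, 1, 1, tzinfo=timezone.utc)):
    """Constructed raw firewall events: one row per connection, spread over
    15 minutes per device. Values are synthetic, not real traffic."""
    rows = []
    for d in range(n_devices):
        for i in range(per_device):
            rows.append({
                "TimeGenerated": (start + timedelta(seconds=i * 900 // per_device)).isoformat(),
                "DeviceName": f"fw-{d:02d}",
                "SourceIP": f"10.0.{d}.{i % 250}",       # assumed extra column
                "DestinationPort": 443 if i % 3 else 22,  # assumed extra column
                "Bytes": 1500 + (i * 37) % 4000,
            })
    return rows


def bin_time(ts: datetime) -> datetime:
    """Equivalent of KQL bin(TimeGenerated, 5m): floor to the 5-minute boundary."""
    epoch = ts.timestamp()
    floored = epoch - (epoch % BIN.total_seconds())
    return datetime.fromtimestamp(floored, tz=timezone.utc)


def summarize(rows, lookback_from=None):
    """Count connections and sum Bytes per DeviceName per 5-minute bin.

    lookback_from (ISO-8601 string) plays the role of ago(5m): only rows with
    TimeGenerated strictly after it are kept. None means no time filter.
    """
    cutoff = datetime.fromisoformat(lookback_from) if lookback_from else None
    agg = defaultdict(lambda: {"TotalConnections": 0, "BytesTransferred": 0})
    for r in rows:
        ts = datetime.fromisoformat(r["TimeGenerated"])
        if cutoff is not None and ts <= cutoff:
            continue
        key = (r["DeviceName"], bin_time(ts))
        agg[key]["TotalConnections"] += 1
        agg[key]["BytesTransferred"] += r["Bytes"]
    # One output row per (device, bin), like the KQL result set.
    return [{"DeviceName": d, "TimeGenerated": t.isoformat(), **v}
            for (d, t), v in sorted(agg.items())]


def reduction_ratio(raw, summary) -> float:
    """Fraction of serialized volume removed by summarization (0.95 = 95%)."""
    raw_bytes = len(json.dumps(raw).encode())
    summary_bytes = len(json.dumps(summary).encode())
    return 1.0 - summary_bytes / raw_bytes


if __name__ == "__main__":
    raw = make_raw_records()
    full = summarize(raw)
    last_window = summarize(raw, lookback_from="2025-01-01T00:10:00+00:00")
    print(f"{len(raw)} raw rows -> {len(full)} summary rows "
          f"({reduction_ratio(raw, full):.1%} smaller)")
    print(f"last 5-minute window: {len(last_window)} rows")
    for row in last_window:
        print(row)
```

Two things worth checking before you rely on a summary table for detection: the reduction you get depends on cardinality of the `by` clause (three devices collapse 600 rows to 9 here; thousands of distinct keys would not), and any field dropped from the summary, such as the SourceIP and DestinationPort columns above, is no longer available to an analytics rule on the summarized table. Either add such fields to the `by` clause for the detections that need them, or keep those detections running against the raw data in the lake.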
Benefits
- Cost efficiency: Reduce ingestion volume dramatically.
- Performance: Analytics tier queries run faster on summarized tables.
- Compliance: Keep full raw logs in Data Lake for audits.
- AI readiness: Unified data foundation for advanced analytics and machine learning.
Closing Thoughts
The proven way to slash SIEM costs is here. By combining Data Lake for affordable retention with Analytics tier for real-time detection, organizations achieve full visibility without overspending.
Microsoft Sentinel Data Lake isn’t just storage, it’s a strategic solution for scalable, AI-ready security operations.
Over the next few weeks, we will dive deeper into these KQL jobs using custom log sources and how we reduce them, validating the savings clients will see.
For previous posts, please take a look here: Home – Its Security Day with Mike
