azurerm_sentinel_log_analytics_workspace_onboarding cost estimation
Onboards a Log Analytics workspace to Microsoft Sentinel (SIEM), adding a per-GB analysis charge on top of Log Analytics ingestion. 100 GB/month is ~$430.
An azurerm_sentinel_log_analytics_workspace_onboarding enables Microsoft Sentinel — Azure's cloud-native SIEM/SOAR — on a Log Analytics workspace. Sentinel doesn't have its own data store; it analyzes the data ingested into the workspace, and it bills a Sentinel analysis fee per GB on top of the underlying Log Analytics ingestion cost. At the Pay-As-You-Go rate that's roughly $2.00/GB Sentinel + $2.30/GB Log Analytics ≈ $4.30/GB, so 100 GB/month is ~$430.
The crucial cost insight is that Sentinel bills ingestion volume a second time: you pay for each GB twice (Log Analytics ingestion + Sentinel analysis). So the single biggest Sentinel cost lever is reducing or tiering what you ingest: route high-volume, low-security-value logs to the Basic/Auxiliary logs tier (much cheaper, limited analytics), filter at the source, and only bring into the analytics tier the data your detections actually use.
Commitment tiers apply to both the Log Analytics and Sentinel sides at high volume, discounting the per-GB rate versus Pay-As-You-Go. For high, steady ingestion, committing is a meaningful saving.
c3x prices the onboarding from monthly ingestion GB at the combined Sentinel + Log Analytics rate, so the SIEM cost is visible before deployment.
Terraform example
A minimal but realistic configuration that C3X can estimate.
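```hcl
resource "azurerm_sentinel_log_analytics_workspace_onboarding" "main" {
  # Workspace to onboard; azurerm_log_analytics_workspace.main is defined elsewhere in the configuration.
  workspace_id = azurerm_log_analytics_workspace.main.id
}
```
Pricing dimensions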
What you actually pay for when you provision azurerm_sentinel_log_analytics_workspace_onboarding.
| Dimension | Unit | What's being charged |
|---|---|---|
| Analyzed data (Sentinel + Log Analytics) | per GB | Sentinel analysis fee plus Log Analytics ingestion — you pay for ingested volume on both. Commitment tiers discount the per-GB rate at scale. ~$4.30/GB combined (PAYG) → 100 GB ≈ $430/month |
Sample C3X output
100 GB/month ingested into a Sentinel-onboarded workspace:
```
azurerm_sentinel_log_analytics_workspace_onboarding.main
└─ Analyzed data (Sentinel + LA)    100 GB    $430.00
Monthly                                       $430.00
```
Optimization tips
Common ways to reduce azurerm_sentinel_log_analytics_workspace_onboarding cost without changing the workload.
Tier high-volume logs to Basic/Auxiliary
Large on high-volume noise
Sentinel charges analysis on top of LA ingestion, so volume costs twice. Route high-volume, low-security-value logs (verbose firewall/proxy/NetFlow) to the Basic or Auxiliary logs tier — much cheaper, with limited analytics — and keep only detection-relevant data in the analytics tier.
Filter at the source
Proportional to volume filtered
Use data collection rules to drop fields and events you'll never query or alert on before they're ingested. The cheapest GB is the one you don't ingest into either meter.
Use commitment tiers at high volume
Up to ~30%+ at high volume
Both Log Analytics and Sentinel offer commitment tiers (e.g. 100 GB/day) that discount the per-GB rate versus Pay-As-You-Go. For steady high ingestion, committing saves meaningfully.
Set table-level retention
Per GB-month of retained data
Beyond the included retention, archived data still bills. Set per-table retention to what investigations and compliance actually need, and archive cold data at the cheaper tier.
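The tiering decision from the first tip, as an added example (not part of C3X or the original page): it keeps every table referenced by a detection query in the analytics tier and prices the rest at a cheaper rate. The table volumes, the detection queries and the $0.50/GB cheaper-tier rate are constructed assumptions; only the $2.00 and $2.30 per-GB rates come from the page.

```python
import re

# Rates from the page (Pay-As-You-Go, USD per GB): Sentinel analysis + Log Analytics ingestion.
SENTINEL_PER_GB = 2.00
LOG_ANALYTICS_PER_GB = 2.30
ANALYTICS_PER_GB = SENTINEL_PER_GB + LOG_ANALYTICS_PER_GB  # ~4.30 combined

# ASSUMPTION: placeholder rate for the cheaper tier; the page gives no figure.
ASSUMED_BASIC_PER_GB = 0.50

# Constructed sample data: monthly GB per table and the KQL of enabled detections.
TABLE_GB = {"SigninLogs": 20, "SecurityEvent": 25, "AzureDiagnostics": 40, "NetFlow_CL": 15}
DETECTION_QUERIES = [
    "SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName",
    "SecurityEvent | where EventID == 4625 | join (SigninLogs) on Account",
]

def tables_used_by_detections(queries, known_tables):
    """Return the known tables that appear as whole identifiers in any detection query."""
    used = set()
    for q in queries:
        tokens = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", q))
        used |= tokens & set(known_tables)
    return used

def plan_tiers(table_gb, queries, basic_rate=ASSUMED_BASIC_PER_GB):
    """Keep detection-referenced tables in the analytics tier; price the rest at basic_rate."""
    used = tables_used_by_detections(queries, table_gb)
    before = sum(table_gb.values()) * ANALYTICS_PER_GB
    after = 0.0
    plan = {}
    for table, gb in sorted(table_gb.items()):
        tier = "analytics" if table in used else "basic"
        plan[table] = tier
        after += gb * (ANALYTICS_PER_GB if tier == "analytics" else basic_rate)
    return plan, round(before, 2), round(after, 2)

if __name__ == "__main__":
    plan, before, after = plan_tiers(TABLE_GB, DETECTION_QUERIES)
    for table, tier in plan.items():
        print(f"{table:18} {TABLE_GB[table]:>4} GB  -> {tier}")
    print(f"before ${before:.2f}/month, after ${after:.2f}/month")
```

The identifier match only sees table names written directly in a rule; tables reached through saved functions, hunting queries or workbooks need to be checked separately before a table leaves the analytics tier.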
FAQ
How is Microsoft Sentinel billed?
By the volume of data analyzed — a Sentinel analysis fee (~$2.00/GB PAYG) on top of the underlying Log Analytics ingestion (~$2.30/GB), so ~$4.30/GB combined. 100 GB/month is ~$430. Sentinel has no separate data store; it analyzes the workspace's ingested data.
Why does Sentinel cost so much per GB?
Because you pay for ingestion twice — once for Log Analytics to store it, once for Sentinel to analyze it. That's why reducing and tiering ingestion (Basic/Auxiliary logs, source filtering) is the dominant Sentinel cost lever.
How does c3x estimate the cost?
From monthly ingestion GB at the combined Sentinel + Log Analytics rate. Reducing ingestion or moving to commitment tiers lowers it; model your expected ingestion to see the SIEM cost.
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including azurerm_sentinel_log_analytics_workspace_onboarding.