Taming Microsoft Sentinel Costs: Log Analytics Tables and the Data Lake Tier

Phil Kinsley

Field CTO, Security

Managing Microsoft Sentinel costs starts with understanding where your data lives. This guide breaks down the Analytics table and Data Lake tier options so security teams can retain full coverage while cutting spend by up to 80%.


Microsoft Sentinel is a powerful SIEM, and for many security teams, it is also the line item that grows fastest. The reason is simple: Sentinel bills primarily on the volume of data you ingest, and modern environments produce an enormous amount of log data.

The good news is that Sentinel no longer forces you to put every log in the same expensive place. By combining the premium Log Analytics tables with the newer, much cheaper Data Lake tier, you can keep the security coverage you need while cutting the cost of the data you rarely touch.

This article breaks down how Sentinel charges you, what the Analytics and Data Lake options each do well, where each falls short, and how to use both together to build a cost-aware logging strategy.

A note on pricing before we start: every dollar figure below is based on retail list pricing in the East US region and is provided only to show relative scale. Your actual cost will vary by region, commitment level, and discounts. Treat these numbers as directional, not as a quote.


How Sentinel Actually Charges You 

Sentinel cost comes from three distinct activities, and understanding the split is the key to controlling spend: 

Ingestion

What you pay to bring a gigabyte of data in. This is where the largest charges accumulate, because it scales directly with log volume. 

Retention

What you pay to keep that data over time, both in interactive (queryable) retention and in long-term retention for compliance. 

Query

What you pay to search the data after it lands. In the premium tier, this is effectively included. In the cheaper tiers, you pay per gigabyte scanned. 

The Core Insight
Most environments pay premium Analytics rates for every log, including the high-volume data they rarely query. Moving that secondary data to cheaper storage is where the majority of Sentinel savings come from.

The strategic insight is that not all data deserves to pay the full ingestion and retention price. Microsoft frames this as primary security data versus secondary security data.

Primary Data drives real-time detection and needs to be instantly queryable.

Secondary Data is high-volume, verbose, and mostly useful only during a deep investigation or for compliance retention. Paying premium rates to store secondary data is where most Sentinel budgets quietly bleed. 


The Premium Option: Log Analytics Tables 

The Analytics tier is the classic Log Analytics table that Sentinel has always used. It is your hot storage. 

The Value: This is where real-time security happens. Analytics tables support full KQL, scheduled analytics rules, near real-time detection, correlation across tables, UEBA, and fast interactive hunting. There is no extra per-query charge, so your analysts can hunt aggressively without watching a meter. 

What It Costs: Analytics ingestion for Sentinel starts around $4.30 per GB on pay-as-you-go and drops toward roughly $2.06 per GB at the higher commitment tiers. Interactive retention runs 90 days by default with Sentinel and can extend up to two years, and long-term retention can reach 12 years. 

Pros 

  • Fastest query performance, built for sub-second interactive work 
  • Full, unrestricted KQL across multiple tables 
  • Required for scheduled analytics rules and most real-time detections 
  • No per-query cost, so hunting and investigation are predictable 
  • The data feeds every Sentinel experience natively 

Cons

  • The most expensive tier by a wide margin 
  • Paying premium rates for verbose, low-value logs is pure waste 
  • Commitment tiers help, but only if your volume is steady and high enough to justify the pre-commit 

Put your authentication logs, EDR and antivirus alerts, cloud audit trails, and threat intelligence here. This is the data you run rules against every few minutes. 

Keep These in Analytics
Authentication logs, EDR alerts, cloud audit trails, threat intelligence, and anything that drives a detection rule.


The Cheaper Option: The Data Lake Tier 

The Data Lake Tier is Microsoft’s newer answer to the cost problem, and it changes the math for high-volume data. It provides very low-cost storage for long-term retention and large-scale search, with cost reductions that approach 90 percent compared to the Analytics tier for the same volume. 

The Value: Data Lake lets you retain everything without compromise. Instead of dropping noisy, high-volume logs to save money, you keep them at a fraction of the cost and reach for them only when an investigation or audit requires it. It supports retention up to 12 years and integrates with Sentinel hunting, and you can use summary rules to roll verbose data up into the Analytics tier when you want aggregate signal without paying to keep every raw row hot. 

Pros 

  • Dramatically lower storage cost, which makes long retention affordable 
  • Up to 12 years of retention for compliance and historical investigation 
  • Lets you keep data you would otherwise discard, preserving forensic value 
  • Works with KQL through summary rules and on-demand search 
  • A natural home for the Auxiliary logs that Microsoft is migrating into it 

Cons

  • Not built for real-time detection; do not expect it to drive your fast analytics rules 
  • Queries are pay-per-scan, so heavy ad-hoc searching can add up if you are not careful 
  • Query performance is slower than Analytics, by design, as the tradeoff for cheap storage 
  • Requires deliberate planning about what to summarize versus what to leave in the lake 

Put your network flow logs, storage and blob access logs, DNS query logs, verbose firewall traffic, and legacy compliance logs here. These are the sources you need to have, but rarely need to query at speed. 

Move These to the Data Lake
Network flow logs, DNS queries, firewall traffic, blob access logs, and legacy compliance data.


A Word on Basic and Auxiliary Logs

Between the two main options sit two more table plans worth knowing.

Basic Logs

Basic Logs offer discounted ingestion (around $1 per GB for Sentinel) with limited, single-table KQL and shorter interactive retention, suited to troubleshooting and occasional incident response.

Auxiliary Logs

Auxiliary Logs were the prior low-cost tier (about $0.15 per GB to ingest, $0.02 per GB for long-term retention), and Microsoft is now folding Auxiliary into the Data Lake model. If you are using Auxiliary logs today, review them, because they are migrating automatically, and your tiering strategy should account for it.


Using Both Together: An Effective Strategy 

The point is not to pick one tier. It is to route each log to the tier that matches how you actually use it. A workable approach looks like this: 

  1. Audit Your Ingestion First. Run a usage query over the last 30 days to rank your tables by volume and by how often they are queried. The tables that are large but rarely queried are your savings opportunity. 
  2. Keep Primary Security Data In Analytics. Anything that drives a detection rule, feeds correlation, or gets hunted daily stays in the premium tier. Do not sacrifice detection to save money. 
  3. Move High-Volume, Low-Touch Data To Data Lake. Network flows, storage logs, and verbose compliance sources belong in cheap storage, retrieved on demand. 
  4. Use Summary Rules To Bridge The Two. Aggregate noisy Data Lake data into compact summaries that live in Analytics, so you keep the signal for detection without paying to keep every raw event hot. 
  5. Filter Before You Ingest. Use data collection rules to drop the columns and rows you will never need. The cheapest gigabyte is the one you never ingest. 
  6. Match Retention To Obligation, Not Habit. Set long-term retention to your actual compliance requirement, in the cheapest tier that satisfies it, rather than defaulting everything to the same window. 
  7. Revisit Commitment Tiers. If your Analytics volume is steady and high, a commitment tier lowers the per-GB rate meaningfully. If it is variable or modest, pay-as-you-go avoids over-committing. 
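The concrete steps above (the 30-day ingestion audit in step 1, the summary rule in step 4, which is also the summary-rule bridging described in the Data Lake section, and the ingestion-time filter in step 5) as added KQL examples; these are not the article's own queries nor Microsoft's. Assumptions: `Usage` and `CommonSecurityLog` are the built-in tables of those names; `LAQueryLogs` is only populated when query auditing is enabled on the workspace, and matching table names inside `QueryText` is a heuristic; `FirewallHourly_CL` is a hypothetical summary-rule destination table with an assumed 1-hour bin; the last query is the `transformKql` body of a data collection rule, where `source` is the DCR's name for the incoming stream.

```kql
// --- Step 1: audit ingestion. Rank billable tables by 30-day volume and by
// how often they appear in analyst queries. Tables that are large but rarely
// queried are the tiering candidates.
let window = 30d;
let volume = Usage
    | where TimeGenerated > ago(window) and IsBillable == true
    | summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType;   // Quantity is in MB
let queries = LAQueryLogs
    | where TimeGenerated > ago(window)
    // Pull every capitalised identifier out of the query text and treat it as a
    // possible table reference (heuristic); one count per query per table.
    | mv-expand Token = extract_all(@"\b([A-Z][A-Za-z0-9_]*)\b", QueryText) to typeof(string)
    | distinct TimeGenerated, Token
    | summarize QueryCount = count() by DataType = Token;
volume
| join kind=leftouter queries on DataType
| project DataType, IngestedGB, QueryCount = coalesce(QueryCount, 0)
| order by IngestedGB desc

// --- Step 4: summary rule. Query body of a summary rule over verbose firewall
// traffic in CommonSecurityLog (CEF). The bin size (assumed 1h) and the
// destination table (hypothetical FirewallHourly_CL) are configured on the
// rule; the raw rows can then live in the Data Lake tier.
CommonSecurityLog
| where isnotempty(SourceIP)
| summarize Connections = count(),
            Denied = countif(DeviceAction == "deny"),
            DistinctDestinations = dcount(DestinationIP),
            BytesOut = sum(SentBytes),
            BytesIn = sum(ReceivedBytes)
  by bin(TimeGenerated, 1h), SourceIP

// A scheduled analytics rule in the Analytics tier then runs against the
// compact summary rather than the raw flows (threshold is a constructed value).
FirewallHourly_CL
| where TimeGenerated > ago(1h)
| where DistinctDestinations > 500
| project TimeGenerated, SourceIP, DistinctDestinations, Denied, BytesOut

// --- Step 5: filter before ingest. transformKql body of a data collection
// rule for the CommonSecurityLog stream. It drops device heartbeat events
// (constructed DeviceEventClassID value) and columns confirmed unused; which
// rows to drop is a detection decision, so the condition is only illustrative.
source
| where DeviceEventClassID != "heartbeat"
| project-away FlexString1, FlexString2, FlexNumber1, FlexNumber2
```

Run the first query from the Log Analytics query pane; the join is `leftouter` so tables that never appear in audited queries still show up with a `QueryCount` of 0, which is exactly the set to review for the Data Lake. The summary rule query carries no time filter because the rule's own schedule scopes each run to its bin.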

A Simple Decision Guide

Ask two questions of every log source: how fast do I need to query it, and how often?

If the answer is fast and often, it belongs in Analytics.

If the answer is rarely and I can wait, it belongs in the Data Lake.

Most environments find that a large share of their total volume is the second kind, which is exactly where the savings live. Documented write-ups of this approach commonly report cost reductions in the 60 to 80 percent range, driven almost entirely by moving high-volume secondary data out of the premium tier.

How fast do I need this? Real-time means Analytics. Can wait means Data Lake.

How often do I query this? Daily means Analytics. Investigations only means Data Lake. (Most environments find the majority of their volume is this second kind, where 60 to 80 percent savings typically come from.)


Common Pitfalls 

  • Treating Every Log As Primary. The instinct to keep everything hot is the single biggest cost driver. Be honest about what you actually query. 
  • Ignoring Query Costs In The Cheap Tiers. Data Lake storage is cheap, but undisciplined ad-hoc scanning can erode the savings. Use summaries for recurring questions. 
  • Forgetting The Portal Transition. After March 31, 2027, Sentinel will be available only in the Microsoft Defender portal, and table tiering for Defender-connected workspaces is managed there. Plan your transition rather than reacting to it. 
  • Setting It Once & Walking Away. Log volumes and query patterns drift. A tiering strategy needs a periodic review, not a one-time configuration. 

How eGroup’s ThreatDefender Service Puts This Into Practice 

Knowing the tiers is one thing. Operating them well, day after day, is another. Deciding which tables belong in Analytics, which to push to the Data Lake, when to summarize, and when to pull data back into hot storage for an active investigation is ongoing work, and getting it wrong in either direction costs you, either in dollars or in missed signal. 

This is exactly what eGroup’s ThreatDefender, our managed extended detection and response (MXDR) service, is built to handle. ThreatDefender runs across both tiers as a matter of course: primary detection data stays in the Analytics tables where our analysts hunt and respond in real time, while high-volume and compliance data lives in the Data Lake at a fraction of the cost. The service actively manages the movement between the two, converting data from one tier to the other as your needs change, so you keep full coverage without paying premium rates for logs you are not actively using.

The Value: you get the security outcome of keeping everything, with the cost profile of keeping only what you query. Our team continuously tunes the tier assignments, applies summary rules to preserve signal from noisy sources, and reaches into the Data Lake on demand during investigations, so your coverage stays broad while your operational cost stays controlled. Instead of standing up that expertise in-house, you inherit a practice that already does this every day across multiple environments. 


The Bottom Line 

Sentinel cost control is not about collecting less security data. It is about being deliberate over where that data lives.

Keep your primary detection sources in the Analytics tables, where speed and full KQL are worth the premium. Push your high-volume, low-touch, and compliance data into the Data Lake tier, where you can retain it for years at a fraction of the cost and still reach it when an investigation demands it. Bridge the two with summary rules and ingestion-time filtering.

Done well, this lets you expand your coverage and shrink your bill at the same time, which is a rare combination in security. If you would rather not manage that balance yourself, ThreatDefender does it for you.

Pricing referenced throughout is based on retail list pricing in the East US region and is provided only to illustrate relative scale. Actual pricing varies by region, ingestion commitment, retention configuration, and your agreement. To map your current Sentinel ingestion against the right tier mix, model the savings, and see how eGroup ThreatDefender can manage it end-to-end, talk with your eGroup team. 


See What Smarter Sentinel Tiering Looks Like in Practice

eGroup’s ThreatDefender actively manages your log tier assignments, summary rules, and Data Lake strategy so your security coverage stays broad and your Sentinel bill stays controlled. Talk to our team to model your current ingestion against the right tier mix.
