Managed SIEM · Deep dive 01

The Sentinel bill nobody scoped for, and how to cap it

Sentinel's 2025 dual-tier model changed the maths. What to route to the analytics tier, what to send to the lake, and how it all stays inside a fixed monthly fee.

Draft outline · Cost / FinOps lens
The anchor

In 2025 Microsoft introduced the Sentinel data lake alongside the analytics tier: analytics ingest runs roughly $4 to $5.50 per GB pay-as-you-go, while data-lake ingest is about $0.05 per GB with cheap long-term retention. Get the routing wrong and the Log Analytics bill runs away from you; get it right and it is predictable.

Sources we build on
Primary

Primary product documentation for the dual-tier model, retention and query-cost mechanics.

Journalism
Independent Sentinel pricing analysis

Third-party breakdown of the 2025 pricing change and where real bills come from, free of Microsoft's framing.

Article outline
  1. Why Sentinel bills surprise people. Verbose sources (firewall, sign-in) at analytics-tier rates.
  2. The dual-tier model. Analytics for detection, data lake for volume and retention.
  3. A routing policy. What belongs in each tier, by table and by detection need.
  4. Retention without pain. Meeting long-retention obligations at lake prices.
  5. Holding a fixed fee. How we absorb this into a predictable monthly number.

How it aligns to what we do

Deliberately a non-security piece: pure cost engineering. It proves the fixed-price promise is real by showing the mechanism behind it, and it speaks to the accountable, budget-owning reader who has been burned by an unbounded cloud bill. This is the differentiator against threat-blog competitors.

Points to hit
Control it ratifies
ISM / E8: Not a control-mitigation piece; supports ISM event-logging and retention requirements by making full-fidelity logging affordable enough to actually keep.