The Reality Check: Why Your Sentinel Costs Are Spiraling
Imagine a client spending £45,000 monthly on Sentinel—90% of it on data they access maybe twice a year for compliance. Sound familiar? With Microsoft's Data Lake preview rolling out and auxiliary logs automatically migrating, it's time to get strategic about data tier management.
After managing a couple of Sentinel environments and seeing the Data Lake in action, I'm sharing what I've discovered about making the most of Microsoft's evolving data tier strategy.
Understanding the Four Tiers
1. Analytics Tier (The Premium Option)
This is your hot storage—full KQL support, real-time analytics rules, and sub-second query performance. Perfect for:
- Security events requiring real-time detection
- Data you query multiple times daily
- Incident investigation primary sources
Cost: Highest tier, but essential for active threat detection.
2. Basic Logs (The Middle Ground)
Reduced functionality but significant cost savings. Good for:
- Verbose logs you might need occasionally
- Compliance data with infrequent access
- Backup investigation sources
Limitations: 8-day retention, limited KQL functions, no scheduled rules.
3. Auxiliary Logs (Being Deprecated)
If you're using auxiliary logs, pay attention—they're automatically migrating to Data Lake. This includes:
- StorageBlobLogs
- AzureMetrics
- ContainerLogV2
Action Required: Review your auxiliary log usage before migration completes.
4. Data Lake (The New Frontier)
Microsoft's latest addition offers:
- 12-year retention capability
- ~90% cost reduction compared to Analytics tier
- Full KQL support through summary rules
- Seamless integration with Sentinel hunting
Strategic Tier Assignment
Here's my recommended approach for common log types:
| Log Type | Recommended Tier | Reasoning |
|---|---|---|
| SecurityEvent | Analytics | Core detection data |
| SigninLogs | Analytics | Identity-based attacks |
| AzureActivity | Basic/Data Lake | High volume, periodic access |
| StorageBlobLogs | Data Lake | Compliance, rare queries |
| NetworkFlowLogs | Data Lake | Massive volume, forensics only |
Implementation Steps
Step 1: Audit Current Usage
// Find your most queried tables
Usage
| where TimeGenerated > ago(30d)
| summarize QueryCount = count(), DataGB = sum(Quantity)/1024 by DataType
| order by DataGB descStep 2: Identify Migration Candidates
Look for tables with:
- High ingestion volume but low query frequency
- Compliance-only retention requirements
- No active analytics rules
Step 3: Configure Data Lake
Enable Data Lake through the Sentinel workspace settings and configure your retention policies. Remember:
- Data Lake supports up to 12 years retention
- Use summary rules to aggregate data for faster queries
- Set up lifecycle policies for automatic tiering
Cost Savings Example
For a typical enterprise environment:
- Before optimization: £45,000/month
- After strategic tiering: £12,000/month
- Savings: 73% reduction
What's Next?
I've shared what I've discovered so far, but there's definitely more to explore—especially with the VS Code extension and Jupyter notebooks for Data Lake queries.
Got your own insights? Found different results? I'd love to hear about your experience. Reach out at hello@cy-brush.com or connect with me on LinkedIn.
Let's figure this out together and share what works.
Resources & Further Reading
- Microsoft Sentinel Data Lake Overview - Official documentation
- Introducing Microsoft Sentinel Data Lake - Microsoft Community Hub announcement
- Set up Connectors for Data Lake - Configuration guide
- Cybrush Attack Range - Test your detections across tiers
- Cybrush Medium Publication - More Sentinel insights