Getting Started
This advanced calculator allows you to create multiple cost elements to model complex Microsoft Sentinel deployments. Each element represents a different data source or table with its own configuration and constraints.
- Configure Pricing: Start by expanding the "Pricing Configuration" section and either select your Azure region or enter custom pricing values.
- Add SCU: Add an SCU (Sentinel Commit Unit) / Pre-purchase plan to decrease the overall cost.
- Add Cost Elements: Click "Add Analytics Category" or "Add Data Lake Category" to create elements for different data sources (e.g., Security Events, Windows Events, Custom Logs).
- Configure Each Element: Set ingestion rates, retention periods, and data lake settings for each element. Analytics data is mirrored into data lake for free, but you can still execute non-free actions on it.
- Free ingestion: Enable free ingestoin for specific Analytics sources.
- Review Constraints: The calculator automatically enforces some constraints.
- Analyze Results: View costs broken down by element and category in the chart and summary cards.
- Export Data: Download detailed cost breakdowns in CSV format.
Cost Components
Each cost compotent represents a separate data source or table and can be configured independently:
Analytics Tier Components (purple on the GUI)
- Analytics Ingestion: Daily data volume ingested into the analytics tier (GB/day). If you push data into analytics tier configure this element.
- Analytics Retention: How long to retain data in the analytics tier (days). Free for first 90 days, charged beyond that.
Data Lake Tier Components (blue on the GUI)
- Data Lake Ingestion: Daily data volume ingested directly into data lake tables (GB/day). Does not include mirrored analytics data. This is the data that actually reaches your data lake storage. So if you filter out data via DCRs don't add the dropped data.
- Data Lake Processing: Data volume processed by the ingestion pipeline (GB/day). May be higher than ingestion if filtering occurs. All the data that reaches the ingestion pipeline should be added, even data you drop via DCRs. According to Microsoft even data filtered via DCRs incurs this charge. Does not inlcude mirrored analytics data.
- Total Retention (Data Lake Storage): Total retention period for the data (days). For data lake table this is the only storage. For Analytics table this is the long-term storage for data kept after the analytics retention period. Constraint: Must be ≥ Analytics Retention
- Data Lake Query: Monthly query volume against data lake data (GB/month).
- Advanced Data Insights: Monthly advanced analytics compute usage for this element (hours/month). Utilized via managed Notebooks.
Constraints & Calculation Logic
The calculator enforces the following constraints and logic:
⚠️ Key Constraints
- Data Lake Retention ≥ Analytics Retention: Total retention must be equal to or longer than analytics retention for analytics data. In case of = there is not long-term retention, otherwise long-term retention will be data lake-based.
💰 Cost Calculation Logic
- Analytics Ingestion: Charged for all ingested data, with commitment tier minimums applied if configured.
- Analytics Retention: Only charged for days beyond the 90-day free period. Formula: (Daily Ingestion) × (Days beyond 90) × (Retention Price).
- Data Lake Storage: Only charged when Total Retention > Analytics Retention. Includes 6:1 compression. Free during analytics retention period.
- Data Lake Ingestion: Charged per GB for data ingested directly into data lake tables.
- Data Processing: Charged per GB for data reaching the ingestion pipeline (regardless of filtering) directly into data lake tables.
- Data Lake Query/Insights: Charged based on actual usage volumes specified.
Accumulating Mode
- Enabled (Default): Simulates gradual data accumulation from zero to full retention capacity. Realistic for new deployments.
- Disabled: Assumes immediate full retention capacity. Useful for steady-state cost analysis of existing deployments.
Understanding the Results
The advanced calculator provides detailed cost breakdowns:
- Cost Elements Table: Shows individual element configurations and allows editing/deletion.
- Summary Cards: Display total costs by category. Click cards to see detailed breakdowns.
- Interactive Chart: Visualize costs over time by category and element. Use the popup feature for larger views.
- CSV Export: Download complete cost breakdowns with monthly details for all elements.
Example Scenarios
Scenario 1 - Extended Retention: Analytics Ingestion: 50GB/day, Analytics Retention: 90 days, Total Retention: 365 days → Result: Ingestion costs + data lake storage for extra 275 days.
Scenario 2 - Data Lake Only with filtering: Analytics Ingestion: 0GB/day, Data pushed to the DCR: 80GB/day but drop 30 GB/day of this data, real Data Lake Ingestion: 50GB/day, Data Processing: 80 GB/day, Total Retention: 730 days → Result: Data lake ingestion (30 GB) + processing (80 GB) + data lake storage for full 730 days.