Microsoft Sentinel pricing in India — INR by ingestion tier

Published 03 Jun 2026  ·  By Pawan Sharma  ·  SIEM  ·  13 min read

Microsoft Sentinel pricing in India is per-GB ingested with multiple cost levers — commitment tiers, Auxiliary Logs tier, Microsoft 365 E5 ingestion benefits, Archive tier for long-tail retention. The headline pay-as-you-go rate looks expensive until you stack the levers correctly. This post walks the pricing model with INR figures (₹98/USD where Microsoft publishes USD), the worked example math for a 200 GB/day workload, and the four levers that flip the TCO conversation.

  • Ingestion pricing (per GB): Analytics tier per GB ingested. Commitment tiers discount 15-65%.
  • E5 free benefit (100 MB/user/day): For Microsoft 365 sources. Significant offset for Microsoft-anchored estates.
  • Analytics retention (90 days FREE): No extra charge for the first 90 days; CERT-In 180d adds modest cost.
  • Central + South India (2 Indian regions): Same data residency story as the compliance post.

The pricing model in one table

| Component | Pay-as-you-go (INR @ ₹98/USD) | 200 GB/day commitment tier |
|---|---|---|
| Analytics tier ingestion | ~₹275 / GB ($2.80) | ~₹130-160 / GB |
| Auxiliary Logs tier | ~₹50 / GB | same |
| Basic Logs tier | ~₹55 / GB | same |
| Analytics retention (after 90d) | ~₹10 / GB / month | same |
| Archive tier retention | ~₹2-5 / GB / month | same |
| Logic Apps playbook | Consumption-based (~₹0.20 / 10K runs) | same |

Source: Microsoft Sentinel pricing page snapshot, May 2026, Azure Central India region. INR conversion at ₹98/USD where USD published. Microsoft also publishes INR direct for some commitment tiers; verify against the live pricing page at quote time. Commitment tier discounts vary — 100 GB/day ~15-25%, 200 GB/day ~30-40%, 500 GB/day ~45-55%, 1+ TB/day ~55-65%.

A worked example — 200 GB/day mid-market SaaS

Workload: 200 GB/day ingest, 5000 M365 E5 users, 180-day retention

Monthly Sentinel bill: ~₹26-32 lakh — split below

| Line | Calculation | INR / month |
|---|---|---|
| Microsoft 365 E5 free benefit (100 MB/user/day × 5,000) | 500 GB/day FREE | ₹0 (covers most M365 sources) |
| Net billable Analytics ingestion (non-M365 sources) | ~150 GB/day × 30 days × ~₹150/GB (200 GB commit tier) | ~₹6.75 lakh |
| Auxiliary Logs (CDN logs, Azure Activity) | ~50 GB/day × 30 × ~₹50/GB | ~₹75K |
| Retention beyond 90 days (50 GB/day × 90 days) | ~4.5 TB × ~₹10/GB/mo | ~₹45K |
| Logic Apps playbook executions | ~50K runs/month | ~₹10K |
| Defender XDR Premium connector (Defender Experts add-on) | Optional | Per-quote |
| Total monthly (commitment tier 200 GB/day Analytics) | | ~₹8.0 lakh / mo |

Without the E5 benefit, the same workload at pay-as-you-go would run ~₹26-32 lakh/month for Analytics ingestion alone. The E5 ingestion benefit is the single biggest cost lever for Microsoft-anchored estates.
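
The line items of the worked example can be recomputed and re-run for other tenants with a small model. This is an added example, not code from the original post or from Microsoft; the field names are hypothetical, the rates are the post's approximate figures, and the Microsoft 365 volume is an assumed input because the post does not state that split.

```python
from dataclasses import dataclass

FREE_RETENTION_DAYS = 90        # post: first 90 days of Analytics retention are free
E5_BENEFIT_MB_PER_USER = 100    # post: 100 MB/user/day for Microsoft 365 sources

@dataclass
class Workload:                      # field names are hypothetical
    non_m365_analytics_gb_day: float
    m365_gb_day: float               # assumption: the post does not state this split
    auxiliary_gb_day: float
    retained_gb_day: float           # daily volume kept past the free window
    e5_users: int
    retention_days: int
    playbook_inr_month: float        # flat input, as in the post's table

def monthly_bill_inr(w, analytics_rate=150, aux_rate=50, retention_rate=10, days=30):
    """Return the line items (INR/month) using the post's approximate rates."""
    benefit_gb_day = w.e5_users * E5_BENEFIT_MB_PER_USER / 1000
    # The benefit only offsets Microsoft 365 sources; unused benefit is lost
    # and never reduces the non-M365 line.
    m365_overage = max(0.0, w.m365_gb_day - benefit_gb_day)
    extra_days = max(0, w.retention_days - FREE_RETENTION_DAYS)
    lines = {
        "analytics_non_m365": w.non_m365_analytics_gb_day * days * analytics_rate,
        "analytics_m365_overage": m365_overage * days * analytics_rate,
        "auxiliary": w.auxiliary_gb_day * days * aux_rate,
        # Steady state: extra_days' worth of daily volume sits in paid retention.
        "retention_beyond_free": w.retained_gb_day * extra_days * retention_rate,
        "playbooks": w.playbook_inr_month,
    }
    lines["total"] = sum(lines.values())
    return {k: round(v) for k, v in lines.items()}

# The post's worked example (M365 volume set to 0 because the post gives none).
PAGE_EXAMPLE = Workload(150, 0, 50, 50, 5000, 180, 10_000)

if __name__ == "__main__":
    for name, inr in monthly_bill_inr(PAGE_EXAMPLE).items():
        print(f"{name:24s} ₹{inr:>10,}")
```

Lowering `e5_users` below the point where the benefit covers `m365_gb_day` makes the overage line appear at the Analytics rate, which is the case to check before relying on the E5 offset.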

Four levers to flip the math

Commitment tier

Match daily ingestion to the nearest commit tier (100 / 200 / 500 / 1000 GB/day). Discount of 15-65% on Analytics per-GB rate.

Data Collection Rules (DCR)

Filter noisy events at the Azure Monitor Agent layer before they reach Sentinel. Often cuts ingest 20-30% without losing detection coverage.

Auxiliary Logs tier

High-volume low-value sources (CDN logs, large telemetry, Azure Activity) route to Auxiliary Logs at ~₹50/GB vs Analytics ~₹150-275/GB.

M365 E5 ingestion benefit

100 MB/user/day FREE for Microsoft 365 sources. For a 5,000-user E5 tenant that's 500 GB/day worth — often covers entire M365 telemetry.

When pay-as-you-go is the right choice

  • POC / pilot deployments (sub-30 GB/day) where commitment-tier minimums don't fit
  • Workloads with extreme variance (bursty: 50 GB on weekdays, 5 GB on weekends)
  • Greenfield deployment where 30 days of pay-as-you-go data establishes the right commitment-tier choice

FAQ

What's the headline Sentinel cost driver?
Daily ingestion volume in GB. Sentinel charges per-GB-ingested on the Analytics tier; commitment tiers (100/200/500/1000+ GB per day) discount the per-GB rate by 15-65%. For a 200 GB/day workload, commitment tier is non-optional — pay-as-you-go is 30-50% more expensive.
How do I size daily ingestion before committing?
Free 31-day trial — provision Sentinel + enable connectors, watch actual ingest. Microsoft also publishes per-connector estimates (Entra ID ~50 KB/user/day, Defender XDR ~5-50 MB/endpoint/day depending on telemetry verbosity). Ogma's sizing assessment estimates from your tenant + Azure Activity Log baseline.
Does M365 E5 include Sentinel ingestion?
E5 includes a 100 MB/user/day FREE ingestion benefit for Microsoft 365 sources (M365 audit logs, Defender XDR, Defender for Cloud Apps, Entra ID sign-in logs). For a 5,000-user E5 tenant that's ~500 GB/day free — often covers Microsoft-source ingestion entirely. Critical pricing lever.
Can ingestion costs be reduced by data filtering?
Yes. Three patterns: (1) Auxiliary Logs tier for high-volume low-value sources at ~₹30-60/GB vs Analytics ₹220-280/GB; (2) Data Collection Rules (DCR) at the agent layer to drop noisy events before ingest; (3) Basic Logs tier for query-only workloads. Together these can cut Analytics ingest 30-50% without losing detection capability.
How does retention pricing work?
Analytics tier — first 90 days FREE retention; beyond that, additional retention at ~₹10/GB/month for Analytics or ~₹2-5/GB/month for Archive tier. For CERT-In's 180-day floor, the first 90 days are free; the next 90 days cost ~₹0.9-1.0 / GB total extra. Cheap relative to ingest cost.
What's a representative monthly bill?
200 GB/day Analytics tier on commitment-tier 200 GB/day pricing: ~₹26-32 lakh/month for ingest. + retention beyond 90 days adds ~₹1-2 lakh/month. + Logic Apps playbook executions (typically <₹50K/month). E5 ingestion benefit can offset 100-300 GB/day depending on user count.
Are there hidden costs?
Three to plan for: (1) Logic Apps consumption-tier playbook runs (small but adds up at scale); (2) Azure Storage for archive tier; (3) Egress charges for moving data out of Azure region (rare in steady state). Microsoft Defender XDR licences (P2) are not part of Sentinel — separately budgeted via E5 or per-user.
Is INR pricing locked, or USD-converted?
Microsoft publishes INR pricing for Azure India regions on the pricing page. Bills come in INR + GST when sold via Microsoft CSP partner (Ogma). USD-denominated direct subscriptions (web direct) carry monthly FX exposure on the cloud invoice — same as the AWS / Azure marketplace dynamic we covered in the FortiWeb BYOL vs PAYG post.

Free Sentinel sizing + 3-year TCO model

Your actual workload — your actual M365 E5 footprint — your INR + GST quote

Ogma audits your current telemetry, applies the 4 cost levers above, and returns a 3-year Sentinel TCO model with commit-tier recommendation, E5 ingestion-benefit math, and per-month line-item breakdown. 5 working days.
