Sentinel Helps Uncover Security Incidents, for a Potentially High Price

• Microsoft Sentinel is intended to help customers uncover security incidents from their Microsoft services, software, and certain third-party products.
• Sentinel is based on Log Analytics but offers additional analysis, annotation, and dashboard capabilities.
• To make the most of the product, customers will need to route logs into Log Analytics.
• Sentinel can become incredibly expensive if large volumes of log data are ingested and retained.

Microsoft Sentinel, Microsoft’s entry into the security information and event management (SIEM) space, offers customers a single product for analyzing large volumes of security events from across their organization to determine which events could possibly rise to the level of being a security incident. It relies on Log Analytics for log processing but includes additional tools to assist with detection and investigation of events that are security incidents. Sentinel also can be used to automatically respond to detected security incidents. Unpredictable costs for ingesting data into Microsoft Sentinel (and the underlying instance of Log Analytics, charged together) need to be carefully tracked to prevent excess spending. (For a discussion of commitment tiers and other opportunities to save on Sentinel costs, see the sidebar “Saving on Sentinel” For a comprehensive comparison of pay-as-you-go pricing to commitment tiers, see the illustration “Microsoft Sentinel Costs.”)