Microsoft announced the public preview of Microsoft Sentinel Cost Management at Microsoft Ignite 2025. The new feature brings more in-depth cost visibility into the usage of Sentinel and Sentinel Data Lake. With the release of Microsoft Sentinel data lake, it is essential to gain visibility into pricing and the new key cost drivers that are now available.

Microsoft Sentinel Cost Management

The new cost management experience, currently in preview and under Microsoft Sentinel > Cost management in the Microsoft Defender portal, helps you manage and monitor costs associated with your use of the data lake tier.

Good to know: This preview experience is limited to the data lake tier and does not yet include cost insights for Microsoft Sentinel Log Analytics workspaces. For now, cost management data applies only to data lake usage.

Microsoft Sentinel Cost Management is available via Microsoft Defender -> Cost management

Cost management includes two views:

  • Usage (for getting data lake usage details)
  • Notification (for configuring notification and service alerts related to the ingested cost)

Permissions

Good to know, Microsoft Sentinel cost management is available for users with the Security Administrator role and the Billing Administrator role in Entra. Good to know; this is the Billing Administrator role in Microsoft Entra and not the Azure subscription Billing Administrator role.

When both roles are assigned,Microsoft Sentinel cost management will be available in the Defender portal.

Usage

The Usage page provides entry points to relevant cost-tracking capabilities, along with a direct link to usage reports and settings. The usage report is particularly useful. The general cost management usage blade shows the total data lake ingestion volume with a trendline, as well as the compute hours consumed.

Other usage reports

The following reports are available:

  • Data lake ingestion
  • Data lake storage
  • Data lake query
  • Advanced data insights
  • Data processing

Data Lake ingestion:

This report is useful for viewing the total data ingested in GB, along with a tenant-wide trend of ingestion volume over time. Another valuable insight is the list of the top 10 tables by ingestion volume, which helps identify the most data-intensive tables.

Data Lake storage:

This report is useful for tracking the total data stored in the data lake. It shows the total amount and trend of stored data in GB, as well as the top 10 tables by volume.

Tip: When you add a table to the filter, you can view all tables and their ingested volumes directly in the visual.

Data lake query:

This view displays data lake query usage, showing the total amount of data scanned in GB. Charges are incurred for each GB of data analyzed through data lake exploration using KQL queries, KQL jobs, or Search.

Advanced data insights:

Charges are based on compute hours used when running data lake exploration notebook sessions or jobs. Compute hours are calculated by multiplying the number of cores in the selected pool by the duration of the active session or running job.

Data processing: $0.10/GB if you run transformations (e.g., redaction, filtering, splitting, normalization). Data processing is needed when data is filtered via transformation rules.

Notifications

The Notifications page allows you to set usage thresholds for each capability and receive email alerts when those limits are reached. By configuring these thresholds, you can better monitor your usage and avoid unexpected charges. At this time, notification emails are sent to the billing administrator who sets up the thresholds.

The available notification meters:

Example below ( it will generate a notification email when the GBs analyzed for the data lake query reach 80 percent of the set threshold of 1000GB.

Cost Analysis in Azure

Another method is via the use of Cost Analytics in Azure. Since Sentinel Data Lake is exposed as an Azure resource, all meters are available in Azure. You can use Cost Analysis in Azure Cost Management to get more insights into the specific cost usage of Sentinel data lake, where Cost Management is more for the usage and ingested data.

Since Sentinel Data Lake is exposed as an Azure resource (msg-resources-% prefix or resource type: “microsoft.sentinelplatformservices”

The following meters are available:

  • Data Lake storage Data Stored
  • Data processing Data Processed
  • Data lake ingestion Data Processed
  • Data Lake query Data Analyzed

Pricing in the Data Lake tier is a cost-effective option based on a rate per GB. The following meters are part of the pricing:

  • Data lake ingestion charges are incurred per GB of data ingested for tables in Lake only mode.
  • Data lake storage charges are incurred per GB per month for any data stored beyond the interactive retention period or in Lake only mode.
  • Data lake query charges are incurred per GB of data analyzed using data lake exploration KQL queries, KQL jobs, or Search.
  • Advanced data insights charges are based on compute hours used when running data lake exploration notebook sessions or jobs. Compute hours are calculated by multiplying the number of cores in the selected pool by the duration of the active session or running job.

Sources

Microsoft: Manage and monitor costs for the data lake tier