What is the method for splitting Azure Sentinel costs based on the log volume originating from a specific subscription?

Kajetan 0 Reputation points
2025-11-14T13:41:18.4966667+00:00

Hi,

I have the following issue. I have one tenant with several clients, and we are in the process of implementing Microsoft Sentinel. However, it is important for me to allocate costs between subscriptions. How should I approach this?

Should I create a separate Microsoft Sentinel instance per subscription and manage rules, configuration, etc., using Terraform? Or is it possible to consolidate multiple Log Analytics workspaces, where logs are being collected, into a single Microsoft Sentinel instance?

Additionally, what happens when Microsoft Sentinel transitions to the Microsoft Defender platform? How should I allocate costs in that case, considering that, if I understand correctly, there will only be one Microsoft Sentinel instance within the Microsoft Defender platform?

For example, if I am collecting logs from several hundred KeyVaults, some of the logs will belong to Client A and some to Client B. How should I allocate the costs generated by each client?

I would appreciate your insights on this matter.

Microsoft Security | Microsoft Sentinel

1 answer

  1. Q&A Assist
    2025-11-14T13:42:37.9033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To allocate Azure Sentinel costs based on log volume from specific subscriptions, you have a couple of options:

    1. Separate Microsoft Sentinel Instances: Creating a separate Microsoft Sentinel instance for each subscription is a straightforward way to manage costs. This allows you to track and allocate costs directly based on the logs ingested from each subscription. You can manage the configurations and rules using Terraform, which can help automate the deployment and management of these instances.
    2. Consolidated Log Analytics Workspaces: Alternatively, you can consolidate multiple Log Analytics workspaces into a single Microsoft Sentinel instance. This approach can be beneficial if the combined log volume from all subscriptions reaches a commitment tier, potentially leading to cost savings. However, this may complicate cost allocation since all logs will be aggregated in one instance.

    Regarding the transition of Microsoft Sentinel to the Microsoft Defender platform, it is essential to understand how costs will be structured in that environment. If there is only one Microsoft Sentinel instance within the Microsoft Defender platform, you will need to implement a strategy to allocate costs based on the logs collected from each client. This could involve tagging logs or using specific naming conventions to differentiate between clients, allowing for more straightforward reporting and cost allocation.

    In your example with logs from several KeyVaults belonging to different clients, you could consider using Azure's resource tagging features to tag resources by client. This would help in tracking usage and costs associated with each client, even if all logs are collected in a single Sentinel instance.

    Ultimately, the choice between separate instances or a consolidated approach depends on your specific needs for cost tracking, management complexity, and the volume of logs being processed.

    0 comments No comments
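
One way to do the per-client split when everything lands in a single workspace, as an added example that is not part of the question or the answer above: the KQL held in `USAGE_QUERY` sums billable bytes per subscription using the standard Log Analytics columns `_IsBillable`, `_BilledSize` and `_SubscriptionId`, and `allocate` divides an invoice total across clients in proportion to those bytes. The subscription IDs, the client mapping and the invoice amount are constructed sample values.

```python
from collections import defaultdict

# KQL that produces the input rows (run it in the workspace; `find` scans every
# table, so keep the time range as short as the billing period requires).
USAGE_QUERY = """
find where TimeGenerated > ago(30d) project _BilledSize, _IsBillable, _SubscriptionId
| where _IsBillable == true
| summarize BillableBytes = sum(_BilledSize) by _SubscriptionId
"""

GB = 10**9
# Constructed sample output of the query above (not real subscription IDs).
SAMPLE_ROWS = [
    {"_SubscriptionId": "00000000-0000-0000-0000-0000000000a1", "BillableBytes": 600 * GB},
    {"_SubscriptionId": "00000000-0000-0000-0000-0000000000a2", "BillableBytes": 150 * GB},
    {"_SubscriptionId": "00000000-0000-0000-0000-0000000000b1", "BillableBytes": 249 * GB},
    {"_SubscriptionId": "", "BillableBytes": 1 * GB},  # data with no Azure resource behind it
]
# Constructed mapping: one client can own several subscriptions.
SUB_TO_CLIENT = {
    "00000000-0000-0000-0000-0000000000a1": "Client A",
    "00000000-0000-0000-0000-0000000000a2": "Client A",
    "00000000-0000-0000-0000-0000000000b1": "Client B",
}


def allocate(rows, sub_to_client, invoice_cents):
    """Split invoice_cents across clients in proportion to billable bytes."""
    bytes_by_client = defaultdict(int)
    for row in rows:
        # Unknown or empty subscriptions go to an explicit bucket so that no
        # ingested volume is silently dropped from the split.
        client = sub_to_client.get(row["_SubscriptionId"], "UNALLOCATED")
        bytes_by_client[client] += int(row["BillableBytes"])
    total = sum(bytes_by_client.values())
    if total == 0:
        raise ValueError("no billable data in the period")
    # Integer floor share first, then hand the leftover cents to the largest
    # remainders so the shares add up to the invoice exactly.
    shares = {c: invoice_cents * b // total for c, b in bytes_by_client.items()}
    leftover = invoice_cents - sum(shares.values())
    order = sorted(bytes_by_client,
                   key=lambda c: (-(invoice_cents * bytes_by_client[c] % total), c))
    for client in order[:leftover]:
        shares[client] += 1
    return shares


if __name__ == "__main__":
    print(allocate(SAMPLE_ROWS, SUB_TO_CLIENT, 100_001))
```

Because the split is proportional to the actual invoice, any commitment-tier discount on the shared workspace is passed on to each client in the same ratio.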
