After a break following my last blog, in which I explained how to save money with Microsoft Sentinel data lake, I’d like to focus on how you can track costs with data lake meters. If you read my earlier blogs on Quorum Cyber’s thought leadership pages, you’ll know that this entire collection of advice and tips is covered in detail in a series called A little slice of… published with my peer Jon Shectman, Principal Program Manager for Security at Microsoft.
Jon and I are very much aware that cost visibility and control is a major challenge for Security Operations Centre (SOC) practitioners. As more organisations adopt the Microsoft Sentinel data lake, cost visibility becomes as important as detection quality – everyone wants to know what they’re paying for.
I’ll split this into two parts: Azure Cost analysis, which I cover in this blog, and tracking costs natively in the data lake, which I’ll cover in next week’s blog.
Azure Cost analysis
Let’s start with Azure Cost analysis, which is very good if you’re optimising storage accounts and virtual machines. It also provides the guardrails you might need to use Sentinel’s data lake responsibly.
Azure Cost analysis clearly surfaces the Sentinel data lake meters – once you know where to find them and how to read them. Historically, this has been a tool owned by Azure or finance teams rather than security. But as security teams face growing pressure to justify how limited budgets are spent, that’s starting to change.
This is a capability worth paying close attention to. Sentinel isn’t the only thing you can monitor – Azure Cost analysis works across many other Azure resources too.
To access this from the Azure Portal, navigate to portal.azure.com, search for “Cost Analysis”, select your security-related <Azure Subscription> / <Resource Group>, then choose All Views and daily costs.
For the full instructions (as there are a few details and tips we mention), head over to LinkedIn and our blog on Azure Cost analysis that I co-wrote with Jon Shectman.
Understanding Sentinel data lake meters
As Jon and I covered in Planning Your Data Lake Strategy – Part 2, Sentinel data lake spins five meters (Ingest, Transform, Compute, Store, and Query). I’ll cover a few key points.
Identifying cost drivers
Watch for changes that could push costs up, such as shifts in ingestion patterns, new data sources, additional summary rules, or increased hunting activity. Using a daily view is particularly helpful for spotting these trends.
Sample data lake ingestion does fluctuate, but the amount of data stored often remains fairly consistent.
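The daily-view check described above can also be scripted over an exported daily cost table. This is an added example, not code from the original post or from Microsoft; the Date, Meter and Cost column names, the thresholds and the sample figures are constructed assumptions rather than the real export schema.

```python
import csv
import io
from collections import defaultdict
from statistics import median

def load_daily_costs(csv_text):
    """Parse Date,Meter,Cost rows into {meter: [(date, cost), ...]} sorted by date."""
    series = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        series[row["Meter"]].append((row["Date"], float(row["Cost"])))
    return {meter: sorted(points) for meter, points in series.items()}

def flag_spikes(series, window=7, ratio=1.5, min_delta=1.0):
    """Flag days where a meter exceeds `ratio` times its trailing-median cost."""
    # min_delta (currency units) suppresses alerts on meters that cost almost
    # nothing, where a tiny absolute change is still a large ratio.
    alerts = []
    for meter, points in series.items():
        for i in range(window, len(points)):
            baseline = median(cost for _, cost in points[i - window:i])
            day, cost = points[i]
            if cost > baseline * ratio and cost - baseline >= min_delta:
                alerts.append((day, meter, cost, baseline))
    return sorted(alerts)

def build_sample_csv():
    """Constructed data: ten days of the five meters with a few injected changes."""
    base = {"Ingest": 20.0, "Transform": 2.0, "Compute": 5.0, "Store": 6.0, "Query": 0.2}
    overrides = {("Ingest", 9): 45.0, ("Ingest", 10): 45.0,   # new source onboarded
                 ("Compute", 10): 12.0, ("Query", 10): 0.9}   # heavier hunting day
    lines = ["Date,Meter,Cost"]
    for day in range(1, 11):
        for meter, cost in base.items():
            if meter == "Store":
                cost += 0.05 * day  # storage grows slowly and steadily
            cost = overrides.get((meter, day), cost)
            lines.append(f"2025-01-{day:02d},{meter},{cost:.2f}")
    return "\n".join(lines)

if __name__ == "__main__":
    for day, meter, cost, baseline in flag_spikes(load_daily_costs(build_sample_csv())):
        print(f"{day} {meter}: {cost:.2f} vs trailing median {baseline:.2f}")
```

A flag identifies which meter moved and when, not why; the cause still has to be traced in the workspace itself.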
Turning insight into action
Cost visibility supports more intentional architecture decisions, allowing teams to optimise for value without compromising security outcomes. Sharing or emailing the report can also be useful, as it provides a weekly or monthly prompt to review how things are tracking. This is especially helpful given that many Sentinel users now spend more of their time in the Defender portal.
However, for all of these benefits, Azure Cost analysis doesn’t know the difference between:
- A DNS log table ballooning because you just onboarded a new region
- A firewall rule misconfigured and sending 10x traffic
- Someone running a wide-open hunting query on petabytes of raw data.
This is why it’s important that I also explain how you can track costs natively in the data lake.
So, how do costs compare with Sentinel pre-data lake?
This is all well and good, but how much storage and expense will you save compared to before the data lake was available?
Look at the data drop-off for one table we optimised from late November, where ~100GB per day used to be in the Analytics Tier. With Sentinel data lake it’s now just ~20GB per day, and the 80GB/day is stored in Sentinel data lake for less than £200 ($270) a month (second chart).
Explore more of this series
If you wish to go deeper into this subject, please take a look at the more detailed blog on Azure Cost analysis that I co-wrote with Jon Shectman.
I’ll explain another way to track cost with Sentinel data lake meters next week. In the meantime, feel free to contact us at Quorum Cyber if you would like to discuss your cyber security and data security.


















