Microsoft has introduced a new capability in Microsoft Sentinel that gives organisations greater control over data lake costs by allowing limits to be enforced on KQL queries and notebooks.

As more teams adopt the Microsoft Sentinel data lake for large-scale investigation and analytics, it becomes increasingly important to manage how data is queried. Complex or unoptimised queries can consume significant resources, leading to unexpected cost increases.

What’s changed?

You can now configure cost limits that apply to:

  • KQL queries executed against the Sentinel data lake
  • Notebooks used for advanced hunting and investigation

Once configured, queries that exceed defined thresholds will be restricted – helping to prevent excessive data processing charges.

Why this matters

This update provides a practical way to strengthen cost governance without limiting analyst capability. It enables:

  • Better cost control across your Sentinel deployment
  • Reduced risk of unexpected spend from high-volume queries
  • More confidence when enabling self-service querying for analysts

Where to find it

This feature is available within the Microsoft Sentinel experience in the Defender portal, under Cost Management and Configure Policies.

Note: You must have Billing Administrator permissions to view and enable this feature.

Learn more

For full details from Microsoft, see the official announcement.

Our recommendation

We recommend reviewing current query usage and setting appropriate limits based on your environment and operational requirements. This is particularly important for organisations with multiple analysts or teams accessing the data lake.

If you’re unsure what thresholds make sense, Quorum Cyber can help assess your current usage and implement controls aligned to your cost and security objectives.
