Microsoft has introduced a new capability in Microsoft Sentinel that gives organisations greater control over data lake costs by allowing limits to be enforced on KQL queries and notebooks.
As more teams adopt the Microsoft Sentinel data lake for large-scale investigation and analytics, it becomes increasingly important to manage how data is queried. Complex or unoptimised queries can consume significant resources, leading to unexpected cost increases.
What’s changed?
You can now configure cost limits that apply to:
- KQL queries executed against the Sentinel data lake
- Notebooks used for advanced hunting and investigation
Once configured, queries that exceed defined thresholds will be restricted – helping to prevent excessive data processing charges.
Why this matters
This update provides a practical way to strengthen cost governance without limiting analyst capability. It enables:
- Better cost control across your Sentinel deployment
- Reduced risk of unexpected spend from high-volume queries
- More confidence when enabling self-service querying for analysts
Where to find it
This feature is available within the Microsoft Sentinel experience in the Defender portal, under Cost Management and Configure Policies.
Note: You must have Billing Administrator permissions to view and enable this feature.
Learn more
For full details from Microsoft, see the official announcement.
Our recommendation
We recommend reviewing current query usage and setting appropriate limits based on your environment and operational requirements. This is particularly important for organisations with multiple analysts or teams accessing the data lake.
If you’re unsure what thresholds make sense, Quorum Cyber can help assess your current usage and implement controls aligned to your cost and security objectives.