Update Aug 2025 — Asking ChatGPT if Microsoft Sentinel is “free” with an E5 license. Spoiler alert — not free…
Been tracking this topic for a few years. An update.
Question to ChatGPT:
“Imagine that I am a US based customer with a Microsoft E5 license. I need to ingest 500GB per day of logs, and I need to store these logs for 1 year. How much would this cost me?”
Analysis:
The reader should not take ChatGPT’s answers in this blog as “procurement correct”, but rather look at this as a fun experiment — dabbling with GenAI to dispel an urban legend, and to budget some SIEM gear.
First off, ChatGPT4 should have asked us a few questions to better estimate Sentinel’s cost, for example questions around the log mix, because some Microsoft logs are cheaper to manage than logs from other vendors. This, along with other parameters — e.g., do we also need to perform analytics on this data space, what is the scope of use cases — would impact the cost of the solution. ChatGPT4 didn’t ask us anything, used some assumptions I’m not aware of, and gave its estimate. As a spoiler alert, ChatGPT5 did better. It used its own assumptions, but also encouraged us to refine the estimation by providing answers to its qualifying questions.
In any case, again we can conclude that based on ChatGPT4’s hypothesis, Sentinel was far from free in June 2023.
Where are we today, 2 years later, Mon Aug 25th 2025? Well, let’s ask that same question to ChatGPT 5 in Auto mode. Looks like it went into some “thinking” — it spent 3 minutes and 24 seconds being pretty thorough spelunking web sites, PDFs and calculators found on the web. I guess this means that the answer was not that obvious.
Short answer: estimates range from $0.79M to $1.15M depending on commit vs. pay-as-you-go. So not only still not free, but the price increase these past 2 years (Jun 23 to Aug 25) is… drum rolls…. 50% ?!?
Either ChatGPT is still hallucinating, or Microsoft is slowly boiling the frog on Sentinel customers once they are deployed.
Or maybe — and these are not all mutually exclusive — I’m just asking ChatGPT a dumb question, or at least a tricky question without much context around my organization, my needs, my use cases, my data sources, my analytics requirements, etc etc.
Takeaways:
- Stop believing that Microsoft Sentinel is free with an E5 license; it's not. There are a few edge cases where you can get away with free stuff, but generally it's not free. In fact, ChatGPT directionally indicates Sentinel prices rising significantly.
- There is good progress between ChatGPT4 and ChatGPT5 in Auto/Thinking mode. For example, ChatGPT5 raises the log mix topic in its response. I played a bit more with it and it was astute in asking me necessary questions.
- However, don't think that, out of the box, GenAI will work miracles for you in the procurement space for cybersecurity solutions; each organization is too different. To be effective, be ready to provide answers to lots of context questions before you get a reliable Bill of Materials from even ChatGPT5 in Thinking mode.
This is ChatGPT 5’s answer:
The below is a straight copy/paste of the text in my session. All the below is ChatGPT5 in Auto/Thinking mode:
Thought for 3m 24s
Short version: at 500 GB/day for 1 year, you’re looking at roughly $0.79M–$0.82M/year on a commitment tier or ~$1.12M–$1.15M/year on pure pay-as-you-go, before any E5 data-grant offsets — details below.
Assumptions I’m using (and why they’re reasonable)
- You’re using Microsoft Sentinel (SIEM) on a Log Analytics workspace. Pricing is per-GB ingested + retention beyond the free window.
- 90 days of retention is free when Sentinel is enabled; beyond that, retention is billed per GB-month (prorated daily).
- You have Microsoft 365 E5; that includes a data grant up to 5 MB/user/day for eligible M365/XDR data types (doesn’t cover everything — e.g., generic firewall/proxy logs).
- Public list rates vary and Microsoft’s page pushes you to the calculator. Recent, reputable references put ingestion around $5.22/GB PAYG and ~$3.43/GB effective on a 100 GB/day commitment tier (scales to higher tiers), with retention ≈ $0.10–$0.12/GB-month.
Math (500 GB/day for 365 days)
A) Ingestion
- PAYG (~$5.22/GB):
500 GB/day × $5.22 × 365 ≈ $952,650/year.
- Commitment tier (≈$3.43/GB effective):
500 GB/day × $3.4252 × 365 ≈ $625,099/year.
B) Retention (beyond the free 90 days)
- Chargeable footprint ≈ 275 days of data always “on the meter”: 275 days × 500 GB/day = 137,500 GB stored.
- Price ≈ $0.10–$0.12/GB-month →
137,500 GB × $0.10–$0.12 ≈ $13,750–$16,500 per month, i.e., $165,000–$198,000/year.
Roll-up
- Commitment tier: $625k (ingest) + $165k–$198k (retention) ⇒ **$790k–$823k/year**.
- PAYG: $953k (ingest) + $165k–$198k (retention) ⇒ **$1.12M–$1.15M/year**.
E5 data-grant offset (if applicable)
If you have, say, 3,500 E5 seats, the 5 MB/user/day grant is ~17 GB/day for eligible Microsoft 365/XDR data. That would shave roughly $21k/year (commitment) to $33k/year (PAYG) off the ingestion line. (Grant applies only to specific data types; raw Defender/Entra sign-ins vs. alerts vary.)
Fine print that can swing costs
- Data mix: Some sources/alerts are free to ingest (e.g., O365 audit logs, Defender alerts), while raw logs (firewall, proxy, detailed endpoint telemetry) are billable. Map your tables before estimating.
- Tiers (Basic/Auxiliary/Analytics) & Data Lake: You can push high-volume/low-value logs to cheaper tiers or the Sentinel data lake for long-term storage to cut costs.
- Region & agreements: List prices vary by region and enterprise agreement — use the Azure pricing calculator for tenant-specific quotes.
If you want, tell me your seat count, log mix (firewall/proxy vs. Windows/Linux/Entra/Defender), and whether you’ll use Basic/Auxiliary/Data Lake, and I’ll re-run the math to a tighter number.
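The arithmetic in the ChatGPT answer above, reproduced as a small Python model. This is an added example, not part of the ChatGPT session or the original post: the rates are the ones quoted in the answer, while the 1 GB = 1000 MB conversion, the cap on eligible data and the `retention_first_year` function are assumptions added here. The last function goes beyond the answer by prorating retention daily over a new workspace's first year, when the billable footprint is still ramping up.

```python
# Added example: yearly Sentinel cost model using the rates quoted above.
DAYS = 365
FREE_RETENTION_DAYS = 90      # free retention window quoted in the answer
PAYG_PER_GB = 5.22            # USD/GB, quoted in the answer
COMMIT_PER_GB = 3.4252        # USD/GB effective, quoted in the answer
GRANT_MB_PER_USER_DAY = 5     # E5 data grant quoted in the answer


def ingestion_cost(gb_per_day, rate_per_gb, e5_seats=0, eligible_gb_per_day=0.0):
    """Yearly ingestion cost after the E5 grant.

    The grant only offsets eligible M365/XDR data, so it is capped at
    eligible_gb_per_day. Assumption: 1 GB = 1000 MB.
    """
    grant_gb = min(e5_seats * GRANT_MB_PER_USER_DAY / 1000, eligible_gb_per_day)
    return (gb_per_day - grant_gb) * rate_per_gb * DAYS


def retention_steady_state(gb_per_day, rate_per_gb_month, keep_days=DAYS):
    """Yearly retention cost once a full keep_days of data is stored."""
    billable_gb = max(0, keep_days - FREE_RETENTION_DAYS) * gb_per_day
    return billable_gb * rate_per_gb_month * 12


def retention_first_year(gb_per_day, rate_per_gb_month, keep_days=DAYS):
    """Year-one retention cost for a new workspace, prorated daily (assumption).

    On a given day, only data older than the free window is billed.
    """
    daily_rate = rate_per_gb_month * 12 / DAYS
    total = 0.0
    for day in range(1, DAYS + 1):
        billable_days = max(0, min(day, keep_days) - FREE_RETENTION_DAYS)
        total += billable_days * gb_per_day * daily_rate
    return total


if __name__ == "__main__":
    for label, rate in (("commitment", COMMIT_PER_GB), ("PAYG", PAYG_PER_GB)):
        ingest = ingestion_cost(500, rate)
        low, high = (retention_steady_state(500, r) for r in (0.10, 0.12))
        print(f"{label}: ${ingest + low:,.0f} to ${ingest + high:,.0f} per year")
    # Constructed scenario: 3,500 seats, at least 17.5 GB/day of eligible data.
    saved = ingestion_cost(500, PAYG_PER_GB) - ingestion_cost(500, PAYG_PER_GB, 3500, 500)
    print(f"E5 grant offset at PAYG: ${saved:,.0f} per year")
    print(f"Year-one retention at $0.10: ${retention_first_year(500, 0.10):,.0f}")
```

The steady-state function matches the answer's retention line; the year-one figure is lower because a new workspace has no data older than 90 days until day 91.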
