L7. Sentinel Architecture: Workspaces, Connectors and Costs
Microsoft Sentinel is a cloud-native SIEM and SOAR built on Log Analytics workspaces. This lesson covers workspace architecture decisions, pricing tiers, data retention, and the role of content hub solutions for the SC-200 exam.
What Is Microsoft Sentinel?
Microsoft Sentinel is Microsoft's cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platform. It runs on top of Azure Log Analytics workspaces and provides:
- Intelligent security analytics across enterprise data
- Built-in AI for threat detection and hunting
- Automated response through playbooks (Logic Apps)
- Integration with 300+ data connectors
Workspace Architecture
Sentinel is enabled on a Log Analytics workspace. The workspace decision is one of the most important architectural choices:
| Approach | When to Use |
|---|---|
| Single workspace | Small to mid-size organizations with simple requirements |
| Multi-workspace | Multi-tenant MSPs, data residency requirements, or separation of duties |
| Workspace manager | Centrally manage multiple Sentinel workspaces at scale |
- Data residency: Some regulations require logs to stay in specific Azure regions
- RBAC boundaries: Separate workspaces enable separate permission models
- Cost optimization: Different workspaces can use different pricing tiers
- Query performance: Cross-workspace queries are possible but slower
Cross-workspace queries use the workspace() function in KQL to reference tables in another workspace.
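As an added illustration of the workspace() function (this query is not part of the lesson), the following KQL hunts for failed Entra ID sign-ins across the workspace the query runs in plus two others. The workspace names "sentinel-eu" and "sentinel-us" are placeholders; substitute your own workspace names or IDs. The extend on each leg records which workspace a row came from, which a plain union would not show.

```kql
// Added example: cross-workspace query with workspace(), not from the lesson.
// "sentinel-eu" and "sentinel-us" are assumed placeholder workspace names.
// isfuzzy=true lets the query run even if one workspace lacks the table.
union isfuzzy=true
    (SigninLogs
     | extend SourceWorkspace = "local"),                 // the workspace Sentinel is attached to
    (workspace("sentinel-eu").SigninLogs
     | extend SourceWorkspace = "sentinel-eu"),           // second workspace, referenced by name
    (workspace("sentinel-us").SigninLogs
     | extend SourceWorkspace = "sentinel-us")
| where TimeGenerated > ago(24h)
| where ResultType != "0"                                 // ResultType "0" is a successful sign-in
| summarize FailedAttempts = count(),
            DistinctIPs = dcount(IPAddress),
            LastSeen = max(TimeGenerated)
          by UserPrincipalName, SourceWorkspace
| where FailedAttempts >= 20                              // threshold is an assumption; tune per environment
| sort by FailedAttempts desc
```

The account running the query needs at least Log Analytics Reader on every workspace referenced; a workspace() reference to a workspace you cannot read fails the whole query unless isfuzzy=true is set, in which case that leg is silently skipped. Because each leg is executed remotely and the results merged, keep the time window tight, as the lesson notes that cross-workspace queries are slower than single-workspace ones.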
Pricing and Cost Management
Sentinel pricing has two components:
- Log Analytics data ingestion: Cost per GB ingested
- Sentinel analytics charge: Additional cost per GB for Sentinel features
Pricing tiers:
| Tier | Best For |
|---|---|
| Pay-As-You-Go | Unpredictable or low volume (<100 GB/day) |
| Commitment Tiers (100, 200, 400 GB/day, etc.) | Predictable, higher-volume ingestion with discounts |
Data sources that are free to ingest into Sentinel (no analytics charge):
- Azure Activity logs
- Office 365 audit logs (SharePoint, Exchange, Teams activity)
- Alerts from Microsoft Defender products
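Before choosing between Pay-As-You-Go and a Commitment Tier, measure what the workspace actually ingests. The following KQL against the Usage table is an added example, not from the lesson; Quantity in that table is recorded in MB, and the tier thresholds in the case() expression are taken from the table above (the "etc." tiers are omitted, and the actual cheapest option depends on the per-GB prices, which this lesson does not give).

```kql
// Added example: billable ingestion per table over the last 30 days.
// Free sources such as AzureActivity appear with IsBillable == false and are excluded.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType   // Quantity is in MB
| sort by IngestedGB desc

// Average and peak daily billable volume, mapped to the commitment thresholds
// listed in the lesson (100 / 200 / 400 GB/day). Assumes a 30-day sample is representative.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize DailyGB = sum(Quantity) / 1024 by bin(TimeGenerated, 1d)
| summarize AvgDailyGB = round(avg(DailyGB), 2), MaxDailyGB = round(max(DailyGB), 2)
| extend ThresholdReached = case(AvgDailyGB >= 400, "Commitment Tier 400 GB/day",
                                 AvgDailyGB >= 200, "Commitment Tier 200 GB/day",
                                 AvgDailyGB >= 100, "Commitment Tier 100 GB/day",
                                 "Pay-As-You-Go (below 100 GB/day)")
```

The first query is also the quickest way to spot high-volume, low-value tables that are candidates for the Basic logs plan described under Data Retention: a table contributing a large share of IngestedGB but rarely used in analytics rules is the usual target.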
Data Retention
Default retention is 90 days at no additional cost. Extended retention options:
- Interactive retention: Up to 2 years (pay per GB/month beyond 90 days)
- Archive tier: Up to 12 years total (low-cost, query with search jobs or restore)
- Basic logs: Lower-cost ingestion for high-volume, low-value logs (limited query capabilities, 8-day interactive retention)
Basic logs support only simple KQL queries (no joins, summarize, or aggregations) and have an 8-day interactive retention window followed by archive.
Content Hub
The Content Hub provides pre-built security content packages called "solutions." A solution can include:
- Data connectors
- Analytics rules
- Hunting queries
- Workbooks
- Playbooks
- Watchlists
Solutions are published by Microsoft, partners, and the community. Install solutions from the Content Hub to quickly deploy detection and response capabilities for specific data sources.
Sentinel in the Defender Portal
Microsoft Sentinel can now be accessed through the unified Defender portal at security.microsoft.com, alongside Defender XDR. This brings Sentinel incidents, hunting queries, and automation into the same interface SOC analysts already use for Defender workloads.
Key Takeaways
- ✓ Sentinel runs on Log Analytics workspaces. Use a single workspace unless regulations or RBAC require separation.
- ✓ Azure Activity logs and Office 365 audit logs are free to ingest into Sentinel (no analytics charge).
- ✓ Basic logs offer lower-cost ingestion for high-volume data but limit KQL queries and have 8-day interactive retention.
- ✓ The Content Hub provides pre-built solutions containing connectors, analytics rules, workbooks, and playbooks.
- ✓ Cross-workspace queries use the workspace() function in KQL.
- ✓ Commitment Tiers provide discounts for predictable ingestion volumes starting at 100 GB/day.
Review Questions
1. Which data source is free to ingest into Microsoft Sentinel with no additional analytics charge?
2. An organization needs to retain security logs for 7 years at minimal cost. Which Sentinel retention option should they use?
3. What KQL function enables querying data across multiple Sentinel workspaces?