Microsoft Sentinel — SKU Constellation Map

What a CISO needs to know about Sentinel as a SKU — licence model, prerequisites, the Defender XDR pairing, ingest-governance discipline, and the operating shape that keeps cost predictable.


Microsoft Sentinel — SKU Anchor

Start at the SKU itself — confirm the consumption model, ingest tiers, and the basic-vs-analytics decision before any onboarding work.

~ 2 weeks

Search any SKU, capability, risk, or source on this map.

Filter by type

Narrative intro

Sentinel is the SIEM-and-SOAR substrate of the modern SOC. The licence model is consumption — ingest, retention, and queries — which means the SKU's operational shape is dominated by data governance rather than seat counts. This map walks the buyer's-eye view: what the SKU includes, what it requires, how it pairs with Defender XDR, and the operating discipline that keeps cost predictable.

Key takeaways

  • Sentinel pricing is dominated by ingest volume — basic-vs-analytics tier discipline is mandatory, not optional
  • Defender XDR is the canonical pairing — the cross-domain correlation is most of the value
  • Detection engineering is a continuous discipline, not a one-off configuration exercise
  • Reservations on Log Analytics capacity tame predictable workloads; ad-hoc ingest is the cost spike

Programme shape

  • Estimated duration: 8 to 16 weeks
  • Estimated FTE: 0.5 FTE SOC engineering lead + part-time identity and platform SMEs during onboarding
  • Spend tier: significant
  • Risk level: moderate

Cost is the dominant operational risk. Ingest tier discipline and detection-engineering rigour are the difference between predictable consumption and surprise bills.