Security teams are being forced to retain more data for compliance, investigations, and threat hunting, but long-term SIEM storage can get expensive fast. Microsoft Sentinel Data Lake helps you keep hot data in Log Analytics for speed while moving older data into a lower-cost retention tier for “cheap and deep” history.
Both Gartner and Forrester highlight cost optimization as a top priority for SIEM buyers in 2026, with “storage costs” cited as the most frequent pain point.
The good news is that SIEM retention has gotten less expensive; you just have to take a few steps to get there. A common problem with retaining data in cloud-native SIEM solutions like Microsoft Sentinel (being relocated to the Defender Portal on 7/1/2026) is that long-term retention had become cost prohibitive. When compliance, investigations, and sometimes threat hunting require 12-24+ months of data, making tradeoff decisions about what to retain versus delete isn’t always an option. Storing long-term data in Azure Log Analytics was expensive at scale: at $2-$3 per GB per month, a terabyte runs roughly $2,000-$3,000 per month, or on the order of $70,000 per TB over a 24-month retention period. That cost is unsustainable for most organizations compared to the $0.12 per GB of Sentinel Data Lake.
95% reduction in security storage costs for data beyond 90 days! Do I have your attention yet?
To address this growing need (and cost), Microsoft introduced Sentinel Data Lake for long-term retention. Sentinel Data Lake is a purpose-built, low-cost storage tier for long-term Sentinel data. By decoupling retention from real-time analytics, you can keep recent data in Log Analytics workspaces for rapid detection and investigation while using “cheap and deep” storage for compliance, historical analysis, and post-event forensics.
Who Needs This?
It’s important to know who benefits from Sentinel Data Lake and for whom it just adds complexity. A Sentinel-enabled Log Analytics workspace keeps data in interactive (hot) retention for 90 days by default. With a traditional approach to security, 90 days covers the ability to actively monitor, correlate, and respond to threats. If you ingest small volumes of data, or primarily Microsoft 365 data that falls under the no-cost E5 ingestion benefit, it makes sense to keep everything in the fastest, hottest storage tier.
However, organizations that are under regulatory compliance, ingest large volumes of data, or require historical retention of 12+ months will quickly find cost becoming an issue. For them, it is relatively easy to offload retention data into predictable, low-cost cool/cold storage by enabling Microsoft’s built-in retention policies, which transition data past the hot window seamlessly.
Best Practices for Implementation
To maximize the value of Sentinel Data Lake and shift your current posture, do the following:
- Start with a plan: define your retention tiers and requirements, determining what data needs to stay hot (90 days) versus cold (years). With the requirements written down, it is easy to configure them and validate that they are being met.
- Automate data movement: use Microsoft’s built-in retention policies to transition data between tiers seamlessly rather than exporting and re-importing it by hand.
- Plan for retrieval latency: set the expectation that queries against the cold tier are slower than interactive queries, and design investigation and compliance workflows accordingly.
- Monitor storage costs: regularly review usage per table and tune retention based on ingestion patterns. Take advantage of reserved capacity, discounts, and promotions offered by Microsoft to reduce the overall cost of storage throughout your Azure environment.
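As an added example (not code from the original post or from Microsoft), the script below turns a written retention plan into table-level retention settings on a Sentinel-enabled Log Analytics workspace, refuses inconsistent tiers before anything is applied, and prints the per-table usage query used to size the plan. The resource group and workspace names, the sample plan, and the retention limits it enforces (4-730 days interactive, up to 4383 days total) are assumptions for illustration and should be checked against current Microsoft documentation; the `az monitor log-analytics workspace table update` flags are the ones documented for the Azure CLI, and the script defaults to printing the commands rather than running them.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from Microsoft.
# Applies a retention plan (hot days vs. total days per table) to a
# Sentinel-enabled Log Analytics workspace via the Azure CLI.
# Assumptions: resource group and workspace names below, Azure CLI installed
# and logged in, and the retention limits in validate_tier being current.
set -eu

RG="${RG:-rg-security}"      # assumed resource group name
WS="${WS:-law-sentinel}"     # assumed workspace name
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the az commands, 0 = run them

# Constructed sample plan, one table per line: <table> <hot_days> <total_days>.
# hot_days is the interactive (analytics) retention; data between hot_days and
# total_days lives in the lower-cost data lake tier.
PLAN='
SecurityEvent     90  730
SigninLogs        90  2555
CommonSecurityLog 30  365
Syslog            30  365
'

is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# validate_tier TABLE HOT TOTAL: 0 if the pair is consistent, 1 (with a
# message on stderr) otherwise. Limits are assumed; verify against the docs.
validate_tier() {
  table=$1 hot=$2 total=$3
  if ! is_int "$hot" || ! is_int "$total"; then
    echo "ERROR $table: retention days must be integers" >&2; return 1
  fi
  if [ "$hot" -lt 4 ] || [ "$hot" -gt 730 ]; then
    echo "ERROR $table: interactive retention $hot outside 4-730 days" >&2; return 1
  fi
  if [ "$total" -lt "$hot" ] || [ "$total" -gt 4383 ]; then
    echo "ERROR $table: total retention $total must be >= $hot and <= 4383" >&2; return 1
  fi
  return 0
}

# retention_cmd TABLE HOT TOTAL: the az command that applies one plan line.
retention_cmd() {
  printf 'az monitor log-analytics workspace table update --resource-group %s --workspace-name %s --name %s --retention-time %s --total-retention-time %s\n' \
    "$RG" "$WS" "$1" "$2" "$3"
}

# usage_query: KQL that sizes the plan, billable GB per table over 30 days.
usage_query() {
  cat <<'KQL'
Usage
| where TimeGenerated > ago(30d) and IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc
KQL
}

# apply_plan: validate every line first, then print or run the az commands.
# Returns 1 if any line fails validation, so nothing is applied half-way.
apply_plan() {
  bad=0
  while read -r table hot total; do
    [ -n "$table" ] || continue
    validate_tier "$table" "$hot" "$total" || bad=1
  done <<EOF
$PLAN
EOF
  [ "$bad" -eq 0 ] || return 1
  while read -r table hot total; do
    [ -n "$table" ] || continue
    cmd=$(retention_cmd "$table" "$hot" "$total")
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
  done <<EOF
$PLAN
EOF
}

echo "# Sizing query (run with: az monitor log-analytics query -w <workspace-id> --analytics-query \"\$(usage_query)\"):"
usage_query
echo "# Retention changes:"
apply_plan
```

Run with `DRY_RUN=0` once the printed commands look right. Setting `--retention-time` shorter than `--total-retention-time` is what moves data past the hot window into the lower-cost tier; a table whose total retention equals its interactive retention stays entirely hot, and the query output tells you which tables are worth the trouble.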
Outcomes You Can Expect
Overall, this change is a no-brainer for organizations with long-term retention needs.
If you can accept the primary drawback of a slower retrieval speed on data that you rarely (or never) need, you can achieve substantial cost savings on storage in your Azure environment.
ThreatDefender: Accelerate the Path Forward and a Call to Action
As a Microsoft Verified MSSP, we’ve built our ThreatDefender MXDR solution to help clients operationalize Sentinel quickly and effectively. For some, the best approach is to build their own environment with our guidance. For others, a co-managed or fully managed model delivers faster results and lower overhead.
We offer Sentinel Optimization Workshops to assess readiness, design future-state architectures, and support migration efforts. Our managed detection and response services are built around Microsoft security with Microsoft best practices in mind, enabling you to own your data and access security experts who extend your team or act as your team.
Make Your Sentinel Retention Costs Predictable
Get a clear retention tier plan, validate your cost model, and implement Sentinel Data Lake policies so you keep the data you need without paying “hot storage” prices for everything.
