My customer asked me to calculate Azure consumption costs (before implementation) for Azure AD audit & sign-in log integration to Event Hub, Log Analytics and Storage Account when the final destination is an on-premises SIEM system. A piece of cake, I thought, but it wasn’t. For that reason, I decided to write a short blog post about the topic.
What is needed for integration?
- Azure AD (at least with P1 license)
- Azure subscription
- Azure Monitor aka Log Analytics implemented (this is optional but recommended)
- Event Hub Namespace with at least one Event Hub
- Storage Account
- On-prem SIEM system (such as Splunk and QRadar)
When planning log integration, it’s important to look at the big picture: from which sources your organization wants to send events to the SIEM, and how much you want to leverage the tools available in the cloud. That is a topic for a different blog post in 2020.
Guideline – Example
When planning log integrations, I have personally followed these guidelines, which follow Microsoft best practices:
- Stream Azure AD activity (sign-in & audit) logs to an Azure Event Hub and integrate logs to Security Information and Event Management (SIEM) tools for analytics, such as Splunk and QRadar (consider leveraging Azure Sentinel, at least collecting all events from the cloud).
- Send Azure AD activity logs to Azure Monitor (aka Log Analytics) logs to enable rich visualizations, monitoring and alerting
- Archive Azure AD activity logs to an Azure storage account, to retain the data for a long time
- If only alerts are needed, use Intelligent Security Graph (ISG) to get alerts from the cloud to the SIEM system
Scenario
In the following examples, there are hypothetical organizations with 100k, 7k, and 3k users. They want to send Azure AD sign-in & audit logs to the destinations below. How much does that add to Azure consumption for the selected components?
- Azure Monitor (Log Analytics)
- Storage Account
- Event Hub
Btw, Microsoft recently started using the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service.
Azure Monitor aka Log Analytics
The following table describes the estimated costs for Log Analytics (LA) usage in the defined scenario. Because LA is not used for long-term storage, unexpected costs can be avoided with the correct data retention policy.
Data and examples in the table below are from docs.microsoft.com. Based on these numbers I can quickly calculate estimates for a 3000-user environment. Keep in mind that these are rough estimates, converted from $ to € at the daily exchange rate.
Log | Number of users | Events per day | Events per month | Cost per month € |
Audit & Sign-in | 100,000 | 16,500,000 | 495,000,000 | 1029€ |
Audit | 100,000 | 1,500,000 | 45,000,000 | 232€ |
Sign-in | 100,000 | 15,000,000 | 450,000,000 | 798€ |
Audit & Sign-in | 3000 | 495,000 | 14,850,000 | 32,82€ |
The estimated Azure Monitor (Log Analytics) cost is approximately 33$ per month in the West Europe datacenter, based on the numbers used in the calculation. To see how the estimate matched a real-life example, scroll down 🙂
Event Hub
Estimated Event Hub costs are in the table below. According to Microsoft, a message in the event hub has a maximum size of 256 KB, and if the total size of all the messages within the timeframe exceeds that volume, multiple messages are sent.
Calculation from docs.microsoft.com
For example, about 18 events per second ordinarily occur for a large tenant of more than 100,000 users, a rate that equates to 5,400 events every five minutes. Because audit logs are about 2 KB per event, this equates to 10.8 MB of data. Therefore, 43 messages are sent to the event hub in that five-minute interval.
Log | Users | Events per sec | Events per 5 min interval | Volume per int. | Messages per month | Costs per month € |
Audit & Sign-in | 100,000 | 18 | 5400 | 10.8 MB | 371,520 | 10.20€ |
Audit & Sign-in | 3000 | 0,54 | 162 | 0,32 MB | 11,145 | 10€ |
The estimated Event Hub cost is approximately 10€ per month. The dominant cost factor for Event Hub here is the throughput unit, because events are measured in millions. One throughput unit (TU) costs approximately 10€.
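The docs.microsoft.com calculation above, generalized to any tenant size, as an added example (not code from the original post or from Microsoft's documentation). It assumes the event rate scales linearly with user count, a 30-day month, and the Event Hubs Standard-tier quota of 1 MB/s or 1,000 events/s of ingress per throughput unit; the function name `estimate_event_hub` is hypothetical.

```python
import math

# Reference figures quoted in this post from docs.microsoft.com.
REF_USERS = 100_000          # tenant size behind the reference rate
REF_EVENTS_PER_SEC = 18      # events per second for that tenant
EVENT_SIZE_KB = 2            # approximate size of one audit event
MAX_MESSAGE_KB = 256         # maximum size of one Event Hub message
INTERVAL_SEC = 5 * 60        # the five-minute interval used in the post
INTERVALS_PER_MONTH = 12 * 24 * 30  # assumption: 30-day month

# Assumption: Standard tier, where one throughput unit (TU) accepts
# up to 1 MB/s or 1,000 events/s of ingress.
TU_INGRESS_KB_PER_SEC = 1000
TU_INGRESS_EVENTS_PER_SEC = 1000


def estimate_event_hub(users):
    """Size the Event Hub load for a tenant with `users` users.

    Assumes the event rate scales linearly with the user count.
    """
    events_per_interval = REF_EVENTS_PER_SEC * INTERVAL_SEC * users / REF_USERS
    volume_kb = events_per_interval * EVENT_SIZE_KB
    # A partially filled 256 KB message is still one message.
    messages_per_interval = math.ceil(volume_kb / MAX_MESSAGE_KB)
    # Sustained ingress decides how many TUs must be provisioned.
    ingress_kb_per_sec = volume_kb / INTERVAL_SEC
    messages_per_sec = messages_per_interval / INTERVAL_SEC
    throughput_units = max(
        1,
        math.ceil(ingress_kb_per_sec / TU_INGRESS_KB_PER_SEC),
        math.ceil(messages_per_sec / TU_INGRESS_EVENTS_PER_SEC),
    )
    return {
        "events_per_interval": events_per_interval,
        "volume_kb": volume_kb,
        "messages_per_interval": messages_per_interval,
        "messages_per_month": messages_per_interval * INTERVALS_PER_MONTH,
        "throughput_units": throughput_units,
    }


if __name__ == "__main__":
    for users in (100_000, 3_000):
        print(users, estimate_event_hub(users))
```

Rounding up to whole 256 KB messages gives 17,280 messages per month for 3,000 users, higher than the linearly scaled 11,145 in the table. Either way the load fits within one throughput unit, which is why the estimate stays near 10€ for both tenant sizes.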
Storage
Estimated storage costs for 100,000 & 1000 user environments are in the table below.
Log | Users | Events per day | The volume of data per month | Cost per month $ | Costs per year $ |
Audit | 100,000 | 1.5 million | 90 GB | 1.93 | 23.12 |
Audit | 1000 | 15000 | 900 MB | 0.02 | 0.24 |
Sign-in | 1000 | 34800 | 4 GB | 0.13 | 1.56 |
The estimated storage costs are approximately 0.50€ per month.
Estimation
A rough estimate of the monthly log integration cost in an environment of 3000 end-users:
- Azure Monitor aka Log Analytics: 32€
- Event Hub: 10€
- Storage: 0,50$ – 0,45€
- Total: 50,95/month – 611,40€/year
How Pricing Correlates To Real Life?
As said, the numbers above are estimates based on Microsoft reference documentation and the pricing calculator. There is a small difference in real life.
Log Analytics
- 3000 end-users – price estimation of a Log Analytics is 3,46€
- 7000 end-users – price estimation of a Log Analytics is 4,51€
Event Hub
The environment with 7k end-users has 4.18GB of data flowing through the Event Hub. The price of the Event Hub is approx. 11,50€/month.

Storage
Storage account cost in the environment that contains 7k end-users is approximately 6€/month.
Summary
I have to say that Azure pricing is a bit complicated in many circumstances. Anyway, this gives rough estimates of how much log integrations could add to Azure consumption. Another point: measuring the Azure consumption costs was most probably more expensive than running the services for a year 🙂
Estimations were calculated with the Azure pricing calculator and docs.microsoft.com references, and compared to real Azure consumption from the subscription invoices.
Initial estimations (3000 end-users) in West Europe Datacenter:
- Azure Monitor aka Log Analytics: 32€
- Event Hub: 10€
- Storage: 0,50$ – 0,45€
- Total: 42,50/month – 510€/year
Real-life costs (in the environment which has 3000 end-users):
- Azure Monitor aka Log Analytics: 3,5-5€
- Event Hub: 11,50€
- Storage: 6€
- Total: 22,50/month – 270€/year
Reference
Azure AD logs in Azure Monitor
Until next time, or maybe until next year :) I have one topic on my table (Azure Lighthouse and Sentinel integration), but let’s see whether I am able to solve the environment’s technical issues for the blog before the year changes.
If you are this far, thanks for reading my blog, Merry Christmas & Happy New Year!
This is awesome Sam! I can’t wait to dig into this a bit more.
Hi Matt,
Thanks for reading 🙂 Please let me know if you have any questions related to it.
-Sam
Good stuff champ! (y)
Thanks for reading Teemu 🙂
Yes, reading I do well, but not so much writing… 😀 😉
Thank you for sharing. Sharing the exact same dilemma. Very useful
Glad you find it useful!