MicrosoftDocs
diff --git a/‎articles/sentinel/TOC.yml‎
Lines changed: 41 additions & 6 deletions b/‎articles/sentinel/TOC.yml‎
Lines changed: 41 additions & 6 deletions
diff --git a/‎articles/sentinel/billing-monitor-costs.md‎
Lines changed: 1 addition & 1 deletion b/‎articles/sentinel/billing-monitor-costs.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/sentinel/billing-reduce-costs.md‎
Lines changed: 3 additions & 2 deletions b/‎articles/sentinel/billing-reduce-costs.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎articles/sentinel/billing.md‎
Lines changed: 13 additions & 34 deletions b/‎articles/sentinel/billing.md‎
Lines changed: 13 additions & 34 deletions
@@ -598,11 +598,37 @@
     - name: Microsoft Sentinel data lake overview
       href: datalake/sentinel-lake-overview.md
       displayName: data lake
-    - name: Microsoft Sentinel graph overview
-      href: datalake/sentinel-graph-overview.md
-    - name: Compare KQL jobs, summary rules, and search jobs
-      href: datalake/kql-jobs-summary-rules-search-jobs.md
-      displayName: data lake
+    - name: Data federation in the Microsoft Sentinel data lake
+      items:
+        - name: Overview
+          href: datalake/data-federation-overview.md
+          displayName: data lake
+        - name: Set up federated tables
+          href: datalake/data-federation-setup.md
+          displayName: data lake
+        - name: Using federated tables
+          href: datalake/using-data-federation.md
+          displayName: data lake  
+    - name: Microsoft Sentinel graph
+      items:
+        - name: Microsoft Sentinel graph overview
+          href: datalake/sentinel-graph-overview.md
+        - name: Graph visualization
+          href: datalake/graph-visualization.md 
+        - name: Microsoft Sentinel custom graphs
+          items:
+            - name: Custom graphs overview
+              href: datalake/custom-graphs-overview.md
+            - name: Create custom graphs
+              href: datalake/create-custom-graphs.md
+            - name: Microsoft Sentinel graph provider reference
+              href: datalake/sentinel-graph-provider-reference.md
+            - name: Create custom graph using AI 
+              href: datalake/create-graphs-with-ai.md 
+            - name: GQL reference for Sentinel custom graph
+              href: datalake/gql-reference-for-sentinel-custom-graph.md
+            - name: Graph REST API
+              href: datalake/graph-rest-api.md
     - name: Microsoft Sentinel MCP server
       items:
         - name: Microsoft Sentinel MCP server overview
@@ -661,9 +687,15 @@
         - name: Manage KQL jobs
           href: datalake/kql-manage-jobs.md
           displayName: data lake
+        - name: Compare KQL jobs, summary rules, and search jobs
+          href: datalake/kql-jobs-summary-rules-search-jobs.md
+          displayName: data lake
         - name: Troubleshoot KQL for the lake
           href: datalake/kql-troubleshoot.md
           displayName: data lake
+        - name: Workbooks for Microsoft Sentinel data lake
+          href: datalake/workbooks-for-data-lake.md
+          displayName: data lake
     - name: Notebooks for data lake exploration
       items:
         - name: Overview
@@ -682,7 +714,6 @@
           href: datalake/notebook-examples.md
     - name: Microsoft Sentinel data lake service limits
       href: datalake/sentinel-lake-service-limits.md
-
 - name: Collect and manage data
   items:
     - name: Overview
@@ -820,6 +851,8 @@
         - name: Manage tables, tiers, and retention
           href: manage-table-tiers-retention.md
           displayName: table management, tiers, retention, tables
+        - name: Data transformation using filter and split
+          href: transformation-filter-split.md
 
 - name: SOC optimizations
   items:
@@ -964,6 +997,8 @@
               href: ../role-based-access-control/built-in-roles.md
             - name: Microsoft Sentinel roles
               href: ../role-based-access-control/built-in-roles.md#security
+            - name: Configure Microsoft Sentinel scoping (row-level RBAC)
+              href: scoping.md
     - name: Advanced Security Information Model (ASIM)
       items:
         - name: ASIM content
 
@@ -60,7 +60,7 @@ You could also apply further controls. For example, to view only the costs assoc
 
 Microsoft Sentinel analytics tier data ingestion volumes appear under **Security Insights** in some portal Usage Charts.
 
-The Microsoft Sentinel classic pricing tiers don't include Log Analytics charges, so you might see those charges billed separately. Microsoft Sentinel simplified pricing combines the two costs into one set of tiers. To learn more about Microsoft Sentinel's simplified pricing tiers, see [Simplified pricing tiers](billing.md#simplified-pricing-tiers).
+The Microsoft Sentinel classic pricing tiers don't include Log Analytics charges, so you might see those charges billed separately. Microsoft Sentinel simplified pricing combines the two costs into one set of tiers. To learn more about Microsoft Sentinel's pricing tiers, see [Understand the full billing model for Microsoft Sentinel](billing.md#understand-the-full-billing-model-for-microsoft-sentinel).
 
 For more information on reducing costs, see [Create budgets](#create-budgets) and [Reduce costs in Microsoft Sentinel](billing-monitor-costs.md).
 
 
@@ -4,7 +4,7 @@ description: Learn how to reduce costs for Microsoft Sentinel by using different
 author: EdB-MSFT
 ms.author: edbaynash
 ms.custom: subject-cost-optimization
-ms.topic: how-to
+ms.topic: conceptual
 ms.date: 06/14/2025
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
@@ -23,6 +23,7 @@ Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azu
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
 ## Set or change pricing tier
+
 To optimize for highest savings, monitor your ingestion volume to ensure you have the commitment tier that aligns most closely with your ingestion volume patterns. Consider increasing or decreasing your commitment tier to align with changing data volumes.
 
 You can increase your commitment tier anytime, which restarts the 31-day commitment period. However, to move back to pay-as-you-go or to a lower commitment tier, you must wait until after the 31-day commitment period finishes. Billing for commitment tiers is on a daily basis.
@@ -35,7 +36,7 @@ To change your pricing tier commitment, select one of the other tiers on the pri
 
 To learn more about how to monitor your costs, see [Manage and monitor costs for Microsoft Sentinel](billing-monitor-costs.md).
 
-For workspaces still using classic pricing tiers, the Microsoft Sentinel pricing tiers don't include Log Analytics charges. For more information, see [Simplified pricing tiers](billing.md#simplified-pricing-tiers).
+For workspaces still using classic pricing tiers, the Microsoft Sentinel pricing tiers don't include Log Analytics charges. For more information, see [Understand the full billing model for Microsoft Sentinel](billing.md#understand-the-full-billing-model-for-microsoft-sentinel).
 
 ## Buy a pre-purchase plan
 
 
@@ -5,7 +5,7 @@ description: Learn how to plan your Microsoft Sentinel costs, and understand pri
 author: EdB-MSFT
 ms.author: edbaynash
 ms.topic: concept-article
-ms.date: 09/11/2025
+ms.date: 03/11/2026
 ms.collection: usx-security
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
@@ -16,13 +16,10 @@ ms.custom:
 
 
 #Customer intent: As a SOC manager, I want to understand Microsoft Sentinel's pricing and billing models so that I can optimize costs and accurately forecast expenses.
-
 ---
 
 # Plan costs and understand Microsoft Sentinel pricing and billing
 
-As you plan your Microsoft Sentinel deployment, you typically want to understand its pricing and billing models to optimize your costs. Microsoft Sentinel's security analytics data is stored in an Azure Monitor Log Analytics workspace. Billing is based on the volume of data *analyzed* in Microsoft Sentinel and *stored* in the Log Analytics workspace. The cost of both is combined in a simplified pricing tier. Learn more about the [simplified pricing tiers](#simplified-pricing-tiers) or learn more about [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/) in general.
-
 To help estimate your Microsoft Sentinel expected costs, [contact a Security sales specialist](https://info.microsoft.com/ww-landing-microsoft-defender-contact-me.html) for more information on pricing or to request a quote.
 
 Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan costs and understand the billing for Microsoft Sentinel, you're billed for all Azure services and resources your Azure subscription uses, including Partner services.
@@ -61,52 +58,37 @@ There are two ways to pay for the analytics tier: **pay-as-you-go** and **commit
 
     Increase your Commitment tier anytime to optimize costs as your data volume increases. Lowering the Commitment tier is only allowed every 31 days. To see your current Microsoft Sentinel pricing tier, select **Settings** in Microsoft Sentinel, and then select the **Pricing** tab. Your current pricing tier is marked as **Current tier**.
 
-    To set and change your Commitment tier, see [Set or change pricing tier](billing-reduce-costs.md#set-or-change-pricing-tier). Switch any workspaces older than July 2023 to the simplified pricing tiers experience to unify billing meters. Or, continue to use the classic pricing tiers that separate out the Log Analytics pricing from the classic Microsoft Sentinel classic pricing. For more information, see [simplified pricing tiers](#simplified-pricing-tiers).
+    To set and change your Commitment tier, see [Set or change pricing tier](billing-reduce-costs.md#set-or-change-pricing-tier). Switch any workspaces older than July 2023 to the simplified pricing tiers experience to unify billing meters. Or, continue to use the classic pricing tiers that separate out the Log Analytics pricing from the classic Microsoft Sentinel classic pricing.
 
 <a name=auxiliary-logs-and-basic-logs></a>
 
 #### Data lake tier
 
 To learn more about the Microsoft Sentinel data lake, see [Microsoft Sentinel data lake](datalake/sentinel-lake-overview.md).
 
-The data lake tier incurs charges based on usage of various data lake capabilities. 
+The data lake tier incurs charges based on usage of various data lake capabilities.
+
 - **Data lake ingestion** is charged per GB for all data ingested into tables with retention set to data lake tier only. Data lake ingestion charges don't apply when data is ingested into tables with retention set to include both analytic and data lake tiers.
 - **Data processing** is charged per GB for data ingested into tables with retention set to data lake tier only. It supports transformations like redaction, splitting, filtering, and normalization. Data processing charges don't apply when data is ingested into tables with retention set to include both analytic and data lake tiers.
 - **Data lake storage** charges are applied per GB per month for any data that remains in the data lake tier after the analytic tier retention period ends. Charges are based on a simple and uniform data compression rate of 6:1. For example, if you retain 600 GB of raw data, it's billed as 100 GB of compressed data.
-- **Data lake query** charges apply per GB of uncompressed data analyzed using Kusto Query Language (KQL) queries or KQL jobs.
-- **Advanced data insights** charges apply per compute hour used when using data lake exploration notebook sessions or running data lake exploration notebook jobs. Compute hours are calculated by multiplying the number of cores in the pool selected for the notebook with the amount of time a session was active or a job was running. Data lake notebook sessions and jobs are available in pools of four, eight, and 16 cores.
+- **Data lake query** charges apply per compute hour used when using within notebook sessions, running notebook jobs, or building nodes and edges for custom graphs. Compute hours are calculated by multiplying the number of cores in the pool selected for the notebook with the amount of time a session was active or a job was running. Data lake notebook sessions and jobs are available in pools of four12, 32, and 80 vCores.
 
 Once onboarded, usage from Microsoft Sentinel workspaces begins to be billed through the previously described meters rather than existing long-term retention (formerly known as Archive), search, or auxiliary logs ingestion meters.
 
-> [!IMPORTANT]
-> Existing Microsoft Sentinel customers currently using and billed for auxiliary logs ingestion, long-term retention, and search will see charges transition to the new data lake ingestion, data lake storage, and data lake query meters respectively, once they onboard to Microsoft Sentinel data lake. Pricing from previous meters doesn't carry over. For more information on pricing, see [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
-
-For customers that haven't onboarded to Microsoft Sentinel data lake and are currently using auxiliary or basic logs, see [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-archive) and [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/) for relevant information.
-
-### Simplified pricing tiers
-
-Simplified pricing tiers combine the data analysis costs for Microsoft Sentinel and ingestion storage costs of Log Analytics into a single pricing tier. The following screenshot shows the simplified pricing tier that all new workspaces use.
-
-:::image type="content" source="media/billing/simplified-pricing-tier.png" alt-text="Screenshot shows simplified pricing tier." lightbox="media/billing/simplified-pricing-tier.png":::
-
-Switch any workspace configured with classic pricing tiers to the simplified pricing tiers. For more information on how to **Switch to new pricing**, see [Enroll in a simplified pricing tier](enroll-simplified-pricing-tier.md).
-
-Combining the pricing tiers offers a simplification to the overall billing and cost management experience. This includes visualization in the pricing page, and fewer steps estimating costs in the Azure calculator. To add further value to the new simplified tiers, the current Microsoft Defender for Servers P2 benefit granting 500 MB of security data ingestion into Log Analytics is extended to the simplified pricing tiers. This change greatly increases the financial benefit of bringing eligible data ingested into Microsoft Sentinel for each virtual machine (VM) protected in this manner. For more information, see [FAQ - Microsoft Defender for Servers P2 benefit granting 500 MB](/azure/defender-for-cloud/faq-defender-for-servers#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-).
-
 ### Understand your Microsoft Sentinel bill
 
 Billable meters are the individual components of your service that appear on your bill and are shown in Microsoft Cost Management. At the end of your billing cycle, the charges for each meter are summed. Your bill or invoice shows a section for all Microsoft Sentinel costs. There's a separate line item for each meter.
 
 To see your Azure bill, select **Cost Analysis** in the left navigation of **Cost Management**. On the **Cost analysis** screen, find and select the **Invoice details** from **All views**. To understand the access level required to view billing information, see [Manage access to billing information for Azure](/azure/cost-management-billing/manage/manage-billing-access).
 
-The costs shown in the following image are for example purposes only. They're not intended to reflect actual costs. Starting July 1, 2023, legacy pricing tiers are prefixed with **Classic**. 
+The costs shown in the following image are for example purposes only. They're not intended to reflect actual costs. Starting July 1, 2023, legacy pricing tiers are prefixed with **Classic**.
 
 :::image type="content" source="media/billing/sample-bill-classic.png" alt-text="Screenshot showing the Microsoft Sentinel section of a sample Azure bill, to help you estimate costs." lightbox="media/billing/sample-bill-classic.png":::
 
-Microsoft Sentinel and Log Analytics charges might appear on your Azure bill as separate line items based on your selected pricing plan. Simplified pricing tiers are represented as a single `sentinel` line item for the pricing tier. Ingestion and analysis are billed on a daily basis. If your workspace exceeds its Commitment tier usage allocation in any given day, the Azure bill shows one line item for the Commitment tier with its associated fixed cost, and a separate line item for the cost beyond the Commitment tier, billed at the same effective Commitment tier rate. 
+Microsoft Sentinel and Log Analytics charges might appear on your Azure bill as separate line items based on your selected pricing plan. Simplified pricing tiers are represented as a single `sentinel` line item for the pricing tier. Ingestion and analysis are billed on a daily basis. If your workspace exceeds its Commitment tier usage allocation in any given day, the Azure bill shows one line item for the Commitment tier with its associated fixed cost, and a separate line item for the cost beyond the Commitment tier, billed at the same effective Commitment tier rate.
 
 # [Simplified](#tab/simplified)
-The following tabs show how Microsoft Sentinel costs appear in the **Service name** and **Meter** columns of your Azure bill depending on your simplified pricing tier. 
+The following tabs show how Microsoft Sentinel costs appear in the **Service name** and **Meter** columns of your Azure bill depending on your simplified pricing tier.
 
 # [Classic](#tab/classic)
 The following tabs show how Microsoft Sentinel and Log Analytics costs appear in the **Service name** and **Meter** columns of your Azure bill depending on your classic pricing tier. 
@@ -198,11 +180,11 @@ Any other services you use might have associated costs.
 
 ## Interactive and total data retention costs
 
-After you enable Microsoft Sentinel on a Log Analytics workspace, consider these configuration options: 
+After you enable Microsoft Sentinel on a Log Analytics workspace, consider these configuration options:
 
 - Retain all data ingested into the workspace at no charge for the first 90 days. Retention beyond 90 days is charged per the standard [Log Analytics retention prices](https://azure.microsoft.com/pricing/details/monitor/).
-- Specify different retention settings for individual data types. Learn about [retention by data type](/azure/azure-monitor/logs/data-retention-configure#configure-table-level-retention). 
-- Extend retention of data with total retention so you have access to historical logs. The Microsoft Sentinel data lake is a low-cost retention state for the preservation of data for such things as regulatory compliance. It's charged based on the volume of data stored and scanned. Use **Data management > Tables** to adjust the Analytics and Total retention period and learn more in [What is Microsoft Sentinel data lake?](datalake/sentinel-lake-overview.md) 
+- Specify different retention settings for individual data types. Learn about [retention by data type](/azure/azure-monitor/logs/data-retention-configure#configure-table-level-retention).
+- Extend retention of data with total retention so you have access to historical logs. The Microsoft Sentinel data lake is a low-cost retention state for the preservation of data for such things as regulatory compliance. It's charged based on the volume of data stored and scanned. Use **Data management > Tables** to adjust the Analytics and Total retention period and learn more in [What is Microsoft Sentinel data lake?](datalake/sentinel-lake-overview.md)
 - Switch tables that contain secondary security data to **Lake tier**. This enables you to store high-volume, low-value logs at a low price, with querying capabilities built in. Use **Data management > Tables** to switch tables from **Analytics** to **Lake** tier.
 
 ## Other CEF ingestion costs
@@ -220,7 +202,7 @@ Removing Microsoft Sentinel doesn't remove the Log Analytics workspace Microsoft
 The following data sources are free with Microsoft Sentinel:
 
 - Azure Activity Logs
-- Microsoft Sentinel Health 
+- Microsoft Sentinel Health
 - Office 365 Audit Logs, including all SharePoint activity, Exchange admin activity, and Teams
 - Security alerts, including alerts from the following sources:
   - Microsoft Defender XDR
@@ -275,7 +257,4 @@ Learn more about how to [connect data sources](connect-data-sources.md), includi
 
 ## Next steps
 
-In this article, you learned how to plan costs and understand the billing for Microsoft Sentinel.
-
-> [!div class="nextstepaction"]
-> >[Deploy Microsoft Sentinel](deploy-overview.md)
+[Deploy Microsoft Sentinel](deploy-overview.md)