agent · 01security copilot
A Microsoft Security Copilot agent that itemises your Microsoft Sentinel ingestion — what you ingest, what it costs after your E5/A5 grant, and which pricing tier is cheapest. It reports strictly from your own usage data, and leaves every change to you.
01what it does
Microsoft Sentinel ingestion is powerful and, left unchecked, expensive. The agent itemises exactly what you ingest, what it costs after your E5/A5 grant, and where the spend concentrates — strictly from the usage telemetry already in your workspace. It describes what's there; it does not guess causes or prescribe changes.
Breaks Sentinel spend down by data type and table — top cost drivers, billable volume, and per-column size — with dedicated deep-dives into the usual heavy hitters like Syslog and sign-in logs.
Takes your E5/A5 licence count, works out the Sentinel free-data grant it earns, and shows billable cost after the grant — plus whether more grant-eligible licensing would actually pay for itself.
Models your actual billable volume against pay-as-you-go and the commitment tiers, and names the cheapest option for your workspace. The one recommendation it makes — and it's pure arithmetic.
Flags tables whose ingestion surged against the prior window, and surfaces connectors that have failed to fetch data — so a cost spike or a silent gap doesn't wait for the invoice.
Reads each top table's retention plan and analyst query usage, and flags verbose, large-column, low-query tables as data-lake-suitability indicators — surfaced as facts to weigh, not instructions to follow.
Quantifies Defender XDR data sitting in Sentinel (your USOP readiness), then rolls the findings into a workspace efficiency score and a per-table tuning-need indicator — all descriptive.
02inputs · tasks · outputs
The same inputs, tasks, and outputs declared on the Microsoft Security Store listing — so what you read here matches what you deploy. It is a goal-oriented agent that orchestrates a fixed set of analytical skills in order, with human oversight, not a single canned prompt.
03install & use
Get the agent from the Microsoft Security Store, the Security Copilot portal, Microsoft Defender, or the Microsoft Entra admin center. The flow below starts from the Security Store and ends with a cost & usage report.
A Microsoft Entra tenant and Azure subscription, Security Copilot provisioned with SCU capacity, and at least one Microsoft Sentinel workspace on Log Analytics for the agent to analyse.
In the Security Store, open the agent and select get agent. Choose the Azure billing subscription, resource group, and Sentinel workspace, review the terms and privacy policy, then place the order to deploy.
A Global Administrator approves the agent's requested least-privilege read access once, via the start-approval flow, before setup continues.
In Security Copilot → Agents, select set up. Create a scoped Microsoft Entra Agent ID (or connect a user account) and grant it read access to the Sentinel workspace and Log Analytics.
Give the agent its inputs: subscription id, resource group, workspace name, tenant id, and your E5/A5 licence count for grant modelling. Save — it appears under agents → active.
In securitycopilot.microsoft.com → agents, open the cost & usage analyst and select run. It runs on demand — working through its queries and reporting back: summary, per-table cost, cheapest tier, spikes, efficiency score. Roughly 0.5–1.0 SCU per run in our testing.
Published by glacierr as a Security Copilot agent, integrated with Microsoft Sentinel. Once live, get it, deploy it to your tenant, and it's yours to run.
04prerequisites & permissions
The agent only needs to read. Read-only access is enough to itemise cost; the rights to change a tier, a table plan, or retention stay with the human who acts on the findings — never the agent.
05pricing & licensing
You acquire the agent through the Microsoft Security Store. The compute it uses to run is billed by Microsoft as Security Compute Units, independently of any licence fee — so cost is transparent and metered to actual runs.
The agent is listed and acquired through the Microsoft Security Store, governed by glacierr's terms of use and privacy policy shown at checkout. Tuned to your tenant on deployment, transferred to you — no recurring licence to glacierr.
Each run is powered by Security Compute Units, billed by Microsoft to your capacity — distinct from the Sentinel cost the agent analyses. A report consumes a fraction of an SCU; the certified estimate is published on the Security Store listing. Cap overage or right-size provisioned capacity from the usage dashboard.
06data, privacy & responsible ai
The agent introduces no new data store. It reads usage telemetry already in your tenant, as the identity you configure, and never sees more than that identity is permitted to.
See glacierr's privacy notice and terms of use. Cost figures are estimates for decision-support, derived from list price and your usage data — they don't reflect commitment discounts, reservations, or private pricing.
Get the cost & usage analyst from the Microsoft Security Store, or talk to us first about tuning it to your tenant and the wider posture work around it.