Clive Watson 5,876Reputation points • MVP
- Free in what sense? Meaning I’ll be charged for the Log Analytics costs, but no Sentinel related costs will apply ? Is there a document from Microsoft that’s addressing this in detail?
A1. Data that is free is marked in Log Analytics (IsBillable=false), if its "false" then its the same for Log Analytics and Sentinel. If you decide to retain it after the first 3months, then you have to pay for extra retention or archive.
"2." What about the raw logs for the mentioned services such as Microsoft 365 Defender, Defender for Cloud Apps? I’m confused, since looking at the Data Connectors for each it shows tables related to alerts
A2. RAW data is billable, the important part is the word Alerts "...Security alerts, including alerts from Microsoft Defender for Cloud, Microsoft 365 Defender...". Alerts go into the SecurityAlert/SecurtityIncident tables.
e.g. If you enable the RAW data for DeviceEvents within Defender for Cloud, the Alerts are free, but the Table DeviceEvents would be billable.
Please "Accept the answer" if it was helpful
See AlsoWhat Is Azure Sentinel (Microsoft Sentinel)? What Pricing Models Does It Have? What Is Azure Sentinel? Everything You Need to KnowMove Your Microsoft Sentinel Logs to Long-Term Storage with EaseMicrosoft Sentinel - Cloud-native SIEM Solution | Microsoft AzureAdamBudziski-8216 16Reputation points
2022-09-13T17:20:27.07+00:00 Thank you for looking into this, but I must say I’m still confused.
From what I understand, there are 3 charges that make up the actual cost of Sentinel:
- Sentinel data ingress billing
- Log Analytics data ingress billing
- Log Analytics data retention billing beyond 90 days
Looking at https://learn.microsoft.com/en-us/azure/azure-monitor/logs/analyze-usage#log-queries
So, what you are saying, is that with free data sources such as Azure Activity, I’m not paying for any of the 3 costs, unless I want to keep the data for longer than 90 days, and if I do I’m basically charged for the 3rd cost, that is retention as configured on the Log Analytics workspace, correct?For the RAW data part, https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/deviceevents seams
Seams that DeviceEvents are part of Defender for Endpoints not Defender for Cloud (unless its kinda the same?). Looking at the data connector, I can still only see the alert table, please see below:
Could you, please elaborate on the points above?
I appreciate your help !
Clive Watson 5,876Reputation points • MVP
See AlsoMicrosoft Sentinel documentation2022-09-13T17:29:02.023+00:00 - This is correct "So, what you are saying, is that with free data sources such as Azure Activity, I’m not paying for any of the 3 costs, unless I want to keep the data for longer than 90 days, and if I do I’m basically charged for the 3rd cost, that is retention as configured on the Log Analytics workspace, correct?"
Also remember the free Trial period: https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-trial
"2". That was mistype I meant the M365 Defender (preview) connector, which has many Defender products and allows you to select specific Raw data tables
if you scroll down, you'll see the other Tables
AdamBudziski-8216 16Reputation points
2022-09-13T18:53:28.227+00:00 Thank you Clive! Please allow me a closing question. The Microsoft 365 Defender data connector would basically allow me to ingest raw data from different Defender products, such as Defender for Endpoint – that I would do if I be in the need of writing my own KQL queries to hunt through the data, correct ?
However, if I’d like to ingest alerts generated by say Defender for Endpoint, I’d still do this through the Microsoft Defender for Endpoint data connector, correct?
Clive Watson 5,876Reputation points • MVP
2022-09-13T19:10:56.717+00:00 Hi,
That is correct, using KQL on that data is one use, you can also correlate that data with other data in Sentinel (i.e. use AAD with the Devicennnn Tables in your KQL). You may also sync the raw data to Sentinel if you needed to retain it longer (maybe for a compliance reason, or for KQL over a greater time span that Defender allows)
When you enable the Microsoft 365 Defender (preview) it enables the relevant connector anyway. The (Preview) one has (at least) two advantages,
- it allows for Alerts and Raw data (if/when you require it)
- it also allows Alerts to bi-directionally sync between the Defender product and Sentinel e.g. You close a Alert in Defender for Endpoint and it will sync and close in Sentinel and vice versa. If you use the stand-alone connector you would have to close the Alert in both portals (which you could automate but its an extra step to consider).
EnterpriseArchitect 4,916Reputation points
2024-02-16T10:30:52.51+00:00 Hi @Clive Watson - MSFT ,
Can you confirm if the ingestion of the data from these logs will not incur an additional cost?|Microsoft Sentinel data connector|Free data type|| -------- | -------- ||Azure Activity Logs|AzureActivity||Azure Activity Logs|AzureActivity||Microsoft Entra ID Protection|SecurityAlert (IPC)||Office 365|OfficeActivity (SharePoint)|||OfficeActivity (Exchange)|||OfficeActivity (Teams)||Microsoft Defender for Cloud|SecurityAlert (Defender for Cloud)||Microsoft Defender for IoT|SecurityAlert (Defender for IoT)||Microsoft Defender XDR|SecurityIncident|||SecurityAlert||Microsoft Defender for Endpoint|SecurityAlert (MDATP)||Microsoft Defender for Identity|SecurityAlert (AATP)||Microsoft Defender for Cloud Apps|SecurityAlert (Defender for Cloud Apps)|
Sign in to comment
