Sentniel free data sources

AdamBudziski-8216 16

Hi,

quoting from https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-data-sources

"The following data sources are free with Microsoft Sentinel:

Azure Activity Logs.
Office 365 Audit Logs, including all SharePoint activity, Exchange admin activity, and Teams.
Security alerts, including alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Endpoint.
Microsoft Defender for Cloud and Microsoft Defender for Cloud Apps alerts.
Although alerts are free, the raw logs for some Microsoft 365 Defender, Defender for Cloud Apps, Azure Active Directory (Azure AD), and Azure Information Protection (AIP) data types are paid."

I have few questions:

Free in what sense? Meaning I’ll be charged for the Log Analytics costs, but no Sentinel related costs will apply ? Is there a document from Microsoft that’s addressing this in detail?
What about the raw logs for the mentioned services such as Microsoft 365 Defender, Defender for Cloud Apps? I’m confused, since looking at the Data Connectors for each it shows tables related to alerts

Thanks!

1 answer

Clive Watson 5,951 Reputation points MVP

2022-09-13T15:34:08.813+00:00
Free in what sense? Meaning I’ll be charged for the Log Analytics costs, but no Sentinel related costs will apply ? Is there a document from Microsoft that’s addressing this in detail?

A1. Data that is free is marked in Log Analytics (IsBillable=false), if its "false" then its the same for Log Analytics and Sentinel. If you decide to retain it after the first 3months, then you have to pay for extra retention or archive.

"2." What about the raw logs for the mentioned services such as Microsoft 365 Defender, Defender for Cloud Apps? I’m confused, since looking at the Data Connectors for each it shows tables related to alerts
A2. RAW data is billable, the important part is the word Alerts "...Security alerts, including alerts from Microsoft Defender for Cloud, Microsoft 365 Defender...". Alerts go into the SecurityAlert/SecurtityIncident tables.

e.g. If you enable the RAW data for DeviceEvents within Defender for Cloud, the Alerts are free, but the Table DeviceEvents would be billable.

Please "Accept the answer" if it was helpful
Please sign in to rate this answer.

5 people found this answer helpful.
AdamBudziski-8216 16 Reputation points

2022-09-13T17:20:27.07+00:00

Thank you for looking into this, but I must say I’m still confused.

From what I understand, there are 3 charges that make up the actual cost of Sentinel:

Sentinel data ingress billing

Log Analytics data ingress billing

Log Analytics data retention billing beyond 90 days

Looking at https://learn.microsoft.com/en-us/azure/azure-monitor/logs/analyze-usage#log-queries

So, what you are saying, is that with free data sources such as Azure Activity, I’m not paying for any of the 3 costs, unless I want to keep the data for longer than 90 days, and if I do I’m basically charged for the 3rd cost, that is retention as configured on the Log Analytics workspace, correct?

For the RAW data part, https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/deviceevents seams

Seams that DeviceEvents are part of Defender for Endpoints not Defender for Cloud (unless its kinda the same?). Looking at the data connector, I can still only see the alert table, please see below:

Could you, please elaborate on the points above?

I appreciate your help !

Clive Watson 5,951 Reputation points MVP

2022-09-13T17:29:02.023+00:00

This is correct "So, what you are saying, is that with free data sources such as Azure Activity, I’m not paying for any of the 3 costs, unless I want to keep the data for longer than 90 days, and if I do I’m basically charged for the 3rd cost, that is retention as configured on the Log Analytics workspace, correct?"

Also remember the free Trial period: https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-trial

"2". That was mistype I meant the M365 Defender (preview) connector, which has many Defender products and allows you to select specific Raw data tables

if you scroll down, you'll see the other Tables

AdamBudziski-8216 16 Reputation points

2022-09-13T18:53:28.227+00:00

Thank you Clive! Please allow me a closing question. The Microsoft 365 Defender data connector would basically allow me to ingest raw data from different Defender products, such as Defender for Endpoint – that I would do if I be in the need of writing my own KQL queries to hunt through the data, correct ?

However, if I’d like to ingest alerts generated by say Defender for Endpoint, I’d still do this through the Microsoft Defender for Endpoint data connector, correct?

Clive Watson 5,951 Reputation points MVP

2022-09-13T19:10:56.717+00:00

Hi,

That is correct, using KQL on that data is one use, you can also correlate that data with other data in Sentinel (i.e. use AAD with the Devicennnn Tables in your KQL). You may also sync the raw data to Sentinel if you needed to retain it longer (maybe for a compliance reason, or for KQL over a greater time span that Defender allows)

When you enable the Microsoft 365 Defender (preview) it enables the relevant connector anyway. The (Preview) one has (at least) two advantages,

it allows for Alerts and Raw data (if/when you require it)

it also allows Alerts to bi-directionally sync between the Defender product and Sentinel e.g. You close a Alert in Defender for Endpoint and it will sync and close in Sentinel and vice versa. If you use the stand-alone connector you would have to close the Alert in both portals (which you could automate but its an extra step to consider).

EnterpriseArchitect 5,036 Reputation points

2024-02-16T10:30:52.51+00:00

Hi @Clive Watson - MSFT ,
Can you confirm if the ingestion of the data from these logs will not incur an additional cost? |Microsoft Sentinel data connector|Free data type| | -------- | -------- | |Azure Activity Logs|AzureActivity| |Azure Activity Logs|AzureActivity| |Microsoft Entra ID Protection|SecurityAlert (IPC)| |Office 365|OfficeActivity (SharePoint)| ||OfficeActivity (Exchange)| ||OfficeActivity (Teams)| |Microsoft Defender for Cloud|SecurityAlert (Defender for Cloud)| |Microsoft Defender for IoT|SecurityAlert (Defender for IoT)| |Microsoft Defender XDR|SecurityIncident| ||SecurityAlert| |Microsoft Defender for Endpoint|SecurityAlert (MDATP)| |Microsoft Defender for Identity|SecurityAlert (AATP)| |Microsoft Defender for Cloud Apps|SecurityAlert (Defender for Cloud Apps)|

Rafał Fitt 6 Reputation points

2024-07-08T15:23:36.51+00:00

@Clive Watson
"Office 365 Audit Logs, including all SharePoint activity, Exchange admin activity, and Teams"

all o365 audit logs (AIP, D365, Endpoint DLP, MS Forms, etc etc) will not incur an additional cost, yes or no?
Sign in to comment

Share via

Sentniel free data sources

1 answer