1. Free in what sense? Meaning I’ll be charged for the Log Analytics costs, but no Sentinel-related costs will apply? Is there a document from Microsoft that’s addressing this in detail?
A1. Data that is free is marked in Log Analytics (IsBillable=false); if it's "false" then it's the same for Log Analytics and Sentinel. If you decide to retain it after the first 3 months, then you have to pay for extra retention or archive.
2. What about the raw logs for the mentioned services such as Microsoft 365 Defender, Defender for Cloud Apps? I’m confused, since looking at the Data Connectors for each it shows tables related to alerts.
A2. RAW data is billable; the important part is the word Alerts: "...Security alerts, including alerts from Microsoft Defender for Cloud, Microsoft 365 Defender...". Alerts go into the SecurityAlert/SecurityIncident tables.
E.g., if you enable the RAW data for DeviceEvents within Defender for Cloud, the Alerts are free, but the table DeviceEvents would be billable.
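
To check the billable flag described in the answer against your own workspace, the following KQL is an added example (not part of the original question or answer). It assumes the standard Log Analytics `Usage` table and the per-record `_IsBillable` / `_BilledSize` columns; the 30-day and 7-day windows are arbitrary choices.

```kusto
// Added example. Query 1: ingestion per table over the last 30 days,
// split into billable and free volume. Usage.Quantity is reported in MB.
Usage
| where TimeGenerated > ago(30d)
| summarize
    BillableGB = sumif(Quantity, IsBillable == true) / 1000.0,
    FreeGB     = sumif(Quantity, IsBillable == false) / 1000.0
    by DataType, Solution
| sort by BillableGB desc

// Query 2 (run separately): confirm at record level how an alert table
// and a raw-data table are flagged. Each leg is tagged with its table
// name; isfuzzy=true lets the union succeed if one table does not exist.
union isfuzzy=true
    (SecurityAlert | extend TableName = "SecurityAlert"),
    (DeviceEvents  | extend TableName = "DeviceEvents")
| where TimeGenerated > ago(7d)
| summarize
    Records  = count(),
    BilledMB = sum(_BilledSize) / 1000.0 / 1000.0
    by TableName, _IsBillable
```

Run each query on its own in the workspace's Logs blade; tables that appear only in the `FreeGB` column are the ones the answer refers to as free.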