Sentinel analytics rules costs

Question

Hi,

The details regarding pricing for rules execution are not clear enough from the documentation,

According to the main pricing document (details), costs are applied for data analyzed in Sentinel in addition to storage in a log analytics workspace.

There is no direct relation between analytics rules and price calculation which is missing.

Doesn't scheduled rules execution mean data ingestion?

There is a feature called Search Jobs which sounds similar to the active rules schedules, so should I assume that scheduled rule execution causes an amount of data to be scanned, hence possible cost?

There are also the free data sources (details) which are free from data ingestion charges, does that mean that scheduled rules execution on these tables will not incur any charge? What does the "data ingestion" action mean?

Answer 1

There is no additional cost for analytic rules (alert rules) or automation rules. Sentinel price is a combination of ingestion (log analytics and Sentinel billed separately) and extended data retention/archival.

Unlike some monitoring tools like SCOM, data ingestion is defined separately using data connectors in Sentinel (not by the alert rules). So you ingest the data first using a connector and the analytic rule queries the collected data.

There are several data connectors or sources that are free to ingest. Mainly Office activity, Azure activity, and alerts from other security solutions. These sources are free to ingest and alert (though extended archival beyond 90 days does incur archival pricing).