Microsoft Sentinel Cost workbook

AdamBudzinskiAZA-0329 96 Reputation points
2024-01-10T13:57:06.87+00:00

Hi,

 

Started with the Sentinel 31-day trial 2,3 days ago. Had a quick look at the Microsoft Sentinel Cost workbook, as it looked promising. As noted in the description, “it provides insight about possible impact of the Microsoft 365 E5 offer”.

User's image

According to https://azure.microsoft.com/en-us/pricing/offers/sentinel-microsoft-365-offer/ the E5 entitles you to a 5 MB per user per day grant including Microsoft 365/XDR (or whatever it may be called now, tomorrow lol) advanced hunting data:

User's image

Now here’s the problem. Providing the value of the E5 license has absolutely no impact on the output … xd

User's image

User's image

And, yes, I’m ingesting the advanced hunting tables as shown below:

User's image

Anyone? Additionally, are you guys aware of any other method to calculate or include the grant into the overall calculation?

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

1 answer

  1. David Broggy 6,101 Reputation points MVP
    2024-01-10T14:14:11.62+00:00

    Hi Adam,

    I'm not aware of a way for the workbook to calculate any per-user discounts.

    The same point would apply to the credit for Windows events stored for each of your Defender for Servers assets.

    https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-500mb-log-analytics-allowance-clarification/m-p/3390369

    I would just look at Cost Management to verify you're getting the credit.

    Personally I don't recommend enabling the non-alert based logging for Defender for Endpoint unless my clients have corporate backing/compliance needs and are willing to pay for it.

    From a security perspective I use the Defender portal for deeper threat hunts - I appreciate that if an investigation goes beyond 30 days you might need those logs.

    There is a cost threshold where I recommend ADX if a customer needs those logs and the monthly cost justifies the long-term ingestion.

    Hope that helps.

