Forum Discussion
Sentinel log ingestion
Hello, thank you for the confirmation. Will there be an extra cost if Sentinel reads the logs?
Microsoft Sentinel has a similar billing model to Log Analytics; please look up "Sentinel" in the Pricing Calculator | Microsoft Azure.
The total monthly price is for the ingestion + Sentinel analysing those same logs.
"Microsoft Sentinel is billed for the volume of data stored in an Azure Monitor Log Analytics workspace and analyzed in Microsoft Sentinel."
- burasathi, Jun 01, 2023, Copper Contributor
Thank you Clive_Watson,
That means if we need to pull logs from one Sentinel workspace to another Sentinel workspace, then we will be paying the charge for analysis by Sentinel two times: once in the Sentinel where the log is and once in the Sentinel where we pulled that log.
- cyb3rmik3, Jun 02, 2023, Microsoft
burasathi, hi,
Thank you for your earlier reply on the log source. Clive_Watson is correct about the Sentinel + Log Analytics Workspace, but based on your last message I think you are confused.
Microsoft Sentinel is the environment where logs are analyzed and all relevant blades can be used to bring value for security; this is where you build detections and playbooks, perform threat hunting, investigate alerts and incidents, etc.
Log Analytics Workspace is the environment that ingests logs; this is where the data from your sources is stored in tables, and you can go through it in the Logs blade using KQL.
In order to use Sentinel, you have to associate a Log Analytics Workspace. If you begin the creation of a new Sentinel, this is the first step; it is fundamental. Sentinel is not a logs repository, it is a logs analyzing environment. Having said that, if you choose to use Sentinel as Clive_Watson demonstrated, you will be charged for:
- The data ingested in Log Analytics Workspace
- The data analyzed by Sentinel
In your case, you could associate a Sentinel with your current Log Analytics Workspace, and given that Sentinel has a built-in connector along with all the security goodies (detections etc.), I would disconnect Azure AD from the Log Analytics Workspace and use Sentinel's connector.
PS1: Once you create a Sentinel instance and associate a Log Analytics Workspace, you don't need to pull any logs from anywhere; everything is in one place.
PS2: Again, once you create a Sentinel instance and associate a Log Analytics Workspace, you will be charged for the log ingestion in the Log Analytics Workspace and the logs analyzed in Sentinel.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
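As an added example (not posted by anyone in this thread), the following KQL query can be run in the Logs blade of the workspace that Sentinel is attached to, to see how much billable data each table ingested and therefore what the two charges described above are based on. The Usage table and its DataType, Quantity (MB) and IsBillable columns are standard Log Analytics; the 30-day window is an assumed choice.

```kql
// Added example: billable ingested volume per table in the workspace Sentinel is attached to.
// Usage is the built-in Log Analytics table that records ingestion; Quantity is in MB.
Usage
| where TimeGenerated > ago(30d)            // assumed window; align it with your billing period
| where IsBillable == true                  // free tables (e.g. Usage itself) are excluded
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc
```

The DataType column names the destination table (for example SigninLogs once the Azure AD connector writes into the workspace), so the per-table rows show which sources drive the ingestion charge, and the sum of IngestedGB is the volume Sentinel bills for analyzing in the same workspace.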
- burasathi, Jun 05, 2023, Copper Contributor
Thank you cyb3rmik3 and Clive_Watson for the explanation. That was really helpful.