Home

Pricing for Security Events Ingestion

%3CLINGO-SUB%20id%3D%22lingo-sub-942018%22%20slang%3D%22en-US%22%3EPricing%20for%20Security%20Events%20Ingestion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-942018%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20wondering%20if%20someone%20can%20provide%20any%20idea%20how%20the%20logs%20from%20Security%20Center%20a%20billed%3F%20The%20connector%20is%20not%20enabled%20but%20we%20are%20seeing%20the%20Security%20Events%20schema%20being%20filled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERunning%20a%20query%20against%20_IsBillable%20%3D%3D%20True%20shows%20this%20data%20as%20billable.%20How%20does%20this%20data%20get%20billed%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20connector%20we%20see%20the%20informational%20notice%3A%3C%2FP%3E%3CP%3E%22%3CSPAN%3ESecurity%20Events%20tier%20configuration%20is%20shared%20with%20Azure%20Security%20Center%20and%20was%20already%20configured%20there%20for%20this%20workspace.%20Change%20the%20tier%20in%20Azure%20Security%20Center%20and%20it%20will%20apply%20for%20Azure%20Sentinel%20as%20well.%20Note%20that%20Security%20events%20will%20be%20collected%20once%20and%20used%20in%20both%20solutions.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIt%20says%20once%20and%20used%20for%20both%20-%20is%20it%20billed%20twice%20or%20just%20once%3F%20If%20it's%20billed%20once%20is%20billed%20against%20the%20Data%20Analytics%20pricing%20or%20the%20Sentinel%20pricing%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-942018%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECost%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECost%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPricing%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-948712%22%20slang%3D%22en-US%22%3ERe%3A%20Pricing%20for%20Security%20Events%20Ingestion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-948712%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F432347%22%20target%3D%22_blank%22%3E%40anthony_wagov%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EASC%20collect%20security%20events.%26nbsp%3B%20ASC%20gives%20you%20500MB%20per%20node%20of%20data%20ingestion.%26nbsp%3B%20if%20the%20data%20goes%20over%20that%20500MB%20you%20will%20pay%20for%20the%20extra.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAzure%20Sentinel%20can%20also%20collect%20security%20events.%26nbsp%3B%20since%20you%20have%20ASC%20and%20sentinel%20using%20the%20same%20workspace.%20we%20ingest%20the%20data%20once.%26nbsp%3B%20The%20above%20still%20applies.%26nbsp%3B%20any%20ingestion%20over%20the%20500MB%20is%20charged%20for%20Log%20A%20ingestion.%20Azure%20Sentinel%20also%20charges%20for%20data%20ingestion.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eexample.%26nbsp%3B%20lets%20say%20you%20have%201%20node%20and%20it%20sends%201000MB%20per%20day.%3C%2FP%3E%0A%3CP%3Eyou%20pay%20for%201%20ASC%20node.%3C%2FP%3E%0A%3CP%3Eyou%20pay%20for%20500%20MB%20of%20Log%20A%20(500MB%20is%20free)%3C%2FP%3E%0A%3CP%3Eyou%20pay%20foe%201000MB%20of%20Azure%20Sentinel.%3C%2FP%3E%3C%2FLINGO-BODY%3E
anthony_wagov
Regular Visitor

Hi All,

 

Just wondering if someone can provide any idea how the logs from Security Center a billed? The connector is not enabled but we are seeing the Security Events schema being filled.

 

Running a query against _IsBillable == True shows this data as billable. How does this data get billed? 

 

On the connector we see the informational notice:

"Security Events tier configuration is shared with Azure Security Center and was already configured there for this workspace. Change the tier in Azure Security Center and it will apply for Azure Sentinel as well. Note that Security events will be collected once and used in both solutions."

 

It says once and used for both - is it billed twice or just once? If it's billed once is billed against the Data Analytics pricing or the Sentinel pricing?

1 Reply

@anthony_wagov 

ASC collect security events.  ASC gives you 500MB per node of data ingestion.  if the data goes over that 500MB you will pay for the extra.

 

Azure Sentinel can also collect security events.  since you have ASC and sentinel using the same workspace. we ingest the data once.  The above still applies.  any ingestion over the 500MB is charged for Log A ingestion. Azure Sentinel also charges for data ingestion.

 

example.  lets say you have 1 node and it sends 1000MB per day.

you pay for 1 ASC node.

you pay for 500 MB of Log A (500MB is free)

you pay foe 1000MB of Azure Sentinel.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies