Home

Pricing for Security Events Ingestion

%3CLINGO-SUB%20id%3D%22lingo-sub-942018%22%20slang%3D%22en-US%22%3EPricing%20for%20Security%20Events%20Ingestion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-942018%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20wondering%20if%20someone%20can%20provide%20any%20idea%20how%20the%20logs%20from%20Security%20Center%20a%20billed%3F%20The%20connector%20is%20not%20enabled%20but%20we%20are%20seeing%20the%20Security%20Events%20schema%20being%20filled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERunning%20a%20query%20against%20_IsBillable%20%3D%3D%20True%20shows%20this%20data%20as%20billable.%20How%20does%20this%20data%20get%20billed%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20connector%20we%20see%20the%20informational%20notice%3A%3C%2FP%3E%3CP%3E%22%3CSPAN%3ESecurity%20Events%20tier%20configuration%20is%20shared%20with%20Azure%20Security%20Center%20and%20was%20already%20configured%20there%20for%20this%20workspace.%20Change%20the%20tier%20in%20Azure%20Security%20Center%20and%20it%20will%20apply%20for%20Azure%20Sentinel%20as%20well.%20Note%20that%20Security%20events%20will%20be%20collected%20once%20and%20used%20in%20both%20solutions.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIt%20says%20once%20and%20used%20for%20both%20-%20is%20it%20billed%20twice%20or%20just%20once%3F%20If%20it's%20billed%20once%20is%20billed%20against%20the%20Data%20Analytics%20pricing%20or%20the%20Sentinel%20pricing%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-942018%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECost%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECost%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPricing%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-948712%22%20slang%3D%22en-US%22%3ERe%3A%20Pricing%20for%20Security%20Events%20Ingestion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-948712%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F432347%22%20target%3D%22_blank%22%3E%40anthony_wagov%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EASC%20collect%20security%20events.%26nbsp%3B%20ASC%20gives%20you%20500MB%20per%20node%20of%20data%20ingestion.%26nbsp%3B%20if%20the%20data%20goes%20over%20that%20500MB%20you%20will%20pay%20for%20the%20extra.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAzure%20Sentinel%20can%20also%20collect%20security%20events.%26nbsp%3B%20since%20you%20have%20ASC%20and%20sentinel%20using%20the%20same%20workspace.%20we%20ingest%20the%20data%20once.%26nbsp%3B%20The%20above%20still%20applies.%26nbsp%3B%20any%20ingestion%20over%20the%20500MB%20is%20charged%20for%20Log%20A%20ingestion.%20Azure%20Sentinel%20also%20charges%20for%20data%20ingestion.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eexample.%26nbsp%3B%20lets%20say%20you%20have%201%20node%20and%20it%20sends%201000MB%20per%20day.%3C%2FP%3E%0A%3CP%3Eyou%20pay%20for%201%20ASC%20node.%3C%2FP%3E%0A%3CP%3Eyou%20pay%20for%20500%20MB%20of%20Log%20A%20(500MB%20is%20free)%3C%2FP%3E%0A%3CP%3Eyou%20pay%20foe%201000MB%20of%20Azure%20Sentinel.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
anthony_wagov
Regular Visitor

Hi All,

 

Just wondering if someone can provide any idea how the logs from Security Center a billed? The connector is not enabled but we are seeing the Security Events schema being filled.

 

Running a query against _IsBillable == True shows this data as billable. How does this data get billed? 

 

On the connector we see the informational notice:

"Security Events tier configuration is shared with Azure Security Center and was already configured there for this workspace. Change the tier in Azure Security Center and it will apply for Azure Sentinel as well. Note that Security events will be collected once and used in both solutions."

 

It says once and used for both - is it billed twice or just once? If it's billed once is billed against the Data Analytics pricing or the Sentinel pricing?

1 Reply
Highlighted

@anthony_wagov 

ASC collect security events.  ASC gives you 500MB per node of data ingestion.  if the data goes over that 500MB you will pay for the extra.

 

Azure Sentinel can also collect security events.  since you have ASC and sentinel using the same workspace. we ingest the data once.  The above still applies.  any ingestion over the 500MB is charged for Log A ingestion. Azure Sentinel also charges for data ingestion.

 

example.  lets say you have 1 node and it sends 1000MB per day.

you pay for 1 ASC node.

you pay for 500 MB of Log A (500MB is free)

you pay foe 1000MB of Azure Sentinel.