Just wondering if someone can provide any idea how the logs from Security Center a billed? The connector is not enabled but we are seeing the Security Events schema being filled.
Running a query against _IsBillable == True shows this data as billable. How does this data get billed?
On the connector we see the informational notice:
"Security Events tier configuration is shared with Azure Security Center and was already configured there for this workspace. Change the tier in Azure Security Center and it will apply for Azure Sentinel as well. Note that Security events will be collected once and used in both solutions."
It says once and used for both - is it billed twice or just once? If it's billed once is billed against the Data Analytics pricing or the Sentinel pricing?
ASC collect security events. ASC gives you 500MB per node of data ingestion. if the data goes over that 500MB you will pay for the extra.
Azure Sentinel can also collect security events. since you have ASC and sentinel using the same workspace. we ingest the data once. The above still applies. any ingestion over the 500MB is charged for Log A ingestion. Azure Sentinel also charges for data ingestion.
example. lets say you have 1 node and it sends 1000MB per day.