Technical details and integration


Hi All,

I was wondering if you could help with the following questions, please?

- What datastore does Sentinel use?
- Does Sentinel allow backing up the data to Azure blob storage and searching it?
- Is it easy to get data out of Sentinel, and what is the cost?
- How can we collect logs and audit logs from PaaS services like API Management, Azure Cosmos DB, Synapse workspace and Power BI Embedded?
- Also, how is the cost calculated if you increase the retention from 31 days to 90 days?

Thanks, I really appreciate your help.

 

Maxou

4 Replies

@Maxou I might be able to answer a few of the questions:

- What datastore does Sentinel use? [Sentinel stores all ingested logs in Log Analytics]
- Does Sentinel allow backing up the data to Azure blob storage and searching it?
- Is it easy to get data out of Sentinel, and what is the cost? [You can remove Sentinel easily; please go through this link: https://docs.microsoft.com/en-us/azure/sentinel/offboard?WT.mc_id=Portal-Microsoft_Azure_Security_Insights]
- How can we collect logs and audit logs from PaaS services like API Management, Azure Cosmos DB, Synapse workspace and Power BI Embedded? [You can easily collect any Azure resource logs (in fact, a few non-Microsoft vendor logs too) through diagnostic settings. For example, for the API Management service, go to Azure portal -> APIM -> Diagnostic settings -> click on '+ Add diagnostic setting'. Select the appropriate logs, map the Sentinel Log Analytics workspace there and save it]
- Also, how is the cost calculated if you increase the retention from 31 days to 90 days? [To the best of my knowledge, for Azure Sentinel-enabled workspaces the data is retained for free for 90 days. Retention beyond 90 days will be charged per the standard Azure Monitor Log Analytics retention prices (https://azure.microsoft.com/en-us/pricing/details/log-analytics/), as outlined here: https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/. Only if you configure some changes in Sentinel settings will you find an option to increase data ingestion]

I hope it helps.

@Maxou Some of these answers are the same as what @printscreen listed and some are new.

 

- What datastore does Sentinel use?

It uses Log Analytics Workspaces to store all the data, hence why there is an Azure Sentinel ingestion fee and a Log Analytics ingestion fee as part of the price.

- Does Sentinel allow backing up the data to Azure blob storage and searching it?

Yes, but it isn't easy. You would need to use the "externaldata" command and know exactly where the data is located. There was a blog post recently about pushing old data into Azure Data Explorer which, while it costs more than Blob storage, allows you to easily query it.

- Is it easy to get data out of Sentinel, and what is the cost?

Define easy ;) You can extract data without too much hassle, and the charge would be the data egress charge if the data leaves the region.

- How can we collect logs and audit logs from PaaS services like API Management, Azure Cosmos DB, Synapse workspace and Power BI Embedded?

Most Azure services, although not all, allow you to set up monitoring which you can send to the Log Analytics workspace. I am unsure if all of those can do it. Plus there are more and more data connectors coming out all the time, so it is possible that there will be a direct connector for those in the future.

- Also, how is the cost calculated if you increase the retention from 31 days to 90 days?

Azure Sentinel gives you 90 days of data retention for free, so there is no additional cost going from 31 to 90 days. After 90 days there is a per gigabyte per month charge which varies depending on the region. I suggest using the Azure price calculator web site (Pricing Calculator | Microsoft Azure, https://azure.microsoft.com/en-us/pricing/calculator/) to determine your costs.
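As an added example (not from either reply, and not Microsoft's own code), this is what the "search the blob backup" step looks like in KQL with the externaldata operator: sign-in exports archived to blob storage are unioned with the live SigninLogs table so a single failed-sign-in hunt spans past the workspace retention window. The storage account, container, file names, SAS token and the CSV column layout are assumptions; the column types declared to externaldata must match the CSV columns by position.

```kql
// Constructed example: monthly CSV exports of SigninLogs that were archived to blob storage.
// Replace every <placeholder> with your own storage account, container and a read-only SAS token.
let ArchivedSignIns = externaldata(
    TimeGenerated: datetime,
    UserPrincipalName: string,
    ResultType: string,
    IPAddress: string,
    AppDisplayName: string)
[
    @"https://<storageaccount>.blob.core.windows.net/<container>/SigninLogs_2020-11.csv?<SAS-token>",
    @"https://<storageaccount>.blob.core.windows.net/<container>/SigninLogs_2020-12.csv?<SAS-token>"
]
with (format="csv", ignoreFirstRecord=true);   // first CSV row is the header
// Live data still inside the workspace retention window, trimmed to the same columns
// so the two sources union cleanly.
let LiveSignIns = SigninLogs
| where TimeGenerated > ago(90d)
| project TimeGenerated, UserPrincipalName, ResultType, IPAddress, AppDisplayName;
// One hunt over archived plus live data: accounts with a high volume of failed sign-ins.
union ArchivedSignIns, LiveSignIns
| where ResultType != "0"                      // "0" is a successful sign-in; any other code is a failure
| summarize
    FailedSignIns = count(),
    DistinctIPs   = dcount(IPAddress),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by UserPrincipalName
| where FailedSignIns > 50                     // threshold is an assumption; tune to your tenant
| order by FailedSignIns desc
```

Because externaldata reads the blobs on every run, keep the archived files small and partitioned (for example by month, as above) so a hunt only pulls the time range it needs.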

@printscreen: Thanks a lot, appreciate it :)
@Gary Bushey: This is awesome, thanks greatly :)