Matt2023
Copper Contributor
Nov 01, 2023

Microsoft 365 Defender into Sentinel

I've just started to look at onboarding devices into 365 Defender via the script provided and all works great. We do use an independent anti-virus product but I like the additional telemetry associated with onboarding.

 

We already have a POC Sentinel instance created with the M365 Defender connector turned on and I'm able to see it ingesting data from my onboarded device.

 

My question really is: what data is classed as free ingested data? I'd be happy to onboard our whole estate of devices into 365 Defender but I guess they will all start throwing data into Sentinel then?

 

I'm just concerned before we know it we could have costs spiralling out of control?

 

Is there a matrix or chart somewhere explaining the pricing for the different data connectors?

 

Also, is it possible to just onboard devices into the usual M365 Defender without having it need to go into Sentinel?

 

I guess I could just turn off the M365 Defender data connector, but would things still get ingested via any of the other connectors?

 

Thanks

 

 

  • Matt2023, from the Sentinel portal click on Settings and you can check the pricing details based on the data ingested.

     

     

    • Matt2023
      Copper Contributor

      eliekarkafy 

       

      Hi,

       

      I did spot that but I just wanted to know whether, if we onboarded lots of devices into Microsoft 365 Defender for Endpoint, our Sentinel costs would spiral out of control.

       

      Saying that, I was just trying to get a bit more info on this and it looks like, to use the Microsoft 365 Defender for Endpoint connector in Sentinel anyway, you need to have an E5 licence.

       

      We predominantly use E3s so I guess I can onboard away, as the data shouldn't end up in Sentinel anyway if that's the case.
