SOLVED

Daily quota for Sentinel


Do I understand the text highlighted in red correctly, if I assume that the daily cap has no effect on data ingested into Sentinel from, e.g., on-premise DCs and on-premise firewalls?

Larssen92_0-1644243487037.png


Is there a way to enforce a hard cap for all ingested data, even in Sentinel?
Or is it not possible to make a setup where you are guaranteed a maximum ingestion volume per day in Sentinel?

I want to make sure that a customer does not end up in a scenario where they are billed for multiple TB of data because they accidentally misconfigured the amount of incoming firewall data.

1 Reply
best response confirmed by Larssen92 (Brass Contributor)
Solution

You wouldn't want to be in a situation where you stopped logging during an attack, so whilst cost is a consideration, coverage is as well. The text above is correct; key sources will ignore the daily cap.
You can of course alert when you are near the cap and then make a more informed decision to tune or switch off a data connector, e.g. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingestion-cost-spike-detection-playbo...

See the link (and warning box) here for more details:
Manage usage and costs for Azure Monitor Logs - Azure Monitor | Microsoft Docs

Clive_Watson_0-1644249191225.png
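
One way to build the near-cap alert the reply describes, as an added example (not from the original post or the linked playbook): a KQL query over the workspace `Usage` table that can back a scheduled alert rule. The cap size, warning fraction and spike factor are assumed values, and the query assumes the day starts at 00:00 UTC, whereas the actual daily cap reset hour depends on the workspace.

```kusto
// Added example. All three thresholds are assumptions: set them per workspace.
let dailyCapGB   = 100.0;  // the daily cap configured on the workspace, in GB
let warnFraction = 0.8;    // warn once 80% of the cap has been ingested
let spikeFactor  = 3.0;    // a table "spikes" at 3x its average daily volume
// Billable volume per table so far today. Usage.Quantity is reported in MB.
let today = Usage
    | where TimeGenerated >= startofday(now()) and IsBillable == true
    | summarize TodayGB = sum(Quantity) / 1000.0 by DataType;
// Average billable volume per table and day over the previous 7 full days.
let baseline = Usage
    | where TimeGenerated >= startofday(ago(7d)) and TimeGenerated < startofday(now())
    | where IsBillable == true
    | summarize BaselineGB = sum(Quantity) / 1000.0 / 7.0 by DataType;
let totalTodayGB = toscalar(today | summarize sum(TodayGB));
today
| join kind=leftouter baseline on DataType
// A table with no history gets a baseline of 0 and is therefore flagged,
// which surfaces a newly connected (possibly misconfigured) source.
| extend BaselineGB = coalesce(BaselineGB, 0.0)
| extend Spiking = TodayGB > spikeFactor * BaselineGB
| extend TotalTodayGB = totalTodayGB,
         CapFraction  = round(totalTodayGB / dailyCapGB, 2)
// Return rows only when the workspace is near the cap or a table is spiking,
// so an alert rule can fire on "number of results > 0".
| where CapFraction >= warnFraction or Spiking
| project DataType, TodayGB, BaselineGB, Spiking, TotalTodayGB, CapFraction
| order by TodayGB desc
```

Today's partial volume is compared with a full-day average, so a flagged table has already exceeded the factor before the day is over. `Usage` records are hourly aggregates, so the result lags live ingestion.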
