Daily quota for Sentinel


Do I understand the text highlighted in red correctly, if I assume that the daily cap has no effect for data ingested into Sentinel from e.g. on-premise DCs and on-premise firewalls?


Is there a way to enforce a hard cap for all ingested data, even in Sentinel?
Or is it not possible to make a setup where you are guaranteed a maximum ingestion volume per day in Sentinel?

I want to make sure that a customer does not end up in a scenario where they are billed for multiple TB of data, because they accidentally misconfigured the amount of incoming firewall data.

1 Reply
best response confirmed by Larssen92 (Contributor)

You wouldn't want to be in a situation where you stopped logging during an attack, so whilst cost is a consideration, coverage is as well. The text above is correct, key sources will ignore the daily cap.
You can of course alert when you are near the cap and then make a more informed decision, e.g. to tune or switch off a data connector.

See the link (and warning box) here for more details:
Manage usage and costs for Azure Monitor Logs - Azure Monitor | Microsoft Docs
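
One way to build the near-cap alert the reply suggests, as an added example that is not part of the original thread: a Log Analytics query over the `Usage` table that can back a scheduled alert rule and shows which data types are driving today's volume. The 50 GB cap and the 80% warning threshold are assumed placeholder values.

```kql
// Added example, not from the original thread.
// Assumptions: DailyCapGB and WarnFraction are placeholders; set them to the
// workspace's configured cap and the warning level you want.
let DailyCapGB = 50.0;
let WarnFraction = 0.8;
// Billable volume per data type since midnight UTC.
// Usage.Quantity is reported in MB, so divide by 1000 for GB.
// Note: the daily cap resets at a workspace-specific hour, which may not be
// midnight UTC; adjust the start time to match the reset hour shown on the
// workspace's daily cap page.
let PerType =
    Usage
    | where TimeGenerated >= startofday(now())
    | where IsBillable == true
    | summarize IngestedGB = round(sum(Quantity) / 1000.0, 2) by DataType;
// Total across all billable types, including any that the cap does not stop.
let TotalTodayGB = toscalar(PerType | summarize sum(IngestedGB));
// Return rows only when the total has crossed the warning threshold,
// so an alert rule can fire on "number of results greater than 0".
PerType
| where TotalTodayGB >= DailyCapGB * WarnFraction
| extend TotalGB = TotalTodayGB,
         PercentOfCap = round(100.0 * TotalTodayGB / DailyCapGB, 1)
| top 10 by IngestedGB desc
```

The `Usage` table is aggregated hourly, so the alert lags actual ingestion; the per-type breakdown points to the connector to tune, such as a misconfigured firewall feed.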