SOLVED

Daily quota for Sentinel


Do I understand the text highlighted in red correctly, if I assume that the daily cap has no effect for data ingested into Sentinel from e.g. on-premise DCs and on-premise firewalls?

[Image: Larssen92_0-1644243487037.png]


Is there a way to enforce a hard cap for all ingested data, even in Sentinel?
Or is it not possible to make a setup where you are guaranteed a maximum ingestion volume per day in Sentinel?

I want to make sure that a customer does not end up in a scenario where they are billed for multiple TB of data, because they accidentally misconfigured the amount of incoming firewall data.

1 Reply
best response confirmed by Larssen92 (Contributor)
Solution

You wouldn't want to be in a situation where you stopped logging during an attack, so whilst cost is a consideration, coverage is as well. The text above is correct, key sources will ignore the daily cap.
You can of course alert when you are near the cap and then make a more informed decision to tune or switch off a data connector, e.g. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingestion-cost-spike-detection-playbo...

See the link (and warning box) here for more details:
Manage usage and costs for Azure Monitor Logs - Azure Monitor | Microsoft Docs

[Image: Clive_Watson_0-1644249191225.png]
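
One way to build the "alert when you are near the cap" check from the reply, as an added example that is not part of the thread or of the linked playbook: a KQL query for a scheduled alert rule, using the workspace `Usage` table. The 50 GB cap, the 80 % threshold and the use of UTC midnight as the start of the day are assumptions; set them to the workspace's configured cap and reset hour.

```kql
// Added example: warn when billable ingestion for the current day approaches the daily cap.
// Assumed values (not from the thread): adjust to the workspace's own settings.
let dailyCapGB   = 50.0;   // assumption: daily cap configured on the workspace
let warnFraction = 0.8;    // assumption: raise the alert at 80 % of the cap
// Billable volume per data type since the start of the day.
// Assumption: the day starts at UTC midnight; the workspace's cap reset hour may differ.
let today =
    Usage
    | where TimeGenerated >= startofday(now())
    | where IsBillable == true
    | summarize IngestedGB = sum(Quantity) / 1000.0 by DataType;  // Quantity is reported in MB
// Total across all data types, including any that are not stopped by the cap.
let totalGB = toscalar(today | summarize sum(IngestedGB));
today
| extend TotalGB = totalGB, CapGB = dailyCapGB
| extend PercentOfCap = round(100.0 * TotalGB / CapGB, 1)
// Return rows (and so fire the alert) only once the threshold is crossed.
| where TotalGB >= dailyCapGB * warnFraction
// Largest contributors first, so the noisy connector is visible in the alert itself.
| top 10 by IngestedGB desc
| project DataType,
          IngestedGB = round(IngestedGB, 2),
          TotalGB    = round(TotalGB, 2),
          CapGB,
          PercentOfCap
```

The query returns no rows below the threshold, so an alert rule that triggers on a result count greater than zero fires only when ingestion is near the cap. `Usage` records are written periodically, so the total lags real ingestion.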