Latest costing/billing changes


Dear team,

As of 18/9/22, I wanted to know the following things from Microsoft experts related to Microsoft Sentinel.

Are there any charges related to:

1) sending data to custom tables

2) use of custom parsers

3) use of KQL (I saw some changes recently)

What is the procedure/process to get data from an on-prem SIEM solution to Log Analytics?

And also:

What is the procedure/process to get data from Sentinel/LA to an on-prem solution?

2 Replies
Not sure about 1 & 2, but KQL charges are as per the volume of data scanned per query. Check the "Search Job" section of the following: https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/

Now, regarding data forwarding to/from Sentinel, it depends on the SIEM solution you're using. For Splunk you need to use the following add-on: https://splunkbase.splunk.com/app/5312/
Refer to this link for more details: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-export-data-from-splunk-to-azu...

1. There are no charges specifically for the use of custom tables.
You pay for Log Analytics ingestion and Sentinel ingestion, just like any other regular table that is not specifically designated as free, such as Azure Activity.

2. Not to my knowledge.

3. There is no cost for running regular KQL queries. The search job mentioned above only applies when you want to search large amounts of data and the search requires more than 10 minutes to continue etc.
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/search-jobs?tabs=portal-1%2Cportal-2