SOLVED

Sentinel Ingestion From Office 365 Defender and Billing

Copper Contributor

The FAQ on the pricing page for Sentinel has a section entitled "What data can be ingested at no cost with Azure Sentinel?". The response is:

"Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Center and Microsoft Cloud App Security can be ingested at no additional cost into both Azure Sentinel and Azure Monitor Log Analytics."


I have turned up an instance of Sentinel and checked off only products described in the answer above. However, my account is being billed for the data ingested to Log Analytics, but not Sentinel, as far as I can tell. Can anyone help me understand what it is I'm being charged for?

3 Replies
best response confirmed by stevenherman (Copper Contributor)
Solution
Azure Sentinel is free for the first 30 days, hence if this is new you won't be billed yet. The word "Alerts" is key - "and alerts from Microsoft Defender products" - as raw data isn't free, just the alerts.

These queries can help you identify billable vs. free data in your workspace:
https://azurecloudai.blog/2020/07/15/visualizing-azure-sentinel-billable-data-by-solution-and-data-t...
Thank you, this is very helpful. With that logic, it would seem that the connector called "Microsoft 365 Defender (Preview)" has many DataTypes to check off and I had them all checked. If not the entirety of my billable data, it's probably the source of most of it, as the other connectors that I enabled only appear to have alerts as data types.
That's probably it, like you say. Also you can set up an Alert for this in the future https://techcommunity.microsoft.com/t5/azure-sentinel/ingestion-cost-alert-playbook/ba-p/2006003
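The billable-vs-free breakdown that the accepted answer points to, written out here as an added KQL example (not the query from the linked post, and not Microsoft's own). It runs against the standard Log Analytics `Usage` table, whose `IsBillable` column is the authoritative flag; the `Source` label is a constructed heuristic that assumes Defender raw advanced-hunting tables start with `Device`, `Email` or `Identity`, while alerts land in `SecurityAlert`/`SecurityIncident`.

```kql
// Added example: ingestion per table over the last 30 days, split into billable and free,
// so the "only Defender alerts are free, raw events are not" rule can be checked directly.
// Usage is a standard Log Analytics table; Quantity is reported in MB.
Usage
| where TimeGenerated > ago(30d)
// Heuristic label (assumption, not a billing rule): group tables by where they come from.
// IsBillable below is what the workspace actually charges on; use it, not this label, to decide.
| extend Source = case(
    DataType in ("SecurityAlert", "SecurityIncident"), "Defender/Sentinel alerts",
    DataType startswith "Device" or DataType startswith "Email" or DataType startswith "Identity",
        "M365 Defender raw hunting tables",
    "Other")
| summarize IngestedGB = round(sum(Quantity) / 1024, 3) by Source, DataType, Solution, IsBillable
| order by IsBillable desc, IngestedGB desc
```

Tables that show `IsBillable == true` with a large `IngestedGB` are the ones to untick in the "Microsoft 365 Defender (Preview)" connector if only the free alert data is wanted.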