SOLVED

Sentinel Ingestion From Office 365 Defender and Billing

New Contributor

The FAQ on the pricing page for sentinel has a section entitled "What data can be ingested at no cost with Azure Sentinel?".  The response is:

"Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Center and Microsoft Cloud App Security can be ingested at no additional cost into both Azure Sentinel and Azure Monitor Log Analytics."

 

I have turned up an instance of Sentinel and checked off only products described in the answer above.  However, my account is being billed for the data ingested to Log Analytics, but not Sentinel, as far as I can tell.  Can anyone help me understand what it is i'm being charged for?  

3 Replies
best response confirmed by stevenherman (New Contributor)
Solution
Azure Sentinel is free for the first 30days, hence if this is new you wont be billed yet. The word "Alerts" is key - "and alerts from Microsoft Defender products " - as Raw data isn't free, just the Alerts,

These queries can help you identify billable vs. free data in your Workspace,
https://azurecloudai.blog/2020/07/15/visualizing-azure-sentinel-billable-data-by-solution-and-data-t...
Thank you, this is very helpful. With that logic, it would seem that the connecter called "Microsoft 365 Defender (Preview)" has many DataTypes to check off and I had them all checked. If not the entirety of my billable data, it's probably the source of most of it, as the other connectors that I enabled only appear to have alerts as data types.
That's probably it, like you say. Also you can set up an Alert for this in the future https://techcommunity.microsoft.com/t5/azure-sentinel/ingestion-cost-alert-playbook/ba-p/2006003