May 31 2023 08:22 AM
Hello,
I have one question regarding log ingestion.
If we already have logs in the log analytic workspace and later if we enable sentinel in the same workspace, then will that sentinel be able to read those logs or do we need to ingest those logs again through sentinel data connectors?
Thank you
Jun 01 2023 03:01 AM
Microsoft Sentinel has a similar billing model to Log Analytics; please look up "Sentinel" in Pricing Calculator | Microsoft Azure.
The total monthly price is for the Ingestion + Sentinel to analyse those same logs
"Microsoft Sentinel is billed for the volume of data stored in an Azure Monitor Log Analytics workspace and analyzed in Microsoft Sentinel."
Jun 02 2023 04:52 AM
@burasathi hi,
Thank you for your earlier reply on the log source. @Clive_Watson is correct about the Sentinel + Log Analytics Workspace, but based on your last message I think you are confused.
Microsoft Sentinel is the environment where logs are being analyzed and all relevant blades can be used to bring value for security, this is where you can build detections, playbooks, perform threat hunting, investigate alerts and incidents etc.
Log Analytics Workspace is the environment that ingests logs; this is where the data from your sources is stored in tables, and you can go through it in the Logs blade using KQL.
In order to use Sentinel, you have to associate a Log Analytics Workspace. If you begin the creation of a new Sentinel, this is the first step; it is fundamental. Sentinel is not a logs repository, it is a logs analyzing environment. Having said that, if you choose to use Sentinel as @Clive_Watson demonstrated, you will be charged for:
In your case, you could associate a Sentinel with your current Log Analytics Workspace and, given that Sentinel has a built-in connector along with all security goodies (detections etc.), I would disconnect Azure AD from the Log Analytics Workspace and use Sentinel's connector.
PS1: Once you create a Sentinel instance and associate a Log Analytics Workspace, you don't need to pull any logs from anywhere, everything is in one place.
PS2: Again, once you create a Sentinel instance and associate a Log Analytics Workspace, you will be charged for the logs ingestion in Log Analytics Workspace, and the logs analyzed in Sentinel.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
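To confirm the point made in this answer, that logs already sitting in the workspace are visible to Sentinel without re-ingestion, here is an added KQL example (not from the thread or from Microsoft's documentation). It assumes the Azure AD sign-in logs were routed to the standard SigninLogs table; run it in Microsoft Sentinel > Logs and again in the Log Analytics Workspace Logs blade, and both return the same rows.

```kql
// Added example, not part of the original thread.
// 1) Show that data ingested before Sentinel was enabled is still there:
//    earliest and latest SigninLogs rows in the workspace. Assumes the
//    Azure AD diagnostic setting (or the Sentinel connector) writes to
//    the SigninLogs table.
SigninLogs
| summarize Earliest = min(TimeGenerated),
            Latest   = max(TimeGenerated),
            Rows     = count()

// 2) Billable ingestion per table over the last 31 days. This is the
//    Log Analytics ingestion volume; Sentinel analysis is billed on the
//    same data, so this also shows what Sentinel will charge against.
Usage
| where TimeGenerated > ago(31d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc
```

If the first query returns rows older than the date Sentinel was enabled on the workspace, no re-ingestion happened; the tables are shared.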