Forum Discussion
Sentinel log ingestion
Hi burasathi,
Thank you for your earlier reply on the log source. Clive_Watson is correct about Sentinel + Log Analytics Workspace, but based on your last message I think you are confused.
Microsoft Sentinel is the environment where logs are analyzed and where all the relevant blades can be used to bring value for security; this is where you build detections and playbooks, perform threat hunting, investigate alerts and incidents, etc.
Log Analytics Workspace is the environment that ingests logs; this is where the data from your sources is stored in tables, and you can go through it in the Logs blade using KQL.
In order to use Sentinel, you have to associate a Log Analytics Workspace. If you begin the creation of a new Sentinel, this is the first step; it is fundamental. Sentinel is not a log repository, it is a log analysis environment. Having said that, if you choose to use Sentinel as Clive_Watson demonstrated, you will be charged for:
- The data ingested in Log Analytics Workspace
- The data analyzed by Sentinel
In your case, you could associate a Sentinel with your current Log Analytics Workspace, and given that Sentinel has a built-in connector along with all the security goodies (detections etc.), I would disconnect Azure AD from the Log Analytics Workspace and use Sentinel's connector.
PS1: Once you create a Sentinel instance and associate a Log Analytics Workspace, you don't need to pull any logs from anywhere; everything is in one place.
PS2: Again, once you create a Sentinel instance and associate a Log Analytics Workspace, you will be charged for the log ingestion in the Log Analytics Workspace and for the logs analyzed in Sentinel.
If I have answered your question, please mark your post as Solved.
If you like my response, please consider giving it a like.
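As an added example (not part of the post above), a KQL query to run in the workspace's Logs blade after switching Azure AD to the Sentinel connector: it uses the standard `Usage` table to show billable volume per table over the last 30 days, which is the ingestion the reply says you pay for, and flags the Azure AD tables so you can confirm the data is landing once. The cost rate is a labelled placeholder, not a real price.

```kql
// Added example: billable ingestion per table for the last 30 days.
// Azure AD tables populated by the Sentinel connector / diagnostic settings.
let AadTables = dynamic(["SigninLogs", "AuditLogs", "AADNonInteractiveUserSignInLogs"]);
// PLACEHOLDER rate: replace with your region's actual per-GB price.
let PricePerGB = 0.0;
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize BillableGB = round(sum(Quantity) / 1024.0, 3) by DataType
| extend IsAzureADTable = DataType in (AadTables)
| extend EstimatedCost_Placeholder = round(BillableGB * PricePerGB, 2)
| order by BillableGB desc
```

If an Azure AD table shows zero rows here after the connector change, the diagnostic setting is not yet routing to this workspace; if the volume roughly doubles, the old diagnostic setting is still active alongside the connector.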