Sentinel log ingestion

Copper Contributor

@macd in Microsoft Sentinel



I have one question regarding log ingestion.

If we already have logs in the log analytic workspace and later if we enable sentinel in the same workspace, then will that sentinel be able to read those logs or do we need to ingest those logs again through sentinel data connectors?


Thank you

8 Replies

@burasathi hi,


What kind of logs do you ingest in Log Analytics Workspace now?

Logs are only ingested once, Sentinel reads them, so they will be available to you *after* you enable Sentinel
@cyb3rmik3 hi in log analytics there is Sign in logs from Azure Active Directory.
Hello, Thank you for the confirmation,. Will there be extra cost if sentinel reads the logs.



Microsoft Sentinel has a similar billing, model to Log Analytics, please look up "Sentinel" in Pricing Calculator | Microsoft Azure

The total monthly price is for the Ingestion + Sentinel to analyse those same logs 

"Microsoft Sentinel is billed for the volume of data stored in an Azure Monitor Log Analytics workspace and analyzed in Microsoft Sentinel."



Thank you @Clive_Watson,

That means if we need to pull logs from one sentinel workspace to other sentinel workspace then we will be paying charge of analysis by sentinel two times one in the sentinel where there is log and one in sentinel where we are pulled that log.

@burasathi hi,


thank you for your earlier reply on the log source. @Clive_Watson is correct about the Sentinel + Log Analytics Workspace, but based on your last message I think you are confused.


Microsoft Sentinel is the environment where logs are being analyzed and all relevant blades can be used to bring value for security, this is where you can build detections, playbooks, perform threat hunting, investigate alerts and incidents etc.


Log Analytics Workspace is the environment that ingests logs, this is where your data from your sources are being stored in tables and you can go through them through the Logs blade using KQL.


In order to use Sentinel, you have to associate a Log Analytics Workspace, if you begin the creation of a new Sentinel, this is the first step, it is fundamental. Sentinel is not a logs repository, it is a logs analyzing environment. Having said that, if you choose to use Sentinel as @Clive_Watson demonstrated, you will be charged for:

  1. The data ingested in Log Analytics Workspace
  2. The data analyzed by Sentinel

In your case, you could associate a Sentinel with your current Log Analytics Workspace and given that Sentinel has a built-in connector along with all security goodies (detections etc), I would disconnect Azure AD with the Log Analytics Workspace and use Sentinel's connector.


PS1: Once you create a Sentinel instance and associate a Log Analytics Workspace, you don't need to pull any logs from anywhere, everything is in one place.

PS2: Again, once you create a Sentinel instance and associate a Log Analytics Workspace, you will be charged for the logs ingestion in Log Analytics Workspace, and the logs analyzed in Sentinel.


If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

Thank you @cyb3rmik3 and @Clive_Watson for the explanation . That was really helpful.