Sentinel "no cost" tier

Frequent Visitor

Hi All,

While surfing Sentinel's FAQ (, I saw this:

"Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Center, Microsoft Cloud App Security, and Azure Information Protection can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics."

I'm marking in bold the O365 portion because I was looking at that particular connector and what I see in the connector´s description is: 
"The Office 365 activity log connector provides insight into ongoing user activities. You will get details of operations such as file downloads, access requests sent, changes to group events, set-mailbox and details of the user who performed the actions.​ By connecting Office 365 logs into Azure Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process.​"

A few questions here:

  1. Is this the same connector that is being mentioned in that FAQ? Asking mostly because wording doesn´t match, it says O365 Audit Logs vs O365 Activity Log (could be an obvious answer, but we are talking about money here... so... didn't want to risk it)
  2. When I open the "how to" connector's page I see 3 checkboxes to enable data ingestion: Exchange, Sharepoint and Teams. Since the FAQ mentions only "Sharepoint" and "Exchange", does this means that Teams data ingested will be charged in both Sentinel and Log Analytics and Sharepoint and Exchange data ingested will not be charged in both Sentinel and Log Analytics? Assuming I click on the three checkboxes.




0 Replies