When planning the deployment of Microsoft Sentinel, it is important to understand how much data is likely to be ingested and the cost of that ingestion. The good news is that there are quite a few services that you can ingest for free and having a good handle on which Microsoft services are free and which will incur costs can help you plan more accurately and make decisions about what to ingest.
What can be ingested into Sentinel for free?
So what can we ingest for free?
Data Connector | Free Ingestion | Notes |
---|---|---|
Azure Activity | Logs Only | Azure Activity Log is a subscription log that provides insight into subscription-level events that occur in Azure, including events from Azure Resource Manager operational data, service health events, write operations taken on the resources in your subscription, and the status of activities performed in Azure. |
Microsoft 365 (formerly, Office 365) | Logs Only | The Office 365 activity log connector provides insight into ongoing user activities. You will get details of operations such as file downloads, access requests sent, changes to group events, set-mailbox and details of the user who performed the actions. By connecting Office 365 logs into Microsoft Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process. |
Microsoft Defender for Cloud | Alerts Only | Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your security alerts from Microsoft Defender for Cloud into Microsoft Sentinel, so you can view Defender data in workbooks, query it to produce alerts, and investigate and respond to incidents. |
Microsoft 365 Defender | Incident and Alerts | Microsoft 365 Defender is a unified, natively integrated, pre- and post-breach enterprise defense suite that protects endpoint, identity, email, and applications and helps you detect, prevent, investigate, and automatically respond to sophisticated threats. NOTE: This connector includes Logs THAT ARE NOT FREE. (see below) |
Microsoft Defender for Office 365 | Alerts Only | Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. By ingesting Microsoft Defender for Office 365 alerts into Microsoft Sentinel, you can incorporate information about email- and URL-based threats into your broader risk analysis and build response scenarios accordingly. |
Microsoft Defender for Identity | Alerts Only | Connect Microsoft Defender for Identity to gain visibility into the events and user analytics. Microsoft Defender for Identity identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. |
Microsoft Defender for Endpoint | Alerts Only | Microsoft Defender for Endpoint is a security platform designed to prevent, detect, investigate, and respond to advanced threats. The platform creates alerts when suspicious security events are seen in an organization. Fetch alerts generated in Microsoft Defender for Endpoint to Microsoft Sentinel so that you can effectively analyze security events. |
Microsoft Defender for Cloud Apps | Alerts Only | By connecting with Microsoft Defender for Cloud Apps you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels. NOTE: This connector includes Logs THAT ARE NOT FREE. (see below) |
Beware Sentinel connectors that include Logs!
As mentioned in the table above, Microsoft 365 Defender and Microsoft Defender for Cloud Apps can ingest both Alerts and Logs.
Ingesting Alerts for free
Ingesting Logs (not free)
Sentinel Free Trial
New Microsoft Sentinel workspaces can ingest 10GB/day of log data for the first 31 days at no cost. Please note that this trial is limited to 20 workspaces per tenant.
Microsoft 365 E5, A5, F5 and G5 Sentinel Free Data Ingestion
Microsoft 365 E5, A5, F5 and G5 users and the equivalent security SKUs can receive free ingestion of up to 5MB per user/day. The data sources covered by this offer are:
- Azure Active Directory (Azure AD) sign-in and audit logs
- Microsoft Defender for Cloud Apps shadow IT discovery logs
- Microsoft Information Protection logs
- Microsoft 365 advanced hunting data
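Because the Microsoft 365 Defender and Defender for Cloud Apps connectors can bring in billable logs alongside the free alerts, it is worth checking how much of that log volume the 5MB per user/day benefit actually absorbs. The KQL below is an added example written for this post, not a query from Microsoft's documentation. It runs against the Usage table that every Log Analytics workspace has (Quantity is reported in MB), uses a constructed placeholder for the licensed seat count, and assumes a mapping of the benefit's data sources to workspace table names (SigninLogs, AuditLogs, McasShadowItReporting, and the Device*, Email*, Identity* and CloudApp* advanced hunting tables); the prefix matches are coarse and may catch a few tables outside the benefit, so adjust them to your workspace.

```kql
// Added example (not from the original post): estimate how much of the daily
// ingestion for the data sources named in the E5/A5/F5/G5 benefit falls
// inside the 5MB-per-user allowance. Runs against the Usage table that every
// Log Analytics workspace has. Quantity is reported in MB.
let LicensedUsers = 1000;           // placeholder: replace with your eligible seat count
let AllowanceMBPerUserPerDay = 5;   // the allowance described above
// Assumed mapping of the benefit's data sources to workspace tables:
// Azure AD sign-in/audit logs, Defender for Cloud Apps shadow IT discovery,
// and the Microsoft 365 Defender advanced hunting tables (Device*, Email*, Identity*, CloudApp*).
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| where DataType in ("SigninLogs", "AuditLogs", "McasShadowItReporting")
    or DataType startswith "Device"
    or DataType startswith "Email"
    or DataType startswith "Identity"
    or DataType startswith "CloudApp"
| summarize IngestedMB = sum(Quantity) by Day = bin(TimeGenerated, 1d)
| extend AllowanceMB = LicensedUsers * AllowanceMBPerUserPerDay
// Anything above the allowance is what you should expect to see on the bill
| extend OverAllowanceMB = max_of(IngestedMB - AllowanceMB, 0.0)
| order by Day desc
```

Treat the result as an estimate: the assumption here is that the benefit is applied as a credit on the invoice rather than by flipping IsBillable in the Usage table, so the query compares raw billable volume against the allowance and reports the daily overage you would pay for. Days with a large OverAllowanceMB are the ones where raw advanced hunting tables, rather than alerts, are driving cost.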
Microsoft Defender for Server P2 Sentinel Free Data Ingestion
Defender for Servers Plan 2 comes with 500MB of free data ingestion per day per node. It’s worth noting that the allowance is calculated and shared across all nodes, so one busy server can consume the allowance earned by quieter ones.
Sentinel Data Retention
Finally, it’s important to remember that whilst the data outlined above can be ingested for free and retention for the first 90 days will also be free, beyond 90 days all of this data will be charged at standard retention pricing.
References
Microsoft Sentinel Pricing | Microsoft Azure
Microsoft 365 E5 benefit offer with Microsoft Sentinel | Microsoft Azure
Please let me know if I have missed anything, or if you have any tips with regards to the monitoring of Microsoft products.