Just a quick clarification of something that I think needs some explanation because this does come up from time-to-time and yes, it can be confusing.
On our Azure Sentinel pricing page, in the FAQ, there’s this section titled:
“What data can be ingested at no cost with Azure Sentinel?”
I’m sure you’ve seen this before. But, there’s a piece of the answer that needs some explanation. The following represents what can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics.
Log files from the following two Connectors:
- Azure Activity
- Office 365 Audit Logs
Alerts (only alerts) from the following seven Data Connectors:
- Azure Defender
- Microsoft 365 Defender
- Microsoft Defender for Office 365
- Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Microsoft Cloud App Security
- Azure Information Protection
However, a couple of those in the Alerts list of actually have log “options” in addition to enabling just the alerting.
The Data Connectors with log “options” are:
- Microsoft 365 Defender – Logs option
- Microsoft Cloud App Security – Logs option
For clarity, see the following screen captures that show how to enable just the alerts (1) and then how to enable the logs options (2).
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]