Alerts Versus Logs for the Azure Sentinel “Free” Connectors

Just a quick clarification of something that I think needs some explanation because this does come up from time-to-time and yes, it can be confusing.

On our Azure Sentinel pricing page, in the FAQ, there’s this section titled:

“What data can be ingested at no cost with Azure Sentinel?”

I’m sure you’ve seen this before. But, there’s a piece of the answer that needs some explanation. The following represents what can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics.

Log files from the following two Connectors:

  • Azure Activity
  • Office 365 Audit Logs

Alerts (only alerts) from the following seven Data Connectors:

  • Azure Defender
  • Microsoft 365 Defender
  • Microsoft Defender for Office 365
  • Microsoft Defender for Identity
  • Microsoft Defender for Endpoint
  • Microsoft Cloud App Security
  • Azure Information Protection

However, a couple of those in the Alerts list of actually have log “options” in addition to enabling just the alerting.

The Data Connectors with log “options” are:

  • Microsoft 365 Defender – Logs option
  • Microsoft Cloud App Security – Logs option

For clarity, see the following screen captures that show how to enable just the alerts (1) and then how to enable the logs options (2).

M365 Defender – Alerts and Logs
MCAS – Alerts and Logs


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]