For new and existing Microsoft Sentinel customers, there’s a free trial available that provides data ingestion and retention for a 31-day period. It’s easy to kick off the trial. You just create a new Log Analytics workspace and enable Microsoft Sentinel on the workspace.
But how do you know when the trial starts and when it ends? And how can you tell if an existing workspace has already been enabled sometime in the past?
After you successfully start the Microsoft Sentinel trial by enabling Sentinel on a new Log Analytics workspace, a notification is displayed to let you know the clock has started.
Anytime you want to see how many days are left in the trial, jump to the News & Guides blade and tap or click on the Free Trial tab.
After the trial has expired for a Log Analytics workspace, the Free Trial tab retains and provides the expiration date.
Worth Knowing: In the past, customers could enable the 31-day trial on new workspaces an unlimited number of times. That has recently changed: the 31-day trial can now be enabled only 20 times for a single Azure subscription.
Want to be reminded about when the 31-day trial expires? Use a KQL query. The following query can be used in a Microsoft Sentinel Playbook to send an email daily as a reminder that you need to take advantage of the free trial before time is up.
//This query reports the end date and the number of days left in the Sentinel 31-day trial. Replace "TrialTest" with your Log Analytics workspace name.
//One use case: You can use this in a Playbook to receive an email reminder every day of how many trial days are left.
let workspace = "TrialTest";
let Trial = 31d;
AzureActivity
| where TimeGenerated >= ago(90d)
| where OperationNameValue == "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"
| where ActivitySubstatusValue == "Created"
| where Authorization contains workspace
| extend End_Date = TimeGenerated + Trial
| extend Date_Created = TimeGenerated
| extend Created_By = Caller
//Days_Left is measured from the current time, so it counts down as the trial runs
| project workspace, Date_Created, End_Date, Days_Left = End_Date - now(), Created_By
The most current version of this query can always be found here: https://cda.ms/3N3
Not familiar with KQL? Start the Must Learn KQL series today! https://aka.ms/MustLearnKQL