The Microsoft 365 Defender Connector in Microsoft Sentinel is coming along nicely with all the table sources now available to select. The Connector is still in public preview, but the progress is a very welcome sight.
Even though ingesting the M365 Advanced logs is considered necessary, enabling them will cost something.
There are two primary data costs to Microsoft Sentinel and those are ingestion and retention. A Microsoft Sentinel environment gets 90 days of free retention for active data and there are methods and approaches to managing the data once it hits the 90-day threshold.
The cost that will have the most immediate effect on the M365 Advanced logs is ingestion. And, rightfully so, getting an estimation of the volume and cost of enabling the Advanced logs is important.
Here’s a KQL query you can use at https://security.microsoft.com in the Advanced Hunting blade to get the average EPS and estimated GB for your environment.
let bytes_ = 500; union withsource=MDTables* | where Timestamp > startofday(ago(1d)) | summarize count() by bin(Timestamp, 1m), MDTables | extend EPS = count_ /60 |summarize avg(EPS), estimatedGBytes = (avg(EPS) * bytes_ ) / (1024*1024*1024) by MDTables | sort by toint(estimatedGBytes) desc
Once you have the EPS and estimated GBs, you can plug them into the Microsoft Sentinel calculator.
Are you a Microsoft 365 E5, A5, F5, and G5, and Microsoft 365 E5, A5, F5, and G5 Security customer? Even for these Advanced logs you are eligible to receive a data grant of up to 5MB per user per day to ingest Microsoft 365 data.
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Learn KQL with the Must Learn KQL series and book]