Is it possible to take advantage of Microsoft log sources being free to ingest into Sentinel?
MS Sentinel gurus - Does anyone know if it's possible to take advantage of Microsoft log sources being free to ingest into Sentinel (https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=free-data-meters#free-data-sources), such as Azure Activity Logs, Office 365, etc., while still sending the logs in via Cribl Stream? Obviously the preference would be to send everything via Cribl, but I presume the free ingestion of Microsoft logs will be calculated/only count via the built-in Sentinel data connectors for each of those log sources. Whereas if you start ingesting those through Cribl, you'd have to send them through a log source like syslog, in which case you then get billed for everything. Anyone with experience using Cribl with Sentinel - is that right, or is there a sneaky workaround?
Answers
-
Let me take a look and see what I can find.
0 -
Their docs are not clear on how the data comes in for the 'free' data sources. I believe you still will need to pay for the retention of those logs. See https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#costs-and-pricing-for-other-services under the "Costs that might accrue after resource deletion" section.
0 -
I would consult with an Azure rep or SE to make sure.
0 -
Thanks Kam, I'll see if I can reach out to someone at MS 🙂
0 -
Sounds good. I'll ask my contacts as well.
0
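One way to answer the original question empirically rather than waiting on a rep: the Log Analytics `Usage` table records ingested volume per destination table (`DataType`) together with an `IsBillable` flag, so after routing a source through Cribl you can see directly whether it landed in a table that is metered or in one that is not. The query below is an added example, not something posted in the thread or taken from Cribl or Microsoft documentation; the 30-day window and the `_CL` suffix check (custom tables created for Logs Ingestion API or custom-log destinations carry that suffix) are this example's own choices.

```kusto
// Compare free vs billable ingestion per destination table over the last 30 days.
// Run in the Log Analytics workspace that backs the Sentinel instance.
Usage
| where TimeGenerated > ago(30d)
// Only the Sentinel-backed workspace data; Quantity is reported in MB.
| where QuantityUnit == "MBytes"
| summarize IngestedMB = round(sum(Quantity), 2) by DataType, Solution, IsBillable
// Flag custom tables: data pushed from a forwarder such as Cribl into a
// custom destination ends up in a table with a _CL suffix and is billable.
| extend LandingTable = iff(DataType endswith "_CL", "custom (_CL)", "standard")
| order by IsBillable desc, IngestedMB desc
```

Read the result as follows: rows for `AzureActivity` or `OfficeActivity` with `IsBillable == false` confirm the free meters are being applied to that data; the same sources showing up under `Syslog` or a `_CL` table with `IsBillable == true` mean the forwarding path has moved them onto a paid meter. Note that `Usage` only reflects ingestion volume; the retention and archive charges Kam raised are billed separately and will not appear here.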