After the initial onboarding of Microsoft Sentinel, data connectors are used to ingest data. Microsoft has invested in pre-built connectors that add data and events to Microsoft Sentinel in the correct format.
For a large set of Microsoft products there are connectors available; with CEF and the REST APIs there are many more options for ingesting custom data into Sentinel.
This blog answers the question "which data is free in Sentinel?". Currently there is some confusion about the free connectors: several of the free connectors also contain sources that are not part of the free offering.
Blog information: published November 3, 2022; last updated January 26, 2023. Changelog: 26 January 2023: added the 500 MB Defender for Servers ingestion allowance information.
Trial pricing
Microsoft Sentinel is free for the first 31 days: it can be enabled on a workspace at no extra cost for 31 days, up to 10 GB/day of ingestion.
More information can be found here: Microsoft Sentinel Free trial
Free data sources
Some of the Microsoft data connectors are free and can be connected without additional cost. Raw log data is free only from the Azure Activity and Office 365 audit logs; all other free sources are free for alerts and incidents only.
The following connectors are free to use:
- Azure AD Identity Protection
- Azure Activity Logs
- Office 365
- Microsoft Defender for Cloud
- Microsoft Defender for IoT
- Microsoft 365 Defender
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
IMPORTANT: Alerts and some of the activity events are free; additional logs from some data connectors are not. In the Microsoft 365 Defender and Defender for Cloud connectors there are multiple options and checkboxes that enable non-free data. More information later in this blog.
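To see what a workspace actually bills, the Usage table can be queried for free versus billable volume per data type. The KQL below is an added example and not part of the original blog; it assumes only the standard Usage table columns (DataType, Solution, Quantity, QuantityUnit, IsBillable) and marks the data types of the free connectors listed above as expected to be free, so a non-zero billable volume on one of them is worth a closer look:

```kql
// Added example: free vs. billable ingestion per data type, last 30 days.
// Usage is an hourly aggregate per data type; Quantity is in MB when
// QuantityUnit == "MBytes". IsBillable reflects whether the data type itself
// is charged, which is exactly what the "free connector" lists above are about.
let expectedFree = dynamic(["AzureActivity", "OfficeActivity", "SecurityAlert", "SecurityIncident"]);
Usage
| where TimeGenerated > ago(30d)
| where QuantityUnit == "MBytes"
| summarize
    BillableMB = round(sumif(Quantity, IsBillable == true), 2),
    FreeMB     = round(sumif(Quantity, IsBillable == false), 2)
  by DataType, Solution
| extend ExpectedFree = DataType in (expectedFree)
// Anything expected to be free but billed is the confusion this post is about.
| extend Unexpected = ExpectedFree and BillableMB > 0
| project DataType, Solution, FreeMB, BillableMB, ExpectedFree, Unexpected
| order by Unexpected desc, BillableMB desc
```

Rows with ExpectedFree == false and a large BillableMB are the extras (raw telemetry enabled through connector checkboxes) that sit next to the free alerts; the free data types themselves should report BillableMB == 0.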
Multiple connectors for the same product, conflicts?
The Microsoft 365 Defender connector covers multiple products that take part in incident and alert creation:
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Office 365
- Microsoft Defender for Cloud Apps
- Microsoft Defender Alert Evidence
- Microsoft Defender Vulnerability Management
When using Microsoft 365 Defender there is overlap with the standalone Microsoft Defender for Endpoint, Microsoft Defender for Identity and Microsoft Defender for Cloud Apps connectors.
Each product has its own connector. The Microsoft 365 Defender connector is based on the Microsoft 365 Defender instance and brings in all incidents from these sources. The advantage of the newer Microsoft 365 Defender connector is that it can also stream more telemetry (the raw advanced hunting tables); that additional telemetry is not free.
Bi-directional connector
The Microsoft 365 Defender connector is bi-directional: closing an alert or incident in Sentinel closes it in the Microsoft security products, and vice versa. The newer connector streams on the basis of incidents. The standalone product connectors are not bi-directional and sync alerts only.
Recommendation: use the newer Microsoft 365 Defender connector for alert and incident creation. Collecting additional raw telemetry remains optional and can be enabled later.
Connect data sources in Microsoft Sentinel
Connecting data connectors in Microsoft Sentinel is easy and can be enabled with some clicks via the Microsoft Sentinel portal. For enabling a data connector:
- Open Microsoft Sentinel and select Data connectors
- Select the connector you want to connect, and then select Open connector page.
- Complete the prerequisites and follow the instructions for each specific connector
- After connecting, more content is available for the specific data type: sample queries, workbooks and analytics rule templates. This content is available in the connector wizard or, after connecting, on the Next steps tab.
The part below explains, for each 'free' connector, the requirements, additional information and prerequisites.
Azure AD Identity Protection
Azure Active Directory Identity Protection imports data from Azure AD Identity Protection and is available for Azure AD Premium P2 subscriptions.
Prerequisites
- Global Administrator or Security Administrator on the workspace's tenant
- Azure AD Premium P2
Free data type
The SecurityAlert (IPC) data type is part of the free offering.
New integration
Since October 2022 there is an improvement in Microsoft 365 Defender: alerts from Azure AD Identity Protection are directly visible in Microsoft 365 Defender.
When the Microsoft 365 Defender connector is used, Azure AD Identity Protection alerts are therefore already synced into Sentinel through that connector. Enable the Azure AD Identity Protection connector without enabling any analytics rule for it; otherwise the same alert produces duplicate incidents.
The new integration can't be disabled and is part of the Microsoft 365 Defender portal.
More information: Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)
How to connect
Open the Azure Active Directory Identity Protection connector page in Sentinel and press Connect. Don't enable the connector's incident-creation analytics rule, because these alerts already arrive through the Microsoft 365 Defender connector.
Azure Activity
Azure Activity data connector for Microsoft Sentinel provides subscription-level events.
Prerequisites
- Owner role permission on the relevant subscription
- Owner role assigned for each policy assignment scope.
Free data type
The AzureActivity data type is part of the free offering.
The Azure Activity connector has changed and now uses the diagnostic settings back-end pipeline. Deployment is done with the Azure Policy assignment wizard: the policy applies a subscription-level log streaming configuration (a diagnostic setting pointing at the Sentinel workspace) to each subscription in scope.
How to connect
Open the Azure Activity connector page in Sentinel and press Launch Azure Policy Assignment wizard.
Important: subscriptions that were connected with the legacy method must be disconnected first on the connector page.
Set the scope to the management group or subscriptions whose activity logs should be streamed, and select the correct primary Sentinel workspace on the Parameters tab.
On the Remediation tab, create a remediation task; it checks the subscriptions in scope and makes the non-compliant ones compliant with the policy. Based on my test environment, it takes about 15 minutes before the remediation task is completed.
Validate data
AzureActivity
| take 100
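As an added check (not part of the original blog), the query below lists, per subscription, how much Azure Activity data arrived in the last day, which log categories it contains and when the last event was seen. A subscription in the policy scope that is missing from the output, or whose LastEvent predates the remediation task, has not been connected. It assumes only the standard AzureActivity columns SubscriptionId, OperationNameValue and CategoryValue:

```kql
// Added example: per-subscription coverage of the Azure Activity connector.
// One row per subscription seen in the last 24 hours; compare the list with the
// subscriptions in the policy assignment scope to find the ones still missing.
AzureActivity
| where TimeGenerated > ago(24h)
| summarize
    Events     = count(),
    Operations = dcount(OperationNameValue),
    // Categories streamed by the diagnostic setting, e.g. Administrative, Security, Policy
    Categories = make_set(CategoryValue),
    FirstEvent = min(TimeGenerated),
    LastEvent  = max(TimeGenerated)
  by SubscriptionId
| extend AgeOfLastEvent = now() - LastEvent
| order by LastEvent desc
```

A subscription with only a handful of events and a single category is not necessarily broken (quiet subscriptions simply generate little activity), but a subscription that was in scope and does not appear at all should be checked against the remediation task results.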
Office 365
Prerequisites
- Office 365 deployment configured on the same tenant as the Microsoft Sentinel workspace
- Global Administrator or Security Administrator on the workspace's tenant
Free data type
The OfficeActivity data type is part of the free offering for SharePoint, Exchange, and Teams.
How to connect
Open the Office 365 connector page in Sentinel, select the sources Exchange, SharePoint and Teams, and connect.
Validate data
OfficeActivity
| where OfficeWorkload == "SharePoint" or OfficeWorkload == "OneDrive"
| take 100
OfficeActivity
| where OfficeWorkload == "Exchange"
| take 100
OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| take 100
Microsoft Defender for Cloud
The Defender for Cloud connector streams alerts and incidents from Defender for Cloud into Microsoft Sentinel.
Prerequisites
- Read and write permissions on the Microsoft Sentinel workspace
- Security Reader role on the subscription
- At least one Defender for Cloud plan enabled in the subscription
- For enabling bi-directional sync: the Contributor or Security Admin role on the relevant subscription
More information: Prerequisites
Free data type
The SecurityAlert (Defender for Cloud) data type is part of the free offering.
Alert synchronization
When connecting Defender for Cloud to Microsoft Sentinel there is the option to enable alert synchronization: when an alert is closed in Defender for Cloud, the alert is closed in Microsoft Sentinel as well. Important: this changes only the status of the alert itself in Sentinel, not that of the incident.
Bi-directional alert synchronization additionally syncs the status in the other direction: when the incident is closed in Microsoft Sentinel, the alert is closed in Microsoft Defender for Cloud.
How to connect
Open the Defender for Cloud connector page in Sentinel and enable the toggle for each subscription. Important: be careful with the buttons Enable Microsoft Defender for all subscriptions and Enable All; the first turns on (paid) Defender for Cloud plans on every subscription, the second connects all subscriptions at once.
Set the status to Connected and configure bi-directional sync to sync the alert status automatically.
Validate data
SecurityAlert
| where ProductName == "Azure Security Center"
| take 100
More information: Connect to Microsoft Defender for Cloud
Microsoft Defender for IoT
Free data type
The SecurityAlert (Defender for IoT) data type is part of the free offering.
Prerequisites
- Contributor permissions to the subscription where the IoT hub is located
How to connect
Open the Defender for IoT connector page in Sentinel and enable the toggle for each subscription. Defender for IoT must be configured in the subscription.
Validate data
SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| take 100
Microsoft 365 Defender
Free data type
The SecurityAlert and SecurityIncident data types are part of the free offering. All additional raw events that can be streamed from Microsoft 365 Defender to Sentinel (the advanced hunting tables) are not. That raw data is already available in Advanced Hunting in the Microsoft 365 Defender portal; ingesting the same data into Microsoft Sentinel costs money.
The Microsoft 365 Defender connector creates incidents in Microsoft Sentinel and syncs their status bi-directionally back to the Microsoft 365 Defender products.
Validate data
SecurityIncident
| where ProviderName == "Microsoft 365 Defender"
| take 100
SecurityAlert
| where ProductName in("Microsoft Defender Advanced Threat Protection","Office 365 Advanced Threat Protection","Azure Advanced Threat Protection","Microsoft Cloud App Security","Microsoft 365 Defender")
| extend alertWasCustomized = bag_has_key(todynamic(ExtendedProperties), "OriginalProductName")
| where alertWasCustomized == false
| sort by TimeGenerated
Microsoft Defender for Endpoint
Ideally use the Microsoft 365 Defender connector for Defender for Endpoint alert creation.
Free data type
The SecurityAlert (MDATP) data type is part of the free offering.
Microsoft Defender for Identity
Ideally use the Microsoft 365 Defender connector for Defender for Identity alert creation.
Free data type
The SecurityAlert (AATP) data type is part of the free offering.
Microsoft Defender for Cloud Apps
Ideally use the Microsoft 365 Defender connector for Defender for Cloud Apps alert creation.
Free data type
The SecurityAlert (Defender for Cloud Apps) data type is part of the free offering. On the Defender for Cloud Apps connector page, watch the Cloud Discovery Logs checkbox: enabling it collects additional (shadow IT discovery) events that are not part of the free offering.
Microsoft Defender for Servers data allowance
Microsoft Defender for Servers Plan 2 includes a 500 MB/server/day allowance for log ingestion into Log Analytics. This allowance reduces the security analytics cost for those servers in Sentinel.
Not all tables are covered by the daily allowance from Defender for Servers P2. The following tables are supported:
- SecurityAlert
- SecurityBaseline
- SecurityBaselineSummary
- SecurityDetection
- SecurityEvent
- WindowsFirewall
- SysmonEvent
- ProtectionStatus
- Update (when the Update Management solution isn’t running)
- UpdateSummary (when the Update Management solution isn’t running)
Important: the raw tables streamed from Microsoft 365 Defender are not covered by the ingestion allowance when Defender for Servers P2 is enabled; only the tables above are.
More information: Basic and enhanced security features | Microsoft Defender for Cloud
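To get a feel for whether the eligible tables stay within the allowance, the query below (an added example, not from the original blog) sums the daily ingestion of the tables listed above and compares it with 500 MB times the number of servers that sent a heartbeat that day. Two assumptions: the Heartbeat table is used as the server count, which includes agents not covered by Defender for Servers P2, and the Usage table's IsBillable flag does not reflect this benefit (it is applied on the bill), so the result is an estimate rather than the invoice:

```kql
// Added example: estimated daily ingestion into the Defender for Servers P2
// allowance tables versus the allowance itself (500 MB x servers per day).
let allowanceTables = dynamic([
    "SecurityAlert", "SecurityBaseline", "SecurityBaselineSummary", "SecurityDetection",
    "SecurityEvent", "WindowsFirewall", "SysmonEvent", "ProtectionStatus",
    "Update", "UpdateSummary"]);
// Assumption: every machine with a heartbeat counts as a server; narrow this to
// the P2-covered machines if the environment mixes plans.
let serversPerDay = Heartbeat
    | where TimeGenerated > ago(7d)
    | summarize Servers = dcount(Computer) by Day = bin(TimeGenerated, 1d);
Usage
| where TimeGenerated > ago(7d)
| where QuantityUnit == "MBytes" and DataType in (allowanceTables)
| summarize IngestedMB = round(sum(Quantity), 1) by Day = bin(TimeGenerated, 1d)
| join kind=leftouter serversPerDay on Day
| extend Servers = coalesce(Servers, 0)
| extend AllowanceMB = Servers * 500
// Volume above the allowance is what would be billed at the normal rate.
| extend OverAllowanceMB = max_of(IngestedMB - AllowanceMB, 0.0)
| project Day, Servers, IngestedMB, AllowanceMB, OverAllowanceMB
| order by Day asc
```

The allowance is pooled across the covered servers, so a few chatty machines are fine as long as the daily total stays under AllowanceMB; a consistent OverAllowanceMB points at SecurityEvent or SysmonEvent collection settings that are worth tuning.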
Sources
Microsoft: Plan costs and understand Microsoft Sentinel pricing and billing
Microsoft: Data source schema reference