After the initial onboarding of Microsoft Sentinel, data connectors are used to ingest data. Microsoft has invested in pre-built connectors that add data and events to Microsoft Sentinel in the correct schema.

Blog information:

Blog published: November 3, 2022
Blog latest updated: November 3, 2022

Connectors are available for a large set of Microsoft products. With CEF and the REST APIs there are many additional options for ingesting custom data into Sentinel.

This blog answers the question “which data is free in Sentinel?”. There is currently some confusion around the free connectors: several of the free connectors also offer data types that are not part of the free offering.

Trial pricing

Microsoft Sentinel is ‘free’ for the first 31 days: it can be enabled at no extra cost for the first 31 days, up to 10 GB/day of ingestion.

More information can be found here: Microsoft Sentinel Free trial

Free data sources

Some of the Microsoft data connectors are free and can be connected without additional cost. Raw logs are only free for Azure Activity and the Office 365 audit logs. For all other free sources only the alerts and incidents are free.

The following connectors are free to use:

  • Azure AD Identity Protection
  • Azure Activity Logs
  • Office 365
  • Microsoft Defender for Cloud
  • Microsoft Defender for IoT
  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps

IMPORTANT: Alerts, and for some connectors the activity events, are free. Additional logs offered by the same data connectors are not free. The Microsoft 365 Defender and Defender for Cloud connectors in particular have multiple options and checkboxes. More on this later in this blog.
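As an added check (example query, not part of the original post), the workspace's own Usage table shows which tables are actually billed. Column names used here (DataType, IsBillable, Quantity in MB, StartTime) are the standard Usage schema; the tables listed as free above should show up with IsBillable == false, while raw telemetry such as DeviceEvents (Microsoft 365 Defender) or McasShadowItReporting (Cloud Discovery) shows up as billable. The two queries are run separately.

```kql
// Added example (not from the original post): classify ingestion per table over the
// 31-day trial window, using the system-maintained Usage table (Quantity is in MB).
Usage
| where TimeGenerated > ago(31d)
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType, IsBillable
| extend FreeOfCharge = iff(IsBillable, "no", "yes")
| project DataType, FreeOfCharge, IngestedGB
| order by IngestedGB desc

// Daily billable volume against the 10 GB/day trial allowance from the Trial pricing section.
// Free tables (IsBillable == false) do not count towards it.
Usage
| where TimeGenerated > ago(31d) and IsBillable == true
| summarize BillableGB = round(sum(Quantity) / 1024, 2) by Day = bin(StartTime, 1d)
| extend OverTrialAllowance = BillableGB > 10
| order by Day asc
```

Run the first query after enabling each connector: if a checkbox you ticked creates a new DataType with FreeOfCharge == "no", that option is not part of the free offering.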

Multiple connectors for the same product, conflicts?

The Microsoft 365 Defender connector covers multiple products that take part in incident and alert creation:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender Alert Evidence
  • Microsoft Defender Vulnerability Management

When using the Microsoft 365 Defender connector there is overlap with the standalone Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps connectors.

Each product also has its own standalone connector. The Microsoft 365 Defender connector is tied to the tenant’s Microsoft 365 Defender instance and brings in the incidents from all of these sources. A further advantage of the Microsoft 365 Defender connector is that it can additionally stream raw telemetry (the advanced hunting tables); that extra telemetry is not free.

Bi-directional connector

The Microsoft 365 Defender connector is bi-directional: when an alert/incident is closed in Sentinel it is closed in the Microsoft security products as well, and vice versa. The connector streams at the incident level. The standalone connectors are not bi-directional and only sync alerts.

Recommendation: Use the Microsoft 365 Defender connector for incident and alert creation. Additional raw telemetry can always be enabled later, with the extra cost in mind.

Connect data sources in Microsoft Sentinel

Connecting data connectors in Microsoft Sentinel is easy and takes a few clicks in the Microsoft Sentinel portal. To enable a data connector:

  • Open Microsoft Sentinel and select Data connectors
  • Select the connector you want to connect, and then select Open connector page
  • Complete the prerequisites and follow the instructions for the specific connector
  • After connecting, the content available for that data type (sample queries, workbooks, and analytics rule templates) is listed in the connector wizard and on the Next steps tab of the connector page

The sections below explain, for each ‘free’ connector, the prerequisites, the free data type, and how to connect.


Azure AD Identity Protection

The Azure Active Directory Identity Protection connector imports alerts from Azure AD Identity Protection and requires an Azure AD Premium P2 subscription.

Prerequisites

  • ‘Global Administrator’ or ‘Security Administrator’ on the workspace’s tenant
  • Azure AD Premium P2

Free data type

The SecurityAlert (IPC) data type is part of the free offering.

New integration

Since October 2022 there is a new improvement in Microsoft 365 Defender; where alerts from Azure AD Identity Protection are directly visible in Microsoft 365 Defender.

When using the Microsoft 365 Defender connector, Azure AD Identity Protection alerts are synced into Sentinel through that connector. Enable the Azure AD Identity Protection connector, but do not enable the analytics rule for it; otherwise the same alerts create duplicate incidents.

The new integration can’t be disabled and is part of the Microsoft 365 Defender portal.

More information: Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)

How to connect

Open the Azure Active Directory Identity Protection connector page in Sentinel and press Connect. Don’t enable alert synchronization, since these alerts already arrive through the Microsoft 365 Defender connector.


Azure Activity

Azure Activity data connector for Microsoft Sentinel provides subscription-level events.

Prerequisites

  • Owner role permission on the relevant subscription
  • Owner role assigned for each policy assignment scope.

Free data type

The AzureActivity data type is part of the free offering.

The Azure Activity connector has changed and now uses the diagnostic settings back-end pipeline. Deployment is done with the Azure Policy Assignment wizard: the policy applies a log streaming configuration (a diagnostic setting) to every subscription in scope.

How to connect

Open the Azure Activity connector page in Sentinel and press Launch Azure Policy Assignment wizard.

Important: Subscriptions that were connected with the legacy method must be disconnected first; otherwise they keep their old configuration.

Under Scope select the subscriptions (or management group) whose activity logs you want to collect, and under the Parameters tab select the correct primary Sentinel workspace.

Under the Remediation tab create a remediation task; it checks the subscriptions in scope and makes them compliant with the policy by creating the diagnostic setting. In my test environment the remediation task took about 15 minutes to complete.

Validate data

AzureActivity 
| take 100
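A stricter check than `take 100`, as an added example that is not part of the original post: confirm that every subscription covered by the policy assignment is actually streaming after the remediation task finished. The two subscription IDs are constructed placeholders; replace them with your own (AzureActivity stores SubscriptionId as a lower-case GUID, and the join is case-sensitive).

```kql
// Added example (not from the original post): per-subscription streaming check after remediation.
// The GUIDs below are constructed placeholders for the subscriptions in the policy scope.
let expected = datatable(SubscriptionId: string) [
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
];
// What actually arrived in the last day, per subscription.
let seen = AzureActivity
    | where TimeGenerated > ago(1d)
    | summarize Events = count(), LastSeen = max(TimeGenerated) by SubscriptionId;
// Left-outer join keeps subscriptions with no events so they show up as Streaming == false.
expected
| join kind=leftouter seen on SubscriptionId
| project SubscriptionId,
          Streaming = isnotnull(LastSeen),
          Events = coalesce(Events, long(0)),
          LastSeen
| order by Streaming asc
```

Subscriptions that show Streaming == false after the remediation completed either were not in the policy scope or still carry a legacy connection that needs to be removed first.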

Office 365

Prerequisites

  • Office 365 deployment configured on the same tenant as the Microsoft Sentinel workspace
  • ‘Global Administrator’ or ‘Security Administrator’ on the workspace’s tenant

Free data type

The OfficeActivity data type is part of the free offering for SharePoint, Exchange, and Teams.

How to connect

Open the Office 365 connector page in Sentinel, select the sources Exchange, SharePoint, and Teams, and press Apply Changes.

Validate data

OfficeActivity
| where OfficeWorkload == "SharePoint" or OfficeWorkload == "OneDrive"
| take 100

OfficeActivity
| where OfficeWorkload == "Exchange"
| take 100

OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| take 100

Microsoft Defender for Cloud

The Defender for Cloud connector streams alerts and incidents from Defender for Cloud into Microsoft Sentinel.

Prerequisites

  • Read and write permission on the Microsoft Sentinel workspace
  • Security Reader role on the subscription
  • At least one Defender for Cloud plan enabled in the subscription
  • For enabling bi-directional sync: the Contributor or Security Admin role on the relevant subscription

More information: Prerequisites

Free data type

The SecurityAlert (Defender for Cloud) data type is part of the free offering.

Alert synchronization

When connecting Defender for Cloud to Microsoft Sentinel there is an option to enable alert synchronization. When an alert is closed in Defender for Cloud, the alert is closed in Microsoft Sentinel as well. Important: only the status of the alert itself changes; the status of the Sentinel incident containing it does not.

Bi-directional alert synchronization syncs the status in both directions: when the incident is closed in Microsoft Sentinel, the underlying alert is closed in Microsoft Defender for Cloud as well.

How to connect

Open the Defender for Cloud connector page in Sentinel and enable the toggle for each subscription. Important: Be careful with the buttons “Enable Microsoft Defender for all subscriptions” and “Enable All”; they enable Defender for Cloud plans on the subscriptions, which is billed separately from Sentinel.

Set the Status to Connected and configure Bi-directional sync to sync alert status automatically.

Validate data

SecurityAlert 
| where ProductName == "Azure Security Center"
| take 100

More information: Connect to Microsoft Defender for Cloud


Microsoft Defender for IoT

Free data type

The SecurityAlert (Defender for IoT) data type is part of the free offering.

Prerequisites

  • Contributor permissions to the subscription where the IoT hub is located

How to connect

Open the Defender for IoT connector page in Sentinel and enable the toggle for each subscription. Defender for IoT must already be configured in that subscription.

Validate data

SecurityAlert
| where ProductName == "Azure Security Center for IoT"
| take 100

Microsoft 365 Defender

Free data type

The SecurityAlert and SecurityIncident data types are part of the free offering. All additional raw events that can be streamed from Microsoft 365 Defender to Sentinel are not part of the free data types. That raw data is already available in Advanced Hunting at no extra cost, but ingesting the same data into Microsoft Sentinel is billed.

The Microsoft 365 Defender connector creates incidents in Microsoft Sentinel and syncs the status bi-directionally back to the Microsoft 365 Defender products.

Validate data

SecurityIncident
| where ProviderName == "Microsoft 365 Defender"
| take 100


// Alerts from the Microsoft 365 Defender product family, using the product names as they appear in SecurityAlert
SecurityAlert 
| where ProductName in("Microsoft Defender Advanced Threat Protection","Office 365 Advanced Threat Protection","Azure Advanced Threat Protection","Microsoft Cloud App Security","Microsoft 365 Defender")
// Alerts whose ExtendedProperties carry OriginalProductName were customized; exclude them
| extend alertWasCustomized = bag_has_key(todynamic(ExtendedProperties), "OriginalProductName")
| where alertWasCustomized == false
| sort by TimeGenerated desc
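To see whether the status sync described above (alert-level for the Defender for Cloud connector, incident-level for the Microsoft 365 Defender connector) is actually working, here is an added example, not part of the original post, that reports the latest synced status per incident and per alert. It relies only on standard SecurityIncident and SecurityAlert columns (ProviderName, IncidentNumber, LastModifiedTime, Status, ModifiedBy, SystemAlertId, ProductName). The two queries are run separately.

```kql
// Added example (not from the original post): status sync check.
// 1) Incident level, Microsoft 365 Defender connector: each status change writes a new
//    SecurityIncident record, so arg_max on LastModifiedTime gives the current state
//    and ModifiedBy shows which side made the change.
SecurityIncident
| where ProviderName == "Microsoft 365 Defender"
| summarize arg_max(LastModifiedTime, Status, ModifiedBy, Title, ProviderIncidentId) by IncidentNumber
| summarize Incidents = count() by Status, ModifiedBy
| order by Incidents desc

// 2) Alert level, Defender for Cloud connector: an alert closed in Defender for Cloud arrives
//    as an updated SecurityAlert record, so the latest record per SystemAlertId carries the synced status.
SecurityAlert
| where ProductName == "Azure Security Center"
| summarize arg_max(TimeGenerated, Status, AlertName, AlertSeverity) by SystemAlertId
| summarize Alerts = count() by Status
| order by Alerts desc
```

If alerts stay in status "New" after being closed in Defender for Cloud, alert synchronization is not enabled on the connector; if Microsoft 365 Defender incidents never show a non-Sentinel ModifiedBy value, the bi-directional connector is not the one creating them.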

Microsoft Defender for Endpoint

Preferably use the Microsoft 365 Defender connector to create Defender for Endpoint alerts and incidents; this standalone connector only syncs alerts and is not bi-directional.

Free data type

The SecurityAlert (MDATP, the former name of Defender for Endpoint) data type is part of the free offering.


Microsoft Defender for Identity

Preferably use the Microsoft 365 Defender connector to create Defender for Identity alerts and incidents; this standalone connector only syncs alerts and is not bi-directional.

Free data type

The SecurityAlert (AATP, the former name of Defender for Identity) data type is part of the free offering.


Microsoft Defender for Cloud Apps

Preferably use the Microsoft 365 Defender connector to create Defender for Cloud Apps alerts and incidents; this standalone connector only syncs alerts and is not bi-directional.

Free data type

The SecurityAlert (Defender for Cloud Apps) data type is part of the free offering. When using the Defender for Cloud Apps connector, pay attention to the Cloud Discovery Logs checkbox: enabling it sends additional Cloud Discovery events, and those are not part of the free offering.


Sources

Microsoft: Plan costs and understand Microsoft Sentinel pricing and billing

Microsoft: Data source schema reference