🌐
Microsoft
microsoft.com › en-us › security › business › siem-and-xdr › microsoft-sentinel
Microsoft Sentinel—AI-Ready Platform | Microsoft Security
Discover Microsoft Sentinel, an AI-ready cloud SIEM platform that unifies data, automates threat response, and gives insights with a cost-effective data lake.
🌐
Microsoft Learn
learn.microsoft.com › en-us › azure › sentinel › quickstart-onboard
Onboard to Microsoft Sentinel | Microsoft Learn
To onboard to Microsoft Sentinel by using the API, see the latest supported version of Sentinel Onboarding States. Active Azure Subscription. If you don't have one, create a free account before you begin.
🌐
Microsoft
aka.ms › microsoftazuresentinel
Microsoft Azure
We cannot provide a description for this page right now
🌐
MS.Codes
ms.codes › blogs › microsoft-office › how-to-access-microsoft-sentinel
How To Access Microsoft Sentinel
March 1, 2024 - Accessing Microsoft Sentinel itself is free, but there are costs associated with the underlying Azure services that support Sentinel.
🌐
Microsoft Azure
azure.microsoft.com › en-ca › products › microsoft-sentinel
Microsoft Sentinel - Cloud-native SIEM Solution | Microsoft Azure
It provides a fully integrated experience in the Azure portal to augment your existing services, such as Azure Security Center and Azure Machine Learning. Create your Azure free account to get started.
🌐
Microsoft Learn
learn.microsoft.com › en-us › azure › sentinel › microsoft-sentinel-defender-portal
Microsoft Sentinel in the Microsoft Defender portal | Microsoft Learn
Microsoft Sentinel is generally available in the Microsoft Defender portal, either with Microsoft Defender XDR, or on its own, delivering a unified experience across SIEM and XDR for faster and more accurate threat detection and response, simplified workflows, and enhanced operational efficiency.
🌐
Microsoft Community Hub
techcommunity.microsoft.com › microsoft community hub › communities › products › microsoft security › microsoft sentinel › microsoft sentinel
Azure Sentinel User Access Page | Microsoft Community Hub
Rather than having users navigate to portal.azure.com, sign in, and then browse for the Sentinel resource, I would like to provide them with a URL that has the user sign in and then reaches Sentinel directly.
🌐
Microsoft Learn
learn.microsoft.com › en-us › azure › sentinel
Microsoft Sentinel documentation | Microsoft Learn
Microsoft Sentinel provides attack detection, threat visibility, proactive hunting, and threat response to help you stop threats before they cause harm.
🌐
Azurealan
azurealan.ie › 2023 › 03 › 15 › getting-started-with-microsoft-sentinel
Getting started with Microsoft Sentinel
March 14, 2023 - As mentioned there are literally hundreds of pre-built Microsoft Sentinel solutions available for deployment nowadays. The process of setting these up is the same as what I have covered in this post. I do recommend to make use of the various Microsoft solutions if your organisation is using these services. Remember, many of these will have free log ingestion costs especially if you are using Microsoft 365 E5 licenses.
🌐
Microsoft Learn
learn.microsoft.com › en-us › azure › sentinel › billing
Plan costs and understand pricing and billing - Microsoft Sentinel | Microsoft Learn
This free trial is subject to a 20 workspace limit per Azure tenant. See the Microsoft Sentinel pricing page for information on how usage beyond these limits is charged.
🌐
TechTarget
techtarget.com › searchwindowsserver › tip › How-to-use-Microsoft-Sentinel-with-Office-365-to-find-risks
How to use Microsoft Sentinel with Office 365 to find risks | TechTarget
As you can see, Microsoft Sentinel provides excellent tooling to help you not only ingest log files from multiple sources but also run queries, get notifications, and take action against security threats and events. It is highly recommended to take advantage of the free Microsoft Sentinel trial ...
🌐
Microsoft Learn
learn.microsoft.com › en-us › unified-secops › microsoft-sentinel-onboard
Connect Microsoft Sentinel to the Microsoft Defender portal - Unified security operations | Microsoft Learn
If you're working with multiple tenants, note that granular delegated admin privileges (GDAP) with Azure Lighthouse isn't supported for Microsoft Sentinel data in the Defender portal. Instead, use Microsoft Entra B2B authentication.
🌐
BlueVoyant
bluevoyant.com › home › what is azure sentinel (renamed to microsoft sentinel)?
What Is Azure Sentinel (Renamed to Microsoft Sentinel)?
June 13, 2023 - Free data sources—certain Microsoft 365 data sources are always free for Microsoft Sentinel users.
🌐
Microsoft Learn
learn.microsoft.com › en-us › azure › sentinel › overview
What is Microsoft Sentinel SIEM? | Microsoft Learn
Starting July, 2025, such new customers who also have the permissions of a subscription Owner or a User access administrator, and are not Azure Lighthouse-delegated users, have their workspaces automatically onboarded to the Defender portal together with onboarding to Microsoft Sentinel.
🌐
Microsoft Learn
learn.microsoft.com › en-us › azure › sentinel › connect-azure-active-directory
Send Microsoft Entra ID data to Microsoft Sentinel | Microsoft Learn
A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types.
🌐
Microsoft Azure
azure.microsoft.com › en-us › pricing › details › microsoft-sentinel
Microsoft Sentinel Pricing | Microsoft Security
Get up to 5 MB of free Microsoft Sentinel data ingestion daily per user for key security logs.
🌐
Tresorit
support.tresorit.com › hc › en-us › articles › 7743328659090-How-to-integrate-to-Microsoft-Sentinel
How to integrate to Microsoft Sentinel – Tresorit Knowledge Base
You will need to sign in to your Microsoft account to be able to provide the Workspace ID of your Sentinel and a shared key to create the integration. 1. Login with subscription owner to your Tresorit account and visit the Settings tab of the Admin Center.
🌐
Reddit
reddit.com › r/azuresentinel › running sentinel effectively for free
r/AzureSentinel on Reddit: Running Sentinel effectively for free
May 3, 2025 -

Hey guys apologies if this has been asked before. Is it theoretically possible to run Sentinel pretty much for free? If we were to only ingest the free log sources and alerts from other Defender products and stay within the default (free) retention period would there be any other costs that would catch us out?

Effectively would just be using Sentinel as a centralised M365 / Entra / etc audit log and location for all the different Defender alerts.

Is my understanding regarding Defender XDR correct in that we could ingest the alerts/incidents from the platform and then click through to the incident and look at the Defender logs in advanced hunting without needing to ingest these into Sentinel directly?

Are the free log sources still free if we had multiple O365 tenancies?

If the above works I could see this potentially being a good idea for an MSSP that manages smaller-medium businesses that are primarily Office 365/Azure based who use Business Prem / E3+EMS licenses in order to monitor alerts across multiple clients in a single place. I'm aware Lighthouse exists where we can view alerts across tenancies, but there is definitely value-add from Sentinel being able to run analytics rules against the audit logs etc. Unless there is anything I have not considered?

Top answer
1 of 4
6
Entra logs are not free. Otherwise you are correct in principle. Does not matter how many tenants you have. But every tenant needs to have its own data, you can't consolidate the free data sources into a single Sentinel instance from multiple tenants. However you can create a separate management tenant to have a single view into all Sentinel instances with Lighthouse. https://learn.microsoft.com/en-us/azure/sentinel/billing
2 of 4
5
Things to watch out for...

- Notebooks are not free if you run them in an Azure Machine Learning Studio Workspace. However, if you run your notebooks with Jupyterlab on prem (vm, bare metal, docker, etc), or on your laptop, or some other locally hosted way, you can use them with Sentinel at no cost.
- Watch lists are not free. They count as data ingestion. Pretty cheap, but still good to know.
- Threat intel ingestion is not free. Again, cheap, but good to know.
- Playbooks (AKA logic apps) are not free, even when running them with automation rules.
- The search tab in Sentinel costs money. Don't use it unless you are utilizing the other log tiers (basic and archive).
- UEBA is not free. Since it puts its data into a table it counts as ingestion cost.
- If you retain the free data sources past 90 days you incur cost.
- Querying basic logs costs money.

What is free?

- Data Sources that are 100% free to ingest and retain up to 90 days:
  A. Azure Activity Logs
  B. Office 365 Audit logs for (Exchange, SharePoint, Teams)
  C. The alerts and incidents from Defender XDR
- Analytic rules
- Workbooks
- Automation rules (except if using them to run logic apps, which do have a cost).
- Hunting Queries / Livestream
- Incidents and Alerts
- MITRE Attack page
- Sentinel Audit and Health (turn on in the settings. Recommended)
- Querying Analytic logs via the "Logs" tab
- Integrating Sentinel into the security.microsoft.com portal. Which allows you to query Sentinel and defender logs in the same portal.
- If you have A5 for Faculty, E5, G5, or F5 licenses you get 5mb per license per day of data ingestion for free (for specific data sources! Such as entra sign-in and audit logs, defender xdr advanced hunting logs)
- If you have defender for servers p2 you get 500mb per computer per day of ingestion for free (For specific data sources!)

If you have any questions just let me know. I work exclusively with Sentinel all day every day, so more than happy to answer any questions.
🌐
Azure Docs
docs.azure.cn › en-us › sentinel › billing
Plan costs and understand pricing and billing - Microsoft Sentinel | Azure Docs
Enable Microsoft Sentinel on an Azure Monitor Log Analytics workspace and the first 10 GB/day is free for 31 days. The cost for both Log Analytics data ingestion and Microsoft Sentinel analysis charges up to the 10 GB/day limit, are waived during ...