That is correct you enable those data connectors from the [Content Hub]in Microsoft Sentinel. Workbooks like "Workspace Usage" will show you that a Table is billable or not just to confirm during the trial period. https://video2.skills-academy.com/en-us/azure/sentinel/quickstart-onboard#install-a-solution-from-the-content-hub
Steps and procedure to setup Azure Sentinel with free data sources for KQL Query ?
![](https://techprofile.blob.core.windows.net/images/WsWYoGdWukeBW66msAr6qQ.png?8D8128)
EnterpriseArchitect
5,036
Reputation points
I need some help and assistance in configuring my current Azure Entra ID Premium P2 tenant to allow Azure Sentinel to ingest logs and query using KQL with no additional or monthly cost.
I can see the below article mentioning there is no data charged when ingesting these alerts and logs to Sentinel:
Microsoft Sentinel data connector | Free data type |
---|---|
Azure Activity Logs | AzureActivity |
Azure Activity Logs | AzureActivity |
Microsoft Entra ID Protection | SecurityAlert (IPC) |
Office 365 | OfficeActivity (SharePoint) |
OfficeActivity (Exchange) | |
OfficeActivity (Teams) | |
Microsoft Defender for Cloud | SecurityAlert (Defender for Cloud) |
Microsoft Defender for IoT | SecurityAlert (Defender for IoT) |
Microsoft Defender XDR | SecurityIncident |
SecurityAlert | |
Microsoft Defender for Endpoint | SecurityAlert (MDATP) |
Microsoft Defender for Identity | SecurityAlert (AATP) |
Microsoft Defender for Cloud Apps | SecurityAlert (Defender for Cloud Apps) |
However, I am not sure where to start to configure the Azure Sentinel part.
I assume this https://azure.microsoft.com/en-au/pricing/details/microsoft-sentinel/ pricing is only applicable when I am ingesting some data sources, other than the above.
Thank you in advance.