Free Microsoft Sentinel Benefits for Microsoft 365 E5

Published on Sep 23, 2022

As you deploy Microsoft’s cloud-native SIEM platform, Microsoft Sentinel, you want to employ best practices to support a cost-effective yet operationally effective implementation. A great way to optimize costs is to take advantage of some of the free Microsoft Sentinel benefits for Microsoft 365 E5.

Microsoft Sentinel Benefits for Microsoft 365 E5, A5, F5, and G5 Customers

As per earlier announcements from Microsoft, Microsoft 365 E5, A5, F5, and G5 and Microsoft 365 E5, A5, F5, and G5 Security customers are eligible for a data grant of up to 5 MB per user/day. This is a welcome offer, since it was previously available only as a limited promotion.

Besides letting customers ingest this data for free, the offer lets organizations evaluate the platform at a reduced cost and lowers their monthly data costs.

The offer covers the following data sources:

Azure Active Directory (Azure AD) Sign-In and Audit Logs

Without accruing any costs, you can use Microsoft Sentinel’s built-in connector to collect data from Azure Active Directory. The connector will allow you to stream the following log types into Microsoft Sentinel.

Sign-in Logs

These logs contain information on interactive user sign-ins where the user provides an authentication factor. Additional Azure AD connectors that you can connect to Microsoft Sentinel, still in preview, include non-interactive user sign-in logs, managed identity sign-in logs, and service principal sign-in logs.

Audit Logs

You can also connect audit logs, which contain information about system activity relating to user and group management, directory activities, and managed applications.

Provisioning Logs 

An additional category of sign-in logs still in preview is provisioning logs. These contain system activity information for users, groups, and roles provided by the Azure AD provisioning service.

Note that an Azure Active Directory P1 or P2 license is required for you to ingest these sign-in logs.

Microsoft Defender for Cloud Apps Shadow IT Discovery Logs

Also included as a benefit of Microsoft Sentinel is the ability to configure the Microsoft Defender for Cloud Apps connector's “Alerts” and “Discovery” logs. This should enable your IT security staff to easily identify unsanctioned applications and users who have been using or trying to access prohibited applications within your ecosystem. The idea is to provide a baseline for further investigation and analysis. Note that you can create custom alerts once the connector is configured in Microsoft Sentinel.

Microsoft Information Protection Logs

Microsoft Information Protection, now referred to as Microsoft Purview Information Protection, enables organizations to protect sensitive documents and emails. It does this by applying sensitivity labels to each, so that compliance administrators can restrict user access.

For busy users, MIP tends to generate mountains of audit events, which administrators are expected to review for anomalies. Fortunately, you can combine Information Protection with Microsoft Sentinel. The benefits include data visualization using Microsoft Sentinel’s Workbooks and execution of automatic responses with Microsoft Sentinel Playbooks. Further, the administrator receives prompt notifications when certain events happen.

Typically, you will need a paid Azure subscription to gain access to this benefit. This means you will be billed per MB ingested.

Microsoft 365 Advanced Hunting Data

An additional benefit is the Microsoft 365 Defender connector, which lets you stream advanced hunting events into Microsoft Sentinel. You can collect the advanced hunting events from all Microsoft 365 Defender components and stream them directly into purpose-built tables within the Microsoft Sentinel workspace.

Administrators can also copy existing Microsoft Defender advanced hunting queries right into Microsoft Sentinel. By having access to the raw event logs, it is possible to not only pick up alerts and investigate but also correlate these to other data sources already within the workspace.

Microsoft Sentinel Free Data Sources  

As highlighted, the Microsoft 365 data sources named above require a paid Azure license. On the other hand, the following data sources are always free for all Microsoft Sentinel users as an ongoing Microsoft Sentinel benefit.

Azure Activity Logs 

The Azure Activity log is a platform log that provides insight into subscription-level events. It tells administrators, for example, which resources have been changed or the specific moment a virtual machine was booted up. All this information is available in the Azure portal. For additional functionality, you can have the activity log sent to Microsoft Sentinel. This means that your security personnel are better able to explore potentially suspicious operations within your Azure environment, all for free. The team can also proactively hunt for suspicious operations without you incurring any additional costs.

Office 365 Audit Logs 

Office 365 audit logs are instrumental in that they collect large quantities of data from all the different workloads. These audit logs come in especially handy when investigating all tenant activities. You can take advantage of the built-in and custom connectors available on Microsoft Sentinel. Then, onboard all of your Office 365 audit logs and related workloads.

The benefit herein is that you get extensive reporting capabilities that help with analyzing all the connected data. Besides, you can still customize and change the different built-in workbooks for custom reporting.

Alerts 

An additional free data source in Microsoft Sentinel is alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Cloud Apps.

You can use the built-in rules within Microsoft Sentinel to automatically create incident reports in real time, all for free. Further, you can edit the rules to filter the security alerts picked up by the different Microsoft security platforms. For instance, you can filter the alerts to create incidents by alert severity.

Additional information on Microsoft free data sources can be found on the plan costs for Microsoft Sentinel web page.

Learn More About Free Microsoft Sentinel Benefits for Microsoft 365 E5

Are you looking to reduce costs and risk by implementing Microsoft Sentinel or replacing your existing SIEM/SOAR platforms? Agile IT can help you understand pricing, implementation, and automation. Be sure to contact us.
