Merge pull request #296030 from yelevin/yelevin/aux-logs-ga

Auxiliary Logs to GA

Author: ttorble

articles/sentinel/basic-logs-use-cases.md

@@ -1,10 +1,10 @@
 ---
 title: When to use Auxiliary Logs in Microsoft Sentinel
-description: Learn what log sources might be appropriate for Auxiliary Log or Basic Log ingestion.
+description: Learn what log sources might be appropriate for Auxiliary Log or Basic Log ingestion and what are the attributes to look for to decide about other sources.
 author: cwatson-cat
 ms.author: cwatson
 ms.topic: conceptual
-ms.date: 07/21/2024
+ms.date: 03/31/2025
 appliesto:
     - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
@@ -18,11 +18,7 @@ ms.collection: usx-security
 
 This article highlights log sources to consider configuring as Auxiliary Logs (or Basic Logs) when they're stored in Log Analytics tables. Before choosing a log type for which to configure a given table, do the research to see which is most appropriate. For more information about data categories and log data plans, see [Log retention plans in Microsoft Sentinel](log-plans.md).
 
-> [!IMPORTANT]
->
-> The **Auxiliary Logs** log type is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
->
-> [!INCLUDE [unified-soc-preview](includes/unified-soc-preview-without-alert.md)]
+[!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
 ## Storage access logs for cloud providers
 
@@ -69,6 +65,6 @@ A new and growing source of log data is Internet of Things (IoT)-connected devic
 ## Next steps
 
 - [Select a table plan based on data usage in a Log Analytics workspace](/azure/azure-monitor/logs/logs-table-plans)
-- [Set up a table with the Auxiliary plan in your Log Analytics workspace (Preview)](/azure/azure-monitor/logs/create-custom-table-auxiliary)
+- [Set up a table with the Auxiliary plan in your Log Analytics workspace](/azure/azure-monitor/logs/create-custom-table-auxiliary)
 - [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-configure)
 - [Start an investigation by searching for events in large datasets (preview)](investigate-large-datasets.md)

articles/sentinel/billing-reduce-costs.md

@@ -25,13 +25,13 @@ Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azu
 ## Set or change pricing tier
 To optimize for highest savings, monitor your ingestion volume to ensure you have the Commitment Tier that aligns most closely with your ingestion volume patterns. Consider increasing or decreasing your Commitment Tier to align with changing data volumes.
 
-You can increase your Commitment Tier anytime, which restarts the 31-day commitment period. However, to move back to Pay-As-You-Go or to a lower Commitment Tier, you must wait until after the 31-day commitment period finishes. Billing for Commitment Tiers is on a daily basis.
+You can increase your Commitment Tier anytime, which restarts the 31-day commitment period. However, to move back to pay-as-you-go or to a lower Commitment Tier, you must wait until after the 31-day commitment period finishes. Billing for Commitment Tiers is on a daily basis.
 
 To see your current Microsoft Sentinel pricing tier, select **Settings** in the Microsoft Sentinel left navigation, and then select the **Pricing** tab. Your current pricing tier is marked **Current tier**.
 
 To change your pricing tier commitment, select one of the other tiers on the pricing page, and then select **Apply**. You must have **Contributor** or **Owner** for the Microsoft Sentinel workspace to change the pricing tier.
 
-:::image type="content" source="media/billing-reduce-costs/simplified-pricing-tier.png" alt-text="Screenshot of pricing page in Microsoft Sentinel settings, with Pay-As-You-Go selected as current pricing tier." lightbox="media/billing-reduce-costs/simplified-pricing-tier.png":::
+:::image type="content" source="media/billing-reduce-costs/simplified-pricing-tier.png" alt-text="Screenshot of pricing page in Microsoft Sentinel settings, with pay-as-you-go selected as current pricing tier." lightbox="media/billing-reduce-costs/simplified-pricing-tier.png":::
 
 To learn more about how to monitor your costs, see [Manage and monitor costs for Microsoft Sentinel](billing-monitor-costs.md).
 
@@ -53,7 +53,7 @@ When hunting or investigating threats in Microsoft Sentinel, you might need to a
 
 ## Select low-cost log types for high-volume, low-value data
 
-While standard analytics logs are most appropriate for continuous, real-time threat detection, two other log types—[basic logs and auxiliary logs](/azure/azure-monitor/logs/basic-logs-configure)—are more suited for ad-hoc querying and search of verbose, high-volume, low-value logs that aren't frequently needed or accessed on demand. Enable basic log data ingestion at a significantly reduced cost, or auxiliary log data ingestion (now in Preview) at an even lower cost, for eligible data tables. For more information, see [Microsoft Sentinel Pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
+While standard analytics logs are most appropriate for continuous, real-time threat detection, two other log types—[basic logs and auxiliary logs](log-plans.md)—are more suited for ad-hoc querying and search of [verbose, high-volume, low-value logs](basic-logs-use-cases.md) that aren't frequently needed or accessed on demand. basic log data ingestion at a significantly reduced cost, or auxiliary log data ingestion at an even lower cost, for eligible data tables. For more information, see [Microsoft Sentinel Pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
 
 - [Log retention plans in Microsoft Sentinel](log-plans.md)
 - [Log sources to use for Auxiliary Logs ingestion](basic-logs-use-cases.md)
@@ -88,7 +88,7 @@ Microsoft Sentinel security data might lose some of its value after a few months
 
 To help you reduce Microsoft Sentinel data retention costs, Azure Monitor now offers long-term retention. Data that ages out of its interactive retention state can still be retained for up to twelve years, at a much-reduced cost, and with limitations on its usage. For more information, see [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-configure).
 
-You can reduce costs even further by enrolling tables that contain secondary security data in the **Auxiliary logs** plan (now in Preview). This plan allows you to store high-volume, low-value logs at a low price, with a lower-cost 30-day interactive retention period at the beginning to allow for summarization and basic querying. To learn more about the Auxiliary logs plan and other plans, see [Log retention plans in Microsoft Sentinel](log-plans.md). While the auxiliary logs plan remains in Preview, you also have the option of enrolling these tables in the **Basic logs** plan. Basic logs offers similar functionality to auxiliary logs, but with less of a cost savings.
+You can reduce costs even further by enrolling tables that contain secondary security data in the **Auxiliary logs** plan. This plan allows you to store high-volume, low-value logs at a low price, with a lower-cost 30-day interactive retention period at the beginning to allow for summarization and basic querying. To learn more about the Auxiliary logs plan and other plans, see [Log retention plans in Microsoft Sentinel](log-plans.md).
 
 ## Use data collection rules for your Windows Security Events
 

articles/sentinel/billing.md

@@ -60,7 +60,7 @@ Microsoft Sentinel runs on Azure infrastructure that accrues costs when you depl
 
 ### How you're charged for Microsoft Sentinel
 
-Pricing is based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high value security logs and support all data types offering full analytics, alerts and no query limits. Basic logs tend to be verbose with low security value. It's important to note that billing is done per workspace on a daily basis for all log types and tiers.
+Pricing is based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high value security logs and support all data types offering full analytics, alerts and no query limits. Auxiliary logs and Basic logs tend to be verbose with low security value. It's important to note that billing is done per workspace on a daily basis for all log types and tiers.
 
 #### Analytics logs
 
@@ -76,23 +76,23 @@ There are two ways to pay for the analytics logs: **Pay-As-You-Go** and **Commit
 
     To set and change your Commitment tier, see [Set or change pricing tier](billing-reduce-costs.md#set-or-change-pricing-tier). Switch any workspaces older than July 2023 to the simplified pricing tiers experience to unify billing meters. Or, continue to use the classic pricing tiers that separate out the Log Analytics pricing from the classic Microsoft Sentinel classic pricing. For more information, see [simplified pricing tiers](#simplified-pricing-tiers).
 
-#### Auxiliary logs and Basic logs
+<a name=auxiliary-logs-and-basic-logs></a>
 
-Basic logs are a low-cost option, and Auxiliary logs a super-low-cost option, for ingesting high-volume, low-value data sources. They are charged at a flat, low rate per GB. They have the following limitations, among others:
+#### Auxiliary logs
+
+Auxiliary logs are a super-low-cost option for ingesting high-volume, low-value data sources. They are charged at a flat, low rate per GB. They have the following limitations, among others:
 
 - Reduced querying capabilities
 - 30-day interactive retention
 - No support for scheduled alerts
 
-These two log types are best suited for use in playbook automation, ad-hoc querying, investigations, and search. For more information, see:
+This log type is best suited for use in playbook automation, ad-hoc querying, investigations, and search. For more information, see:
 - [Log retention plans in Microsoft Sentinel](log-plans.md)
 - [Log sources to use for Auxiliary Logs ingestion](basic-logs-use-cases.md)
 
-To learn more about the difference between **interactive retention** and **long-term retention** (formerly known as archive), see [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-archive).
+Basic logs are a similar option, but less cost-effective.
 
-> [!IMPORTANT]
->
-> The **Auxiliary Logs** log type is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+To learn more about the difference between **interactive retention** and **long-term retention** (formerly known as archive), see [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-archive).
 
 ### Simplified pricing tiers
 
@@ -131,7 +131,7 @@ If you're billed at the simplified Commitment tier rate, this table shows how Mi
 | Cost description | Service name | Meter |
 |--|--|--|
 | Microsoft Sentinel Commitment tier | `Sentinel` | **`n` GB Commitment Tier** |
-| Microsoft Sentinel Commitment tier overage | `Sentinel` |**Analysis**|
+| Microsoft Sentinel Commitment tier overage | `Sentinel` | **Analysis** |
 
 # [Commitment tiers](#tab/commitment-tiers/classic)
 
@@ -141,18 +141,18 @@ If you're billed at the classic Commitment tier rate, this table shows how Micro
 |--|--|--|
 | Microsoft Sentinel Commitment tier | `Sentinel` | **Classic `n` GB commitment tier** |
 | Log Analytics Commitment tier | `Azure Monitor` | **`n` GB commitment tier** |
-| Microsoft Sentinel Commitment tier overage | `Sentinel` |**Classic Analysis**|
-| Log Analytics over the Commitment tier| `Log Analytics` |**Data Ingestion**|
+| Microsoft Sentinel Commitment tier overage | `Sentinel` | **Classic Analysis** |
+| Log Analytics over the Commitment tier | `Log Analytics` | **Data Ingestion** |
 
 # [Pay-as-you-go](#tab/pay-as-you-go/simplified)
 
 If you're billed at the simplified pay-as-you-go rate, this table shows how Microsoft Sentinel costs appear in the **Service name** and **Meter** columns of your Azure bill.
 
 | Cost description | Service name | Meter |
 |--|--|--|
-| pay-as-you-go| `Sentinel` |**Pay-as-You-Go Analysis**|
+| Pay-as-you-go | `Sentinel` | **Pay-as-you-go Analysis** |
 | Basic logs data analysis| `Sentinel` |**Basic Logs Analysis**|
-| Auxiliary logs data analysis| `Sentinel` |**???**|
+| Auxiliary logs data analysis | `Sentinel` | **Auxiliary Logs Analysis** |
 
 
 # [Pay-as-you-go](#tab/pay-as-you-go/classic)
@@ -161,12 +161,12 @@ If you're billed at classic pay-as-you-go rate, this table shows how Microsoft S
 
 | Cost description | Service name | Meter |
 |--|--|--|
-| pay-as-you-go| `Sentinel` |**Classic Pay-as-You-Go Analysis**|
-| pay-as-you-go| `Log Analytics` |**Pay-as-You-Go Data Ingestion**|
-| Basic logs data analysis| `Sentinel` |**Classic Basic Logs Analysis**|
-| Basic logs data ingestion| `Azure Monitor` |**Basic Logs Data Ingestion**|
-| Auxiliary logs data analysis| `Sentinel` |**???**|
-| Auxiliary logs data ingestion| `Azure Monitor` |**???**|
+| Pay-as-you-go | `Sentinel` | **Classic Pay-as-you-go Analysis** |
+| Pay-as-you-go | `Log Analytics` | **Pay-as-you-go Data Ingestion** |
+| Basic logs data analysis| `Sentinel` | **Classic Basic Logs Analysis** |
+| Basic logs data ingestion| `Azure Monitor` | **Basic Logs Data Ingestion** |
+| Auxiliary logs data analysis | `Sentinel` | **Classic Auxiliary Logs Analysis** |
+| Auxiliary logs data ingestion | `Azure Monitor` | **Basic Auxiliary Data Ingestion** |
 
 
 # [Free data meters](#tab/free-data-meters/simplified)
@@ -175,8 +175,8 @@ This table shows how Microsoft Sentinel and Log Analytics no charge costs appear
 
 | Cost description | Service name | Meter |
 |--|--|--|
-| Microsoft Sentinel Free Trial – Sentinel Analysis| `Sentinel` |**Free trial Analysis**|
-| Microsoft Defender XDR Benefit – Data Analysis| `Sentinel` |**Free Benefit - M365 Defender Analysis**|
+| Microsoft Sentinel Free Trial – Sentinel Analysis | `Sentinel` | **Free trial Analysis** |
+| Microsoft Defender XDR Benefit – Data Analysis | `Sentinel` | **Free Benefit - M365 Defender Analysis** |
 
 
 # [Free data meters](#tab/free-data-meters/classic)
@@ -185,10 +185,10 @@ This table shows how Microsoft Sentinel and Log Analytics no charge costs appear
 
 | Cost description | Service name | Meter |
 |--|--|--|
-| Microsoft Sentinel Free Trial – Log Analytics data ingestion| `Azure Monitor` |**Free Benefit - Az Sentinel Trial Data Ingestion**|
-| Microsoft Sentinel Free Trial – Sentinel Analysis| `Sentinel` |**Free trial Analysis**|
-| Microsoft Defender XDR Benefit – Data Ingestion| `Azure Monitor` |**Free Benefit - M365 Defender Data Ingestion**|
-| Microsoft Defender XDR Benefit – Data Analysis| `Sentinel` |**Free Benefit - M365 Defender Analysis**|
+| Microsoft Sentinel Free Trial – Log Analytics data ingestion | `Azure Monitor` | **Free Benefit - Az Sentinel Trial Data Ingestion** |
+| Microsoft Sentinel Free Trial – Sentinel Analysis | `Sentinel` | **Free trial Analysis** |
+| Microsoft Defender XDR Benefit – Data Ingestion | `Azure Monitor` | **Free Benefit - M365 Defender Data Ingestion** |
+| Microsoft Defender XDR Benefit – Data Analysis | `Sentinel` | **Free Benefit - M365 Defender Analysis** |
 
 ---
 

articles/sentinel/connect-azure-functions-template.md

@@ -20,7 +20,7 @@ This article describes how to configure Microsoft Sentinel for using Azure Funct
 > [!NOTE]
 > - Once ingested in to Microsoft Sentinel, data is stored in the geographic location of the workspace in which you're running Microsoft Sentinel.
 >
->     For long-term retention, you may also want to store data in log types such as *Auxiliary logs* or *Basic logs*. For more information, see [Log retention plans in Microsoft Sentinel](log-plans.md).
+>     For long-term retention, you may also want to store data in log types such as *Auxiliary logs*. For more information, see [Log retention plans in Microsoft Sentinel](log-plans.md).
 >
 > - Using Azure Functions to ingest data into Microsoft Sentinel may result in additional data ingestion costs. For more information, see the [Azure Functions pricing](https://azure.microsoft.com/pricing/details/functions/) page.