Final

yelevin · yelevin · commit 9c22d4e207f3 · 2025-03-31T16:45:00.000+03:00
diff --git a/articles/sentinel/basic-logs-use-cases.md b/articles/sentinel/basic-logs-use-cases.md
@@ -1,10 +1,10 @@
 ---
 title: When to use Auxiliary Logs in Microsoft Sentinel
-description: Learn what log sources might be appropriate for Auxiliary Log ingestion.
+description: Learn what log sources might be appropriate for Auxiliary Log or Basic Log ingestion and what are the attributes to look for to decide about other sources.
 author: cwatson-cat
 ms.author: cwatson
 ms.topic: conceptual
-ms.date: 07/21/2024
+ms.date: 03/31/2025
 appliesto:
     - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
@@ -16,7 +16,7 @@ ms.collection: usx-security
 ---
 # Log sources to use for Auxiliary Logs ingestion
 
-This article highlights log sources to consider configuring as Auxiliary Logs when they're stored in Log Analytics tables. Before choosing a log type for which to configure a given table, do the research to see which is most appropriate. For more information about data categories and log data plans, see [Log retention plans in Microsoft Sentinel](log-plans.md).
+This article highlights log sources to consider configuring as Auxiliary Logs (or Basic Logs) when they're stored in Log Analytics tables. Before choosing a log type for which to configure a given table, do the research to see which is most appropriate. For more information about data categories and log data plans, see [Log retention plans in Microsoft Sentinel](log-plans.md).
 
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
diff --git a/articles/sentinel/billing-reduce-costs.md b/articles/sentinel/billing-reduce-costs.md
@@ -53,7 +53,7 @@ When hunting or investigating threats in Microsoft Sentinel, you might need to a
 
 ## Select low-cost log types for high-volume, low-value data
 
-While standard analytics logs are most appropriate for continuous, real-time threat detection, the [auxiliary logs](log-plans.md) type is more suited for ad-hoc querying and search of [verbose, high-volume, low-value logs](basic-logs-use-cases.md) that aren't frequently needed or accessed on demand. Enable auxiliary log data ingestion at a significantly reduced cost for eligible data tables. For more information, see [Microsoft Sentinel Pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
+While standard analytics logs are most appropriate for continuous, real-time threat detection, two other log types&mdash;[basic logs and auxiliary logs](log-plans.md)&mdash;are more suited for ad-hoc querying and search of [verbose, high-volume, low-value logs](basic-logs-use-cases.md) that aren't frequently needed or accessed on demand. basic log data ingestion at a significantly reduced cost, or auxiliary log data ingestion at an even lower cost, for eligible data tables. For more information, see [Microsoft Sentinel Pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
 
 - [Log retention plans in Microsoft Sentinel](log-plans.md)
 - [Log sources to use for Auxiliary Logs ingestion](basic-logs-use-cases.md)
diff --git a/articles/sentinel/billing.md b/articles/sentinel/billing.md
@@ -47,7 +47,7 @@ Use the [Microsoft Sentinel pricing calculator](https://azure.microsoft.com/pric
 
 For example, enter the GB of daily data you expect to ingest in Microsoft Sentinel, and the region for your workspace. The calculator provides the aggregate monthly cost across these components:
 
-- Microsoft Sentinel: Analytics logs and auxiliary logs
+- Microsoft Sentinel: Analytics logs and auxiliary/basic logs
 - Azure Monitor: Retention
 - Azure Monitor: Data Restore
 - Azure Monitor: Search Queries and Search Jobs
@@ -60,7 +60,7 @@ Microsoft Sentinel runs on Azure infrastructure that accrues costs when you depl
 
 ### How you're charged for Microsoft Sentinel
 
-Pricing is based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high value security logs and support all data types offering full analytics, alerts and no query limits. Auxiliary logs tend to be verbose with low security value. It's important to note that billing is done per workspace on a daily basis for all log types and tiers.
+Pricing is based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high value security logs and support all data types offering full analytics, alerts and no query limits. Auxiliary logs and Basic logs tend to be verbose with low security value. It's important to note that billing is done per workspace on a daily basis for all log types and tiers.
 
 #### Analytics logs
 
@@ -90,6 +90,8 @@ This log type is best suited for use in playbook automation, ad-hoc querying, in
 - [Log retention plans in Microsoft Sentinel](log-plans.md)
 - [Log sources to use for Auxiliary Logs ingestion](basic-logs-use-cases.md)
 
+Basic logs are a similar option, but less cost-effective.
+
 To learn more about the difference between **interactive retention** and **long-term retention** (formerly known as archive), see [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-archive).
 
 ### Simplified pricing tiers
@@ -160,8 +162,10 @@ If you're billed at classic pay-as-you-go rate, this table shows how Microsoft S
 |--|--|--|
 | Pay-as-you-go | `Sentinel` | **Classic Pay-as-you-go Analysis** |
 | Pay-as-you-go | `Log Analytics` | **Pay-as-you-go Data Ingestion** |
-| Auxiliary logs data analysis | `Sentinel` | **???** |
-| Auxiliary logs data ingestion | `Azure Monitor` | **???** |
+| Basic logs data analysis| `Sentinel` | **Classic Basic Logs Analysis** |
+| Basic logs data ingestion| `Azure Monitor` | **Basic Logs Data Ingestion** |
+| Auxiliary logs data analysis | `Sentinel` | **Classic Auxiliary Logs Analysis** |
+| Auxiliary logs data ingestion | `Azure Monitor` | **Basic Auxiliary Data Ingestion** |
 
 
 # [Free data meters](#tab/free-data-meters/simplified)
diff --git a/articles/sentinel/log-plans.md b/articles/sentinel/log-plans.md
@@ -62,6 +62,8 @@ Some examples of secondary data log sources are cloud storage access logs, NetFl
 
 Logs containing secondary security data should be stored using the [**Auxiliary logs**](#auxiliary-logs-plan) plan described later in this article.
 
+(The existing **Basic logs** plan also serves this purpose, but it costs more and is not recommended for new instances.)
+
 ## Log management plans
 
 Microsoft Sentinel provides two different log storage plans, or types, to accommodate these categories of ingested data.
diff --git a/articles/sentinel/soc-optimization/soc-optimization-reference.md b/articles/sentinel/soc-optimization/soc-optimization-reference.md
@@ -43,7 +43,7 @@ The following table lists the available types of data value SOC optimization rec
 
 | Type of observation | Action |
 |---------|---------|
-| The table wasn’t used by analytics rules or detections in the last 30 days but was used by other sources, such as workbooks, log queries, hunting queries.     | Turn on analytics rule templates <br>OR<br>Move to [auxiliary logs](../billing.md#auxiliary-logs) if the table is eligible.   |
+| The table wasn't used by analytics rules or detections in the last 30 days but was used by other sources, such as workbooks, log queries, hunting queries.     | Turn on analytics rule templates <br>OR<br>Move the table to a [basic logs plan](../billing.md#auxiliary-logs) if the table is eligible.   |
 | The table wasn’t used at all in the last 30 days.     | Turn on analytics rule templates <br>OR<br> Stop data ingestion and remove the table or move the table to long term retention.       |
 | The table was only used by Azure Monitor.     | Turn on any relevant analytics rule templates for tables with security value <br>OR<br>Move to a non-security Log Analytics workspace.       |
 
