Merge pull request #280430 from austinmccollum/austinmc-sentinel-p3

create prepurchase plan article for Sentinel

Author: AnnaMHuff

articles/cost-management-billing/reservations/prepare-buy-reservation.md

@@ -93,6 +93,7 @@ You can purchase reservations from Azure portal, APIs, PowerShell, CLI. Read the
 - [Defender for Cloud - Pre-Purchase](/azure/defender-for-cloud/prepurchase-plan?toc=/azure/cost-management-billing/reservations/toc.json)
 - [Disk Storage](/azure/virtual-machines/disks-reserved-capacity)
 - [Microsoft Fabric](fabric-capacity.md)
+- [Microsoft Sentinel - Pre-Purchase](../../sentinel/billing-pre-purchase-plan.md?toc=/azure/cost-management-billing/reservations/toc.json)
 - [SAP HANA Large Instances](prepay-hana-large-instances-reserved-capacity.md)
 - [Software plans](/azure/virtual-machines/linux/prepay-suse-software-charges?toc=/azure/cost-management-billing/reservations/toc.json)
 - [SQL Database](/azure/azure-sql/database/reserved-capacity-overview?toc=/azure/cost-management-billing/reservations/toc.json)

articles/cost-management-billing/reservations/toc.yml

@@ -120,12 +120,14 @@
       href: /azure/data-explorer/pricing-reserved-capacity
     - name: Dedicated Host
       href: /azure/virtual-machines/prepay-dedicated-hosts-reserved-instances?toc=/azure/cost-management-billing/reservations/toc.json
-    - name: Defender for Cloud - Prepurchase
+    - name: Defender for Cloud - Pre-Purchase
       href: /azure/defender-for-cloud/prepurchase-plan?toc=/azure/cost-management-billing/reservations/toc.json
     - name: Disk Storage
       href: /azure/virtual-machines/disks-reserved-capacity?toc=/azure/cost-management-billing/reservations/toc.json
     - name: Microsoft Fabric
       href: fabric-capacity.md
+    - name: Microsoft Sentinel - Pre-Purchase
+      href: /azure/sentinel/billing-prepurchase-plan?toc=/azure/cost-management-billing/reservations/toc.json
     - name: SAP HANA Large Instances
       href: prepay-hana-large-instances-reserved-capacity.md
     - name: Software plans

articles/sentinel/TOC.yml

@@ -476,8 +476,8 @@
       href: data-connectors/crowdstrike-falcon-data-replicator.md
     - name: Crowdstrike Falcon Data Replicator V2 (using Azure Functions)
       href: data-connectors/crowdstrike-falcon-data-replicator-v2.md
-    - name: Cyber Blind Spot Intergration (using Azure Functions)
-      href: data-connectors/cyber-blind-spot-intergration.md
+    - name: Cyber Blind Spot Integration (using Azure Functions)
+      href: data-connectors/cyber-blind-spot-integration.md
     - name: CyberArkAudit (using Azure Functions)
       href: data-connectors/cyberarkaudit.md
     - name: CyberArkEPM (using Azure Functions)
@@ -516,8 +516,8 @@
       href: data-connectors/eset-protect.md
     - name: Exabeam Advanced Analytics
       href: data-connectors/exabeam-advanced-analytics.md
-    - name: Exchange Security Insights On-Premise Collector
-      href: data-connectors/exchange-security-insights-on-premise-collector.md
+    - name: Exchange Security Insights On-Premises Collector
+      href: data-connectors/exchange-security-insights-on-premises-collector.md
     - name: Exchange Security Insights Online Collector (using Azure Functions)
       href: data-connectors/exchange-security-insights-online-collector.md
     - name: F5 BIG-IP
@@ -624,7 +624,7 @@
       href: data-connectors/microsoft-entra-id-protection.md
     - name: Microsoft Exchange Logs and Events
       href: data-connectors/microsoft-exchange-logs-and-events.md
-    - name: Microsoft PowerBI
+    - name: Microsoft Power BI
       href: data-connectors/microsoft-powerbi.md
     - name: Microsoft Project
       href: data-connectors/microsoft-project.md
@@ -1183,6 +1183,8 @@
       href: billing-reduce-costs.md
     - name: Switch to simplified pricing tiers
       href: enroll-simplified-pricing-tier.md
+    - name: Optimize costs with pre-purchase plan
+      href: billing-pre-purchase-plan.md
     - name: Tutorial - Configure data retention policy
       href: configure-data-retention.md
     - name: Auxiliary logs use cases

articles/sentinel/billing-pre-purchase-plan.md

@@ -0,0 +1,93 @@
+---
+title: Optimize costs with a pre-purchase plan
+titleSuffix: Microsoft Sentinel
+description: Learn how to save costs and buy a Microsoft Sentinel pre-purchase plan
+author: austinmccollum
+ms.topic: how-to
+ms.date: 07/10/2024
+ms.author: austinmc
+ms.collection: usx-security
+#customerintent: As a SOC administrator or a billing specialist, I want to know how to buy a pre-purchase plan and whether commit units will benefit us financially.
+---
+
+# Optimize Microsoft Sentinel costs with a pre-purchase plan
+
+Save on your Microsoft Sentinel costs when you buy a pre-purchase plan. Pre-purchase plans are commit units (CUs) bought at discounted tiers in your purchasing currency for a specific product. The more you buy, the greater the discount. Purchased CUs pay down qualifying costs in US dollars (USD). So, if Microsoft Sentinel generates a retail cost of $100, then 100 Sentinel CUs (SCUs) are consumed. 
+
+Any eligible Microsoft Sentinel retail costs automatically deduct first from your SCUs over the course of its one year term or until they are depleted. Your pre-purchase plan SCUs start paying for your Microsoft Sentinel workspace costs without needing to redeploy or reassign the plan, and by default automatically renew to ensure you continue saving.
+
+## Prerequisites
+
+To buy a pre-purchase plan, you must have one of the following Azure subscriptions and roles:
+- For an Azure subscription, the owner role or reservation purchaser role is required.
+- For an Enterprise Agreement (EA) subscription, the [**Reserved Instances** policy option](../cost-management-billing/manage/direct-ea-administration.md#view-and-manage-enrollment-policies) must be enabled. To enable that policy option, you must be an EA administrator of the subscription.
+- For a Cloud Solution Provider (CSP) subscription, follow one of these articles:
+   - [Buy Azure reservations on behalf of a customer](/partner-center/customers/azure-reservations-buying)
+   - [Allow the customer to buy their own reservations](/partner-center/customers/give-customers-permission)
+
+>[!NOTE]
+> Microsoft Sentinel Commit Units are different from Security Compute Units in Copilot for Security. Customers cannot use Sentinel Commit Units to run Copilot workloads and vice versa.
+
+## Determine the right size to buy
+
+Pre-purchase plans pair nicely with Microsoft Sentinel commitment tiers. Once you plan your Microsoft Sentinel ingestion volume, choose an appropriate commitment tier. Then it's easier to decide on the size of a pre-purchase plan to buy. Microsoft Sentinel pre-purchase plans have a term agreement of one year.
+
+Here's an example of the decision making and cost savings for a pre-purchase plan. If you have a commitment tier of 200 GB/day, there's an associated monthly estimated cost for both the ingestion to the workspace and the analysis for Microsoft Sentinel. For example purposes, let's say that monthly cost is $20,000 USD with simplified pricing and provides a 39% savings over the pay-as-you-go tier with the same 200 GB/day.
+
+A $100,000 USD pre-purchase plan covers five months of that commitment tier but is valid for paying Microsoft Sentinel costs for 12 months. That pre-purchase plan is bought at a 22% discount for $78,000 USD. 
+
+The savings for the commitment tier and the pre-purchase plan combine. The original pay-as-you-go price for five months of 200 GB/day ingestion and analysis costs is about $160,000 USD. With an accurate commitment tier and a pre-purchase plan, the cost is reduced to $78,000 USD for a combined savings of over 51%.
+
+For more information, see the following articles:
+- [Switch to simplified pricing](enroll-simplified-pricing-tier.md)
+- [Set or change commitment tier](billing-reduce-costs.md#set-or-change-pricing-tier)
+
+>[!IMPORTANT]
+> The prices mentioned are for example purposes only. To determine the latest commitment tier prices, see [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
+
+All Microsoft Sentinel pricing tiers qualify for Microsoft Sentinel pre-purchase plans. From your Microsoft Sentinel bill, these costs are the entries with the **Sentinel** service name in the invoice details. These costs don't include Azure Monitor tiers, retention, restore and search costs. Eligible Microsoft Sentinel usage is deducted from the pre-purchased Microsoft Sentinel CUs automatically. 
+
+For more information on how to view Microsoft Sentinel simplified or classic pricing tiers in your invoice details, see [Understand your Microsoft Sentinel bill](billing.md#understand-your-microsoft-sentinel-bill).
+
+Keep in mind, Microsoft Sentinel integrates with many other Azure services that have separate costs not eligible to use with the pre-purchase SCUs. For more information, see [Costs and pricing for other services](billing.md#costs-and-pricing-for-other-services).
+
+## Purchase Microsoft Sentinel commit units
+
+Purchase Microsoft Sentinel pre-purchase plans in the [Azure portal reservations](https://portal.azure.com/#view/Microsoft_Azure_Reservations/ReservationsBrowseBlade/productType/Reservations). 
+
+1. Go to the [Azure portal](https://portal.azure.com)
+1. Navigate to the **Reservations** service.
+1. On the **Purchase reservations page**, select **Microsoft Sentinel Pre-Purchase Plan**.
+1. On the **Select the product you want to purchase** page, select a subscription. Use the **Subscription** list to select the subscription used to pay for the reserved capacity. The payment method of the subscription is charged the upfront costs for the reserved capacity. Charges are deducted from the enrollment's Azure Prepayment (previously called monetary commitment) balance or charged as overage.
+1. Select a scope.
+   - **Single resource group scope** - Applies the reservation discount to the matching resources in the selected resource group only.
+   - **Single subscription scope** - Applies the reservation discount to the matching resources in the selected subscription.
+   - **Shared scope** - Applies the reservation discount to matching resources in eligible subscriptions that are in the billing context. For Enterprise Agreement customers, the billing context is the enrollment.
+   - **Management group** - Applies the reservation discount to the matching resource in the list of subscriptions that are a part of both the management group and billing scope.
+1. Select how many Microsoft Sentinel commit units you want to purchase.
+
+   `Need Sentinel screenshot here`
+   :::image type="content" source="media/sentinel-pre-purchase-plan.png" alt-text="Screenshot showing Microsoft Sentinel pre-purchase plan discount tiers and their term lengths." lightbox="media/sentinel-pre-purchase-plan.png":::
+
+1. Choose to automatically renew the pre-purchase reservation. *The setting is configured to renew automatically by default*. For more information, see [Renew a reservation](../cost-management-billing/reservations/reservation-renew.md).
+
+## Change scope and ownership
+
+You can make the following types of changes to a reservation after purchase:
+
+- Update reservation scope
+- Update who can view or manage the reservation. For more information, see [Who can manage a reservation by default](../cost-management-billing/reservations/manage-reserved-vm-instance.md#who-can-manage-a-reservation-by-default).
+
+You can't split or merge a **Microsoft Sentinel Pre-Purchase Plan**. For more information about managing reservations, see [Manage reservations after purchase](../cost-management-billing/reservations/manage-reserved-vm-instance.md).
+
+## Cancellations and exchanges
+
+Cancel and exchange isn't supported for **Microsoft Sentinel Pre-Purchase Plans**. All purchases are final.
+
+## Related content
+
+To learn more about Azure Reservations, see the following articles:
+- [What are Azure Reservations?](../cost-management-billing/reservations/save-compute-costs-reservations.md)
+- [Manage Azure Reservations](../cost-management-billing/reservations/manage-reserved-vm-instance.md)
+
+To learn more about Microsoft Sentinel costs, see [Plan costs and understand Microsoft Sentinel pricing and billing](billing.md).

articles/sentinel/billing-reduce-costs.md

@@ -1,11 +1,11 @@
 ---
 title: Reduce costs for Microsoft Sentinel
 description: Learn how to reduce costs for Microsoft Sentinel by using different methods in the Azure portal.
-author: cwatson-cat
-ms.author: cwatson
+author: austinmccollum
+ms.author: austinmc
 ms.custom: subject-cost-optimization
 ms.topic: conceptual
-ms.date: 03/07/2024
+ms.date: 07/09/2024
 appliesto:
     - Microsoft Sentinel in the Azure portal
     - Microsoft Sentinel in the Microsoft Defender portal
@@ -33,6 +33,14 @@ To learn more about how to monitor your costs, see [Manage and monitor costs for
 
 For workspaces still using classic pricing tiers, the Microsoft Sentinel pricing tiers don't include Log Analytics charges. For more information, see [Simplified pricing tiers](billing.md#simplified-pricing-tiers).
 
+## Buy a pre-purchase plan
+
+Save on your Microsoft Sentinel costs when you pre-purchase Microsoft Sentinel commit units (CUs). Use the pre-purchased CUs at any time during the one year purchase term.
+
+Any eligible Microsoft Sentinel costs deduct first from the pre-purchased CUs automatically. You don't need to redeploy or assign a pre-purchased plan to your Microsoft Sentinel workspaces for the CU usage to get the pre-purchase discounts.
+
+For more information, see [Optimize Microsoft Sentinel costs with a pre-purchase plan](billing-pre-purchase-plan.md).
+
 ## Separate non-security data in a different workspace
 
 Microsoft Sentinel analyzes all the data ingested into Microsoft Sentinel-enabled Log Analytics workspaces. It's best to have a separate workspace for non-security operations data, to ensure it doesn't incur Microsoft Sentinel costs.

articles/sentinel/data-connectors-reference.md

@@ -484,7 +484,7 @@ For more information about the codeless connector platform, see [Create a codele
 - [[Recommended] Forcepoint NGFW via AMA](data-connectors/recommended-forcepoint-ngfw-via-ama.md)
 - [Barracuda CloudGen Firewall](data-connectors/barracuda-cloudgen-firewall.md)
 - [Exchange Security Insights Online Collector (using Azure Functions)](data-connectors/exchange-security-insights-online-collector.md)
-- [Exchange Security Insights On-Premise Collector](data-connectors/exchange-security-insights-on-premise-collector.md)
+- [Exchange Security Insights On-Premises Collector](data-connectors/exchange-security-insights-on-premises-collector.md)
 - [Microsoft Exchange Logs and Events](data-connectors/microsoft-exchange-logs-and-events.md)
 - [Forcepoint DLP](data-connectors/forcepoint-dlp.md)
 - [MISP2Sentinel](data-connectors/misp2sentinel.md)

articles/sentinel/data-connectors/cyber-blind-spot-intergration.md renamed to articles/sentinel/data-connectors/cyber-blind-spot-integration.md

@@ -1,6 +1,6 @@
 ---
-title: "Cyber Blind Spot Intergration (using Azure Functions) connector for Microsoft Sentinel"
-description: "Learn how to install the connector Cyber Blind Spot Intergration (using Azure Functions) to connect your data source to Microsoft Sentinel."
+title: "Cyber Blind Spot Integration (using Azure Functions) connector for Microsoft Sentinel"
+description: "Learn how to install the connector Cyber Blind Spot Integration (using Azure Functions) to connect your data source to Microsoft Sentinel."
 author: cwatson-cat
 ms.topic: how-to
 ms.date: 04/26/2024
@@ -9,7 +9,7 @@ ms.author: cwatson
 ms.collection: sentinel-data-connector
 ---
 
-# Cyber Blind Spot Intergration (using Azure Functions) connector for Microsoft Sentinel
+# Cyber Blind Spot Integration (using Azure Functions) connector for Microsoft Sentinel
 
 Through the API integration, you have the capability to retrieve all the issues related to your CBS organizations via a RESTful interface.
 
@@ -38,7 +38,7 @@ CBSLog_Azure_1_CL
 
 ## Prerequisites
 
-To integrate with Cyber Blind Spot Intergration (using Azure Functions) make sure you have: 
+To integrate with Cyber Blind Spot Integration (using Azure Functions) make sure you have: 
 
 - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/).
 

articles/sentinel/data-connectors/exchange-security-insights-on-premise-collector.md renamed to articles/sentinel/data-connectors/exchange-security-insights-on-premises-collector.md

@@ -1,6 +1,6 @@
 ---
-title: "Exchange Security Insights On-Premise Collector connector for Microsoft Sentinel"
-description: "Learn how to install the connector Exchange Security Insights On-Premise Collector to connect your data source to Microsoft Sentinel."
+title: "Exchange Security Insights On-Premises Collector connector for Microsoft Sentinel"
+description: "Learn how to install the connector Exchange Security Insights On-Premises Collector to connect your data source to Microsoft Sentinel."
 author: cwatson-cat
 ms.topic: how-to
 ms.date: 04/26/2024
@@ -9,7 +9,7 @@ ms.author: cwatson
 ms.collection: sentinel-data-connector
 ---
 
-# Exchange Security Insights On-Premise Collector connector for Microsoft Sentinel
+# Exchange Security Insights On-Premises Collector connector for Microsoft Sentinel
 
 Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis
 
@@ -36,7 +36,7 @@ ESIExchangeConfig_CL
 
 ## Prerequisites
 
-To integrate with Exchange Security Insights On-Premise Collector make sure you have: 
+To integrate with Exchange Security Insights On-Premises Collector make sure you have: 
 
 - **Service Account with Organization Management role**: The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information.
 
@@ -67,8 +67,8 @@ In 'Run as Administrator' mode, launch the 'setup.ps1' script to configure the c
 3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)
 
 The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.
- We recommend to schedule the script once a day.
- The account used to launch the Script needs to be member of the group Organization Management
+ We recommend scheduling the script once a day.
+ The account used to launch the Script needs to be a member of the group Organization Management
 
 
 

articles/sentinel/enroll-simplified-pricing-tier.md

@@ -154,8 +154,9 @@ Keep in mind, the simplified effective per GB price for a Microsoft Sentinel ena
 A Log Analytics workspace automatically configures its pricing tier to match the simplified pricing tier if Microsoft Sentinel is removed from a workspace while simplified pricing is enabled. For example, if the simplified pricing was configured for 100 GB/day Commitment tier in Microsoft Sentinel, the pricing tier of the Log Analytics workspace changes to 100 GB/day Commitment tier once Microsoft Sentinel is removed from the workspace.
 
 ### Will switching reduce my costs?
-Though the goal of the experience is to merely simplify the pricing and cost management experience without impacting actual costs, two primary scenarios exist for a cost reduction when switching to a simplified pricing tier.
+Though the goal of the experience is to merely simplify the pricing and cost management experience without impacting actual costs, three primary scenarios exist for a cost reduction when switching to a simplified pricing tier.
 
+- Reduce Microsoft Sentinel costs with a [pre-purchase plan](billing-pre-purchase-plan.md). Commit units of a pre-purchase plan don't apply to Log Analytics costs in the classic pricing tier. Since the entire simplified pricing tier is categorized as a Microsoft Sentinel cost, your effective spend with the simplified pricing tier is reduced with a pre-purchase plan that approaches your commitment tier. 
 - The combined [Defender for Servers](/azure/defender-for-cloud/faq-defender-for-servers#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-) benefit results in a total cost savings if utilized by the workspace. 
 - If one of the separate pricing tiers for Log Analytics or Microsoft Sentinel was inappropriately mismatched, the simplified pricing tier could result in cost saving.