Re: O365 and Azure AD - estimation of volume of da...

jimmoriarty · ‎09-15-2019

I've been asked to estimate how much license is needed to ingest Office 365 (and Azure AD) logs.

Not sure what variables are in place - but there are about 1200 users. Does anyone have a ballpark estimate on the size of raw ingestion for that (e,g, 10GB a day)?

Thanks in advance for any insights.

keithevanscdcr · ‎07-13-2021

Sizing for O365 is typically not a clear cut exercise. There are so many different variables that can affect the volume. A couple of examples:

O365 Subscription type: E1, E3, A5, .. (Will affect the apps they have and the apps that are logged)
OneDrive - If customer is redirecting home drives to OneDrive, this creates audit events for every read/write to home directories
Customer size
Use cases and inputs they turn on\
Customers SSO / federation configuration

My preference is to encourage the customer to turn it on for a few hours/days to get a baseline as the inputs will go back and retrieve 30+ days (depending on size of tenant). This can be done on a dev box etc if customer is worried about prod impact. I normally scope for 500kb > 1mb per user per day (again depending on their usage).

In terms of very rough numbers based on a couple of customers:

5000 users: 3-4GB per day
20000 users: 9GB per day
500,000 users: 40GB per day

O365 and Azure AD - estimation of volume of data

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!