Defender for Cloud DCR
Enabling Defender for Servers Plan 2 and creating a custom DCR to enable the 500MB ingestion into log analytics. The workspace I am sending the logs to is connected to Sentinel. When I looked at creating the DCR I received this pop-up
If I enable the Sentinel connector, will this duplicate the cost of the logs or will the connector just enable the data to be surfaced in Sentinel?
DylanInfosec (Iron Contributor)
Hey edwaro3,
The reason you're seeing that is due to how that 500 MB data grant is applied to specific tables within your Log Analytics Workspace, and to Microsoft pushing you toward better practices. You can find that list of tables here: Use the data ingestion benefit in Microsoft Defender for Cloud - Microsoft Defender for Cloud
Now, as you can see, the WindowsEvent table is a supported table. Assuming that you created a DCR from scratch, I'll also assume you chose "Windows Event Logs" from the data source drop-down list and checked the boxes for Application, Security and System. This will work, as this uses the Microsoft-Events data stream, which drops logs into the WindowsEvent table. Though you may want to uncheck the Security logs in this DCR and follow the steps below for Microsoft's recommended way of getting those logs.
For Windows Security Events, this banner is telling you to specifically use the "Windows Security Events via AMA" data connector, which you can install in your Sentinel workspace from the Content Hub. Once installed, open the data connector page and use the built-in "+Create a data collection rule". This wizard is very easy to configure, only gathers the more relevant event IDs, and furthermore uses the Microsoft-SecurityEvent stream to drop logs into the SecurityEvent table. For most folks, collecting 'Common' is good enough, though some fall back to 'Minimal' if some events are too noisy.
That 500 MB/server/day is a pooled grant, meaning that even if one computer is noisier than others, as long as the total ingest from all servers for the day is below the daily total grant, you're fine. Just keep in mind that the more logs you ingest, the thinner the spread of that 500 MB. Since you have MDE on these devices, think about how you can collect event logs via DCRs to complement or bridge any gaps in what you're already collecting.
Best regards,
Dylan
Hi edwaro3, the short answer would be:
If you use both a custom DCR and the Sentinel connector to collect the same logs (e.g., Windows Security Events), you will be billed twice — once by Defender for ingesting into Log Analytics, and again by Sentinel if you configure its native connector for the same logs.
Explanation: When you're using:
- Defender for Servers Plan 2: It includes built-in DCR-based log collection of security events and performance counters. It can be configured to ingest up to 500MB per node per day at no extra cost into Log Analytics (beyond which overage is billed).
- Microsoft Sentinel: Adds analytics, investigation, and response capabilities. It reads logs from the same Log Analytics workspace, but also has its own connectors to bring in data from Windows machines.
When you:
- Enable the Windows Security Events connector in Sentinel, it sets up a data collection rule (DCR) behind the scenes to collect logs.
- Create your own custom DCR (or use Defender’s), and configure it to collect the same logs (like SecurityEvent), then you'll have duplication.
What You Get Charged For
- Data Ingestion Charges
  - You pay for any data ingested into Log Analytics (LA) once.
  - If two DCRs send the same event (e.g., from the same source machine), that data is ingested twice, so you pay twice.
- Sentinel Charges
  - Sentinel charges for data stored in the Log Analytics workspace it's connected to (by GB per day).
  - You don’t pay separately for using a connector — but you pay for the data ingested because of that connector.
Recommended Setup to Avoid Duplication
Since you're using Defender for Servers Plan 2, follow this best practice:
Let Defender for Servers handle log collection via its built-in DCR.
Do not enable the Sentinel connector for Windows Security Events, unless:
- You need a different log level or custom event filtering
- You're not using Defender for Servers
Microsoft recommends that when Defender for Cloud is in use, you should not enable the Sentinel Windows Security Events connector, because it causes duplication and increases cost.
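Two workspace checks for the points both replies make (Security events landing in two tables from two DCR streams, and daily volume against the pooled 500 MB/server/day grant), written as an added example that is not from either reply. They assume the standard SecurityEvent, WindowsEvent, Usage and Heartbeat schemas and the hidden _BilledSize column; the GrantTables list is a constructed two-entry subset that you should extend from Microsoft's published table list.

```kusto
// ---- Query 1: computers whose Security channel lands in BOTH tables ----
// Same host collected by a custom DCR (Microsoft-Events stream -> WindowsEvent)
// and by the Sentinel connector DCR (Microsoft-SecurityEvent -> SecurityEvent)
// is ingested, and therefore billed, twice.
let Window = 1d;
let SecTable = SecurityEvent
    | where TimeGenerated > ago(Window)
    | project Computer, _BilledSize, SourceTable = "SecurityEvent";
let WinTable = WindowsEvent
    | where TimeGenerated > ago(Window)
    | where Channel == "Security"            // only the channel the thread is about
    | project Computer, _BilledSize, SourceTable = "WindowsEvent";
union SecTable, WinTable
| summarize BilledMB = round(sum(_BilledSize) / 1048576.0, 2) by Computer, SourceTable
| summarize Tables = make_set(SourceTable), DuplicatedMB = sum(BilledMB) by Computer
| where array_length(Tables) > 1            // present in both tables => double ingestion
| order by DuplicatedMB desc

// ---- Query 2: billable volume in grant-eligible tables vs the pooled grant ----
// The grant is pooled: compare the day's total, not any single noisy server.
let GrantMBPerServer = 500;
// Constructed subset; extend with the tables Microsoft lists for the benefit.
let GrantTables = dynamic(["SecurityEvent", "WindowsEvent"]);
let Servers = toscalar(
    Heartbeat
    | where TimeGenerated > ago(1d)
    | summarize dcount(Computer));
Usage
| where TimeGenerated > ago(1d) and IsBillable == true
| where DataType in (GrantTables)
| summarize IngestedMB = round(sum(Quantity), 2)   // Usage.Quantity is in MB
| extend ServerCount = Servers, PoolGrantMB = Servers * GrantMBPerServer
| extend OverageMB = max_of(IngestedMB - PoolGrantMB, 0.0),
         PerServerMB = round(IngestedMB / ServerCount, 2) // how thin the 500 MB is spread
```

Run each query separately in the Logs blade of the workspace; Query 1 returning any rows means the two DCRs overlap for those hosts, and a non-zero OverageMB in Query 2 is the portion billed beyond the grant.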