Forum Discussion

edwaro3's avatar
edwaro3
Icon for Microsoft rankMicrosoft
Jul 28, 2025

Defender for Cloud DCR

 Enabling Defender for Servers Plan 2 and creating a custom DCR to enable the 500MB ingestion into log analytics. The workspace I am sending the logs to is connected to Sentinel. When I looked at cre...
Surya_Narayana's avatar
Surya_Narayana
MCT
Jul 29, 2025

hi edwaro3​ the short answer would be:

If you use both a custom DCR and the Sentinel connector to collect the same logs (e.g., Windows Security Events), you will be billed twice — once by Defender for ingesting into Log Analytics, and again by Sentinel if you configure its native connector for the same logs.

 

Explanation: When you're using:

  • Defender for Servers Plan 2: It includes built-in DCR-based log collection of security events and performance counters. It can be configured to ingest up to 500MB per node per day at no extra cost into Log Analytics (beyond which overage is billed).
  • Microsoft Sentinel: Adds analytics, investigation, and response capabilities. It reads logs from the same Log Analytics workspace, but also has its own connectors to bring in data from Windows machines.

When you:

  • Enable the Windows Security Events connector in Sentinel, it sets up a data collection rule (DCR) behind the scenes to collect logs.
  • Create your own custom DCR (or use Defender’s), and configure it to collect the same logs (like SecurityEvent), then you'll have duplication.

What You Get Charged For

  1. Data Ingestion Charges
    • You pay for any data ingested into Log Analytics (LA) once.
    • If two DCRs send the same event (e.g., from same source machine), that data is ingested twice, so you pay twice.
  2. Sentinel Charges
    • Sentinel charges for data stored in the Log Analytics workspace it's connected to (by GB per day).
    • You don’t pay separately for using a connector — but you pay for the data ingested because of that connector.

Recommended Setup to Avoid Duplication

Since you're using Defender for Servers Plan 2, follow this best practice:

Let Defender for Servers handle log collection via its built-in DCR.

Do not enable the Sentinel connector for Windows Security Events, unless:

  • You need a different log level or custom event filtering
  • You're not using Defender for Servers

Microsoft recommends that when Defender for Cloud is in use, you should not enable the Sentinel Windows Security Events connector, because it causes duplication and increases cost.

 

Resources