Forum Discussion
Defender for Cloud DCR
Hey edwaro3,
The reason you're seeing that is due to how that 500 MB data grant is applied to specific tables within your Log Analytics Workspace and Microsoft pushing you to better practices. You can find that list of tables here: Use the data ingestion benefit in Microsoft Defender for Cloud - Microsoft Defender for Cloud
Now as you can see the WindowsEvents table is a supported table. Assuming that you created a DCR from scratch I'll also assume you chose "Windows Event Logs" from the data source drop-down list and checked the boxes for Application, Security and System. This will work as this uses the Microsoft-Events data stream which drops logs into the WindowsEvent table. Though you may want to uncheck the Security logs in this DCR and follow below for Microsoft's recommended way of getting those logs.
For Windows Security Events, this banner is telling you to specifically use the "Windows Security Events via AMA" data connector, which you can install in your Sentinel workspace from the Content Hub. Once installed, open the data connector page and use the built-in "+Create a data collection rule". This wizard is very easy to configure, only gathers the more relevant event IDs, and furthermore uses the Microsoft-SecurityEvent stream to drop logs into the SecurityEvent table. For most folks, collecting 'Common' is good enough, though some fall back to 'Minimal' if some events are too noisy.
That 500 MB/server/day is a pooled grant, meaning that even if one computer is noisier than others, as long as the total ingest from all servers for the day is below the daily total grant, you're fine. Just keep in mind that the more logs you ingest, the thinner the spread of that 500 MB. Since you have MDE on these devices, think about how you can collect event logs via DCRs to complement or bridge any gaps from what you're already collecting.
Best regards,
Dylan
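Two checks from the reply above are easy to automate before a DCR goes live: whether the Security channel is still being read by the generic Microsoft-Event data source after a Microsoft-SecurityEvent source has been added (the "uncheck the Security logs in this DCR" advice), and whether the day's combined ingestion stays inside the pooled 500 MB per-server grant. The script below is an added example, not code from the original post or from Microsoft; the DCR document it parses is constructed in the shape of the Azure Monitor DCR JSON, and the workspace resource ID, event IDs and per-server ingestion figures are placeholders.

```python
"""Lint a Windows event-log DCR for duplicate Security collection and check
daily ingestion against the pooled Defender for Cloud data grant.

Added example, not code from the original post or from Microsoft. SAMPLE_DCR
is constructed; resource IDs, event IDs and ingestion numbers are placeholders.
"""
import json
import re
from collections import defaultdict

# Constructed DCR: a generic "Windows Event Logs" data source (Microsoft-Event
# stream) that still includes the Security channel, plus a second data source
# of the kind the "Windows Security Events via AMA" wizard creates
# (Microsoft-SecurityEvent stream, routed to the SecurityEvent table).
SAMPLE_DCR = json.loads(r"""
{
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "generalEventLogs",
          "streams": ["Microsoft-Event"],
          "xPathQueries": [
            "Application!*[System[(Level=1 or Level=2 or Level=3)]]",
            "System!*[System[(Level=1 or Level=2 or Level=3)]]",
            "Security!*"
          ]
        },
        {
          "name": "securityEvents",
          "streams": ["Microsoft-SecurityEvent"],
          "xPathQueries": [
            "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {"name": "la-workspace",
         "workspaceResourceId": "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/placeholder-ws"}
      ]
    },
    "dataFlows": [
      {"streams": ["Microsoft-Event"], "destinations": ["la-workspace"]},
      {"streams": ["Microsoft-SecurityEvent"], "destinations": ["la-workspace"]}
    ]
  }
}
""")

# In an AMA XPath query the channel name is everything before the "!".
_CHANNEL_RE = re.compile(r"^([^!]+)!")


def channels_by_stream(dcr: dict) -> dict[str, set[str]]:
    """Map each declared stream to the Windows event channels its queries read."""
    out: defaultdict = defaultdict(set)
    for src in dcr["properties"]["dataSources"].get("windowsEventLogs", []):
        for query in src.get("xPathQueries", []):
            match = _CHANNEL_RE.match(query)
            if match:
                for stream in src["streams"]:
                    out[stream].add(match.group(1))
    return dict(out)


def duplicate_security_collection(dcr: dict) -> bool:
    """True when Security is read by Microsoft-Event while a Microsoft-SecurityEvent
    source also exists: the same events land in two tables and are billed twice."""
    by_stream = channels_by_stream(dcr)
    return ("Security" in by_stream.get("Microsoft-Event", set())
            and "Microsoft-SecurityEvent" in by_stream)


def unrouted_streams(dcr: dict) -> set[str]:
    """Streams declared on a data source that no dataFlow sends anywhere."""
    declared = set(channels_by_stream(dcr))
    routed = {s for flow in dcr["properties"].get("dataFlows", [])
              for s in flow["streams"]}
    return declared - routed


GRANT_MB_PER_SERVER = 500  # the per-server daily grant described in the reply


def pooled_grant_ok(ingest_mb_by_server: dict) -> tuple:
    """Compare the day's total ingestion with the pooled grant (500 MB x servers).
    Returns (within_grant, headroom_mb); headroom is negative when over."""
    pool = GRANT_MB_PER_SERVER * len(ingest_mb_by_server)
    total = sum(ingest_mb_by_server.values())
    return total <= pool, pool - total


if __name__ == "__main__":
    print("channels by stream:", channels_by_stream(SAMPLE_DCR))
    print("Security collected twice:", duplicate_security_collection(SAMPLE_DCR))
    print("unrouted streams:", unrouted_streams(SAMPLE_DCR))
    # One noisy server (900 MB) is fine while the 3 x 500 MB pool is not exceeded.
    print("pooled grant:", pooled_grant_ok({"srv-a": 900, "srv-b": 200, "srv-c": 250}))
```

Point the loader at an exported DCR (for example the JSON view of the rule in the portal) instead of `SAMPLE_DCR` to lint a real rule; the ingestion figures for `pooled_grant_ok` would normally come from the workspace's Usage data, which this offline example replaces with constructed values.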