M0nk3yOo
Copper Contributor
Apr 17, 2025
Solved

Sentinel Log Volume vs Defender Log Volume

Dear community, we're currently building up our first SOC service and wondering about the costs (not really, we know that SIEM is expensive, but we don't understand the log volumes). We started with...
  • ITProfessor
    Apr 21, 2025

    The volume reported in Microsoft Defender is only an estimate of raw telemetry size, not the actual amount that gets ingested and billed in Sentinel.
    Sentinel adds overhead, normalization, indexing, and data duplication (from multiple connectors), leading to much higher volume than raw Defender estimates.

     

    Data Normalization:

    Defender’s estimated data size may exclude bits like metadata and unused columns. Sentinel ingestion includes all fields.
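
To put a measured number next to Defender's estimate, the billed size can be read from the Sentinel workspace itself. The query below is an added example, not part of the original thread; it assumes the Defender XDR connector writes to tables whose names start with `Device` (for example `DeviceProcessEvents`) and relies on the standard Log Analytics columns `_BilledSize` (bytes) and `_IsBillable`.

```kusto
// Added example: billed ingestion per Defender table per day, measured in the workspace.
// Assumption: Defender XDR tables in this workspace are named Device*.
let lookback = 7d;
union withsource = TableName Device*
| where TimeGenerated > ago(lookback)
| where _IsBillable == true                 // skip records that are not charged
| summarize
    Records     = count(),
    BilledBytes = sum(_BilledSize)          // size the workspace bills for, in bytes
    by TableName, Day = bin(TimeGenerated, 1d)
| extend
    BilledGB          = round(BilledBytes / (1024.0 * 1024.0 * 1024.0), 3),
    AvgBytesPerRecord = round(1.0 * BilledBytes / Records, 0)
| project Day, TableName, Records, BilledGB, AvgBytesPerRecord
| order by Day desc, BilledGB desc
```

`AvgBytesPerRecord` shows which tables carry the widest records, and the `Records` column can be checked against the event counts Defender reports for the same day to see whether the gap comes from record size or from record count.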
