Forum Discussion
Sentinel Log Volume vs Defender Log Volume
- Apr 21, 2025
The volume reported in Microsoft Defender is only an estimate of raw telemetry size, not the actual amount that gets ingested and billed in Sentinel.
Sentinel adds overhead, normalization, indexing, and data duplication (from multiple connectors), leading to much higher volume than raw Defender estimates.
Data Normalization:
Defender’s estimate data size may exclude bits like metadata and unused columns. Sentinel ingestion includes all fields.
By the way, you could have saved some typing and made sure all tables were included: you can group with the union, for example all tables that start with Device, or even multiple groups, as in this example:
union Device*, Email*
| summarize RecordCount = count(), MDETotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2)
You also have to assess whether you need all the tables duplicated in Sentinel; you normally do it for one of two reasons:
1. You need to retain the data for a longer period for ad-hoc Hunting/reporting or to meet a compliance obligation
2. You have Analytics that need the data in Sentinel - so make sure you are using the data you are syncing
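To put numbers on the gap between the Defender estimate and what Sentinel actually bills, the following query is an added example (not part of the post above) that runs in the Sentinel workspace and joins the raw-record estimate of the Device* and Email* tables against the billed volume recorded in the workspace's Usage table; it assumes the standard Usage schema (DataType is the table name, Quantity is in MB, IsBillable marks billed data) and a 30-day lookback chosen here for illustration.

```kusto
// Run in the Sentinel (Log Analytics) workspace, not in the Defender portal.
let lookback = 30d;   // assumed window; adjust to the period you are comparing
// Billed volume as recorded by the workspace, per table (Usage.Quantity is in MB).
let billed = Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true
    | where DataType startswith "Device" or DataType startswith "Email"
    | summarize BilledMB = round(sum(Quantity), 2) by TableName = DataType;
// Raw-record estimate of the same tables, computed the same way as the Defender-side query.
let estimated = union withsource=TableName Device*, Email*
    | where TimeGenerated > ago(lookback)
    | summarize RecordCount = count(),
                EstimatedMB = round(sum(estimate_data_size(*)) / pow(1024, 2), 2) by TableName;
// Full outer join so a table that is synced but never billed (or billed but empty) still shows up.
estimated
| join kind=fullouter billed on TableName
| extend TableName = coalesce(TableName, TableName1)
| project TableName, RecordCount, EstimatedMB, BilledMB,
          OverheadRatio = round(BilledMB / EstimatedMB, 2)   // >1 means Sentinel bills more than the raw estimate
| order by BilledMB desc
```

Tables with a high OverheadRatio or a large BilledMB but no analytic rule referencing them are the first candidates to drop from the connector, per the two reasons listed above.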