Defender 500mb Log Analytics allowance clarification

Copper Contributor


Over the past 18 months I've been used to discussing with customers that Defender for Servers (now Plan 2 of Defender for Servers) comes with a 500mb per day on Log Analytics ingestion charges. 

Microsoft Press’ Introduction to Azure Security Center previously published the same advice:



Microsoft staff in Tech Community forums have said the same as well.



It's a compelling message for adopting Defender on Servers as a way of reducing Sentinel costs.

I was surprised to recently discover that that message has been changed to being a credit toward a small subset of tables withing Log Analytics - namely:



I’m now uncertain if the simple message we have been giving customers over 500mb a day has ever been true or if this clarification on only crediting certain tables is a recent change from Microsoft.

I’m hoping that the recent advisory stating only some tables are credited is a mistake.  An obvious example from that list is Security Alerts (SecurityAlert table) which a Kusto query shows the table isn’t marked as a billable table anyway - so a suggestion that a 500mb credit for its use comes from Defender for Servers doesn’t make any sense.

We really need clarification over what the Defender 500mb Log Analytics ingestion discount really applies to.


2 Replies
Our official documentation has been reviewed and updated to reflect the current billing model:
best response confirmed by Laurie_Rhodes (Copper Contributor)
Thanks Stanislav,

Can you tell me when the billing model changed please? I have advised multiple clients in the past of the flat 500mb credit with Log Analytics (which was Microsoft's advertised billing model). They deserve to know when that billing model changed.... or alternately, if they never received the discount they were promised in the first place!

Can we at least say with certainty that customers did once get a flat 500mb daily credit on Log Analytics ingestion due to Defender?