May 17 2022 04:25 PM
Over the past 18 months I've been used to discussing with customers that Defender for Servers (now Plan 2 of Defender for Servers) comes with a 500mb per day on Log Analytics ingestion charges.
Microsoft Press’ Introduction to Azure Security Center previously published the same advice:
Microsoft staff in Tech Community forums have said the same as well.
It's a compelling message for adopting Defender on Servers as a way of reducing Sentinel costs.
I was surprised to recently discover that that message has been changed to being a credit toward a small subset of tables within Log Analytics - namely:
I’m now uncertain if the simple message we have been giving customers over 500mb a day has ever been true or if this clarification on only crediting certain tables is a recent change from Microsoft.
I’m hoping that the recent advisory stating only some tables are credited is a mistake. An obvious example from that list is Security Alerts (SecurityAlert table), which a Kusto query shows isn’t marked as a billable table anyway - so a suggestion that a 500mb credit for its use comes from Defender for Servers doesn’t make any sense.
We really need clarification over what the Defender 500mb Log Analytics ingestion discount really applies to.