SHoydal
Copper Contributor
Jul 15, 2024

Defender advanced hunting, data-grant from Defender for Servers licensing.

Hi,

When configuring Defender for Servers P2 in Defender for Cloud, it states that you would be granted 500 MB per day of free ingestion to a Log Analytics workspace, such as in Sentinel.

However, when looking into the supported data sources I do not find the advanced hunting data that would be my first go-to data source when setting up Sentinel, how come? 

Here is a screenshot of how data ingestion changed once I turned on the XDR connector. Am I to understand that the 500 MB ingestion per device we're paying for will do nothing to cover this cost? The E5 grant of 5 MB/user/day is nowhere near this amount of data.

Is there a way to utilize the 500MB ingestion per device grant for the advanced hunting data? 

  • Clive_Watson
    Bronze Contributor
    The two different grants (500 MB and 5 MB) are separate products, so one won't cover the other. For Advanced Hunting, as you say, you will get a grant for the first 5 MB per day per user for that data.
    • SHoydal
      Copper Contributor
      That's fair enough, but what I am trying to understand is why advanced hunting isn't also covered through the Defender for Servers P2 license, considering it's the P2 license that gives you access to this data in the first place. It doesn't make sense, but then again, Microsoft works in mysterious ways.
      For example, if you had a tenant only used for cloud workloads, with many servers but limited users, you could set up Defender for Cloud to install the Server P2 license and send advanced hunting data to Sentinel, but the 500 MB per server per day won't cover any of the costs for data, since only E5 licenses cover that data. Makes no sense to me, hence trying to shed some light on this.