STARK ON SECURITY

Estimating Defender 365 Event Size

If you are planning to export raw events from Defender 365 to your SIEM, you can estimate the size of each table and its number of entries directly in Defender 365 Advanced Hunting with KQL. Keep two caveats in mind: Advanced Hunting retains roughly 30 days of raw events, so a query with no time filter reports about a month of volume (divide by 30 for a daily rate), and estimate_data_size() is an approximation of the stored record size, so the billed ingestion volume once the data lands in your SIEM can differ.

Estimate All Table Sizes

// All Tables
// estimate_data_size(*) approximates the size in bytes of every column in a row;
// summing it per table gives the total volume held in Advanced Hunting (about 30 days of events).
union withsource = TableName *
| summarize totalTableEntries = count(), TableSizeInGB = sum(estimate_data_size(*))/1000/1000/1000., TableSizeInMB = sum(estimate_data_size(*))/1000/1000. by TableName

Estimated Sentinel Price

Update the Price variable to the combined per-GB rate for your region from the Azure pricing calculator (Microsoft Sentinel plus Log Analytics ingestion); the query multiplies the estimated table size in GB by that rate.

// Price = Sentinel + Log Analytics Ingestion (per GB, from the Azure pricing calculator)
let Price = 3.0;
union withsource = TableName *
| summarize totalTableEntries = count(), TableSizeInGB = sum(estimate_data_size(*))/1000/1000/1000., TableSizeInMB = sum(estimate_data_size(*))/1000/1000., estimatedSentinelprice = round(sum(estimate_data_size(*)) / (1000 * 1000 * 1000.) * Price, 2) by TableName

For an updated list of all KQL queries for estimating table sizes, refer to Defender-365/Estimated Table Size.txt at main · seanstark/Defender-365 (github.com).
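Because Sentinel bills per GB ingested per day, the per-day rate is usually more useful for sizing than the retention-window total the queries above return. The following query is an added example, not code from the original post or from the seanstark/Defender-365 repository. It applies the same estimate_data_size() approach but bins by day, reports the average and peak daily GB per table, and projects a monthly cost. It assumes Advanced Hunting's 30-day retention, a PricePerGB value you replace with your region's combined Sentinel plus Log Analytics rate (3.0 is a placeholder), and that every table of interest carries a Timestamp column; tables without one (the DeviceTvm* snapshot tables) drop out at the time filter and should be sized with the total-size query above instead.

```kql
// Added example (not from the original post): average and peak daily ingestion per
// table over the Advanced Hunting retention window, with a projected monthly cost.
// Assumptions: 30-day retention; PricePerGB is a placeholder you replace with the
// combined Sentinel + Log Analytics per-GB rate from the Azure pricing calculator.
let PricePerGB = 3.0;     // assumption: replace with your region's rate
let Lookback = 30d;       // Advanced Hunting keeps about 30 days of raw events
union withsource = TableName *
| where Timestamp > ago(Lookback)     // rows from tables without a Timestamp column are dropped here
| summarize DailyBytes = sum(estimate_data_size(*)) by TableName, Day = bin(Timestamp, 1d)
| summarize AvgDailyGB   = round(avg(DailyBytes) / 1e9, 3),   // typical daily volume
            PeakDailyGB  = round(max(DailyBytes) / 1e9, 3),   // worst observed day
            DaysObserved = count()                            // days with at least one event
            by TableName
| extend EstMonthlyCost = round(AvgDailyGB * 30 * PricePerGB, 2)   // 30 billing days per month
| order by AvgDailyGB desc
```

Use AvgDailyGB for the monthly projection, PeakDailyGB when deciding whether a Sentinel commitment tier would absorb busy days, and DaysObserved to spot tables that only produce events sporadically (a low count means the average is driven by a few days and should be treated with care).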