Query Details
Defender Xdr Table Sizes
Query
// M365 E5 Benefit - Table Sizes by Product
// Shows all M365 E5 benefit-eligible tables (Defender XDR + Entra ID) with
// size in GB, event count, and estimated cost if they were billable.
// M365 E5 customers get these for free - this shows the benefit value.
// =====================================================================
let Price = 3.0;
union withsource=TableName
// Entra ID (formerly Azure AD)
SigninLogs, AuditLogs, AADNonInteractiveUserSignInLogs,
AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs,
AADProvisioningLogs, ADFSSignInLogs,
// Defender for Endpoint (MDE)
DeviceEvents, DeviceFileEvents, DeviceLogonEvents, DeviceNetworkEvents,
DeviceProcessEvents, DeviceRegistryEvents, DeviceImageLoadEvents,
DeviceNetworkInfo, DeviceInfo, DeviceFileCertificateInfo,
// Defender for Identity (MDI)
IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents,
// Defender Alerts
AlertEvidence,
// Defender for Office 365 (MDO)
EmailEvents, EmailUrlInfo, EmailAttachmentInfo, EmailPostDeliveryEvents,
// Defender for Cloud Apps (MCA)
CloudAppEvents
| where TimeGenerated > ago(30d)
| summarize
TotalEvents = count(),
SizeInGB = round(sum(estimate_data_size(*)) / 1000.0 / 1000.0 / 1000.0, 2),
SizeInMB = round(sum(estimate_data_size(*)) / 1000.0 / 1000.0, 2),
FirstEvent = min(TimeGenerated),
LastEvent = max(TimeGenerated)
by TableName
| extend
DailyAvgMB = round(SizeInMB / 30.0, 2),
IfBillableCostUSD = round(SizeInGB * Price, 2),
DefenderProduct = case(
TableName has "Signin" or TableName has "Audit" or TableName startswith "AAD" or TableName == "ADFSSignInLogs", "Microsoft Entra ID",
TableName startswith "Device", "Microsoft Defender for Endpoint (MDE)",
TableName startswith "Identity", "Microsoft Defender for Identity (MDI)",
TableName startswith "Email", "Microsoft Defender for Office 365 (MDO)",
TableName startswith "CloudApp", "Microsoft Defender for Cloud Apps (MCA)",
TableName startswith "Alert", "Microsoft 365 Defender (Alerts)",
"Other M365 E5 Benefit"
)
| project
DefenderProduct, TableName, SizeInGB, SizeInMB, DailyAvgMB,
TotalEvents, IfBillableCostUSD,
FirstEvent, LastEvent
| order by DefenderProduct asc, SizeInGB desc
Explanation
This query is designed to analyze and summarize the usage of various Microsoft 365 E5 benefit-eligible tables, specifically those related to Defender XDR and Entra ID. Here's a simple breakdown of what the query does:
-
Price Setting: It sets a hypothetical price of $3.00 per GB for data storage, which is used to estimate costs if the data were billable.
-
Data Collection: It gathers data from multiple tables related to different Microsoft Defender products and Entra ID (formerly Azure AD). These tables include logs and events from various security and identity services.
-
Time Filter: It filters the data to include only events generated in the last 30 days.
-
Data Summarization: For each table, it calculates:
- Total number of events.
- Total size of the data in gigabytes (GB) and megabytes (MB).
- The date and time of the first and last events.
-
Additional Calculations:
- Average daily data size in MB.
- Estimated cost in USD if the data were billable, based on the set price.
-
Product Categorization: It categorizes each table under a specific Microsoft Defender product or Entra ID based on the table name.
-
Data Presentation: It selects and orders the results by product category and data size, showing the product name, table name, data sizes, average daily size, total events, estimated cost, and event date range.
The purpose of this query is to demonstrate the value of the Microsoft 365 E5 benefits by showing the amount of data that customers get for free and what it would cost if it were not included in their subscription.
Details
David Alonso
Released: April 8, 2026
Tables
Keywords
Operators