Extending Event Log Size for Defender for Identity?

EnterpriseArchitect 6,041 Reputation points
2025-06-15T13:36:19.5766667+00:00

People,

When using MDI https://learn.microsoft.com/en-us/defender-for-identity/zero-trust do I have to extend the Maximum Event Log size in all Windows Servers to 4 GB by using this https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/limit-eventlog?view=powershell-5.1 ?

Or, this may not be necessary, as all events will be streamed free of charge to the cloud under the MDI license.

Any help would be greatly appreciated.


Accepted answer
  1. Marcin Policht 49,640 Reputation points MVP Volunteer Moderator
    2025-06-15T21:24:08.8433333+00:00

    AFAIK, there are no additional costs for streaming security events from Microsoft Defender for Identity (MDI) sensors to Microsoft Defender XDR; this functionality is included with the MDI license. The MDI sensor collects and streams relevant events directly to Defender XDR for analysis, independent of traditional event ingestion costs like those associated with Microsoft Sentinel or Log Analytics.

    Microsoft does recommend increasing the Security event log size on monitored domain controllers to at least 4 GB. This ensures that critical events are not overwritten too quickly, which could result in missed detections by MDI sensors.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    2 people found this answer helpful.
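
To check the recommendation above across a domain, the following added example (not part of the answer or of Microsoft's documentation) reports each domain controller's Security log limit and how many hours of events it currently retains. It reads and sets the limit through `Get-WinEvent -ListLog` instead of the `Limit-EventLog` cmdlet linked in the question; the function name `Test-DcSecurityLogSize` and its parameters are hypothetical.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# PowerShell remoting to every DC, and an account with admin rights on them.
function Test-DcSecurityLogSize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [long]$MinimumBytes = 4GB,  # size recommended in the answer above
        [switch]$Remediate          # raise the limit where it is too small
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            # Read the configured limit and the age of the oldest retained event.
            $r = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                $cfg    = Get-WinEvent -ListLog Security
                $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
                [pscustomobject]@{
                    MaxBytes      = $cfg.MaximumSizeInBytes
                    LogMode       = [string]$cfg.LogMode
                    HoursRetained = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)
                }
            }
        } catch {
            Write-Warning "$dc : $($_.Exception.Message)"
            continue
        }

        $changed = $false
        if ($r.MaxBytes -lt $MinimumBytes -and $Remediate -and
            $PSCmdlet.ShouldProcess($dc, "Set Security log maximum to $MinimumBytes bytes")) {
            # A size enforced by Group Policy overrides this local setting.
            Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                $cfg = Get-WinEvent -ListLog Security
                $cfg.MaximumSizeInBytes = $using:MinimumBytes
                $cfg.SaveChanges()
            }
            $changed = $true
        }

        [pscustomobject]@{
            DomainController = $dc
            MaxSizeGB        = [math]::Round($r.MaxBytes / 1GB, 2)
            MeetsMinimum     = ($r.MaxBytes -ge $MinimumBytes)
            LogMode          = $r.LogMode
            HoursRetained    = $r.HoursRetained
            Changed          = $changed
        }
    }
}

Test-DcSecurityLogSize | Format-Table -AutoSize
```

Running `Test-DcSecurityLogSize -Remediate -WhatIf` lists the domain controllers that would be changed without touching them.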
