From bec0a9d00ac34fecc24205323f057e5d4833b06e Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Mon, 20 Jun 2022 13:19:42 -0700 Subject: [PATCH] 40012854 - Clarify LogAnalytics may extract MI logs after opt-in --- .../event-id-explanations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 1b9d67ff10..0c3579cf09 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -52,6 +52,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI) +> [!NOTE] +> When Managed Installer is enabled, customers using LogAnalytics should be aware that Managed Installer may fire many 3091 events. Customers may need to filter out these events to avoid high LogAnalytics costs. + Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any WDAC policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events do not necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above. | Event ID | Explanation |
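Review bot: The added note in the `@@ -52,6 +52,9 @@` hunk advises customers to "filter out these events" without stating what that costs them. The unchanged paragraph right after it says events 3090, 3091 and 3092 help debug why something was allowed or denied and should be reviewed in context with 3076 or 3077, so dropping 3091 from collection removes that context from any centralized investigation of a block or audit event. Suggest adding a sentence that names this trade-off.

Three smaller points on the same lines:

- The subject says "after opt-in", but the note only says "When Managed Installer is enabled". If a separate opt-in step is what triggers the extraction, name it in the note. Otherwise, align the subject with the text.
- The note refers to 3091 before the paragraph and table that introduce it. Placing the note after that paragraph would read better.
- "LogAnalytics" appears twice as one word. If the Azure Monitor feature is meant, the product name is "Log Analytics".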