Forum Discussion
JasonCohen1994
Jul 07, 2022 · Brass Contributor
New Blog Post | Alert When Microsoft Sentinel Daily Ingestion Reaches a Threshold
I just wanted to take a quick moment to highlight the efforts of a community member and to make everyone aware of this potential solution.
Ashok Krishna Vemuri wrote a KQL query that reports when the daily data ingestion volume is more than 200GB. This number can be modified to fit your needs, and the query can be used in an Analytics Rule with automation (Playbook, Automation Rule) to send an alert through email, text, or any other means to the team responsible for monitoring ingestion and costs.
The query is located here: https://github.com/le0li9ht/Microsoft-Sentinel-Queries/blob/main/SuddenSpikeInDataIngestion.kql
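The query below is an added illustration of the same idea and is not the query linked in the post above, nor anything from the author of that post. It assumes the standard Log Analytics `Usage` table (where `Quantity` is in MB and `IsBillable` marks chargeable data) and a threshold of 200 GB that is purely an assumption; the `ThresholdGB` name is mine. Beyond a bare threshold check it also surfaces the single largest contributing table for the day, which is what you want in the alert when triaging a spike.

```kql
// Added example (not the linked community query). Assumes the Usage table
// schema and a hypothetical 200 GB threshold; tune ThresholdGB to your baseline.
let ThresholdGB = 200.0;
Usage
// Look only at the previous full calendar day so a once-a-day scheduled rule
// cannot double-count hours across two runs.
| where TimeGenerated >= startofday(ago(1d)) and TimeGenerated < startofday(now())
| where IsBillable == true
// Usage rows are hourly aggregates per table: roll them up per day and table first.
| summarize TableGB = sum(Quantity) / 1024.0 by Day = bin(TimeGenerated, 1d), DataType
// Then total the day and keep the table that contributed the most (arg_max
// returns the TableGB and DataType columns of the winning row).
| summarize IngestedGB = round(sum(TableGB), 2), arg_max(TableGB, DataType) by Day
| where IngestedGB > ThresholdGB
| project Day,
          IngestedGB,
          ThresholdGB,
          LargestTable = DataType,
          LargestTableGB = round(TableGB, 2)
```

When wiring this into a scheduled Analytics Rule, run it once per day with a one-day lookback and set the alert condition to trigger when the result count is greater than zero; because `Usage` data arrives with some latency, schedule the run a few hours after midnight rather than at 00:00, or the previous day's last hours may not yet be counted.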