Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

EPS calculation and log size

Brass Contributor
Good evening!
We have some customers in the process of aligning about closing a partnership to obtain Azure Sentinel, however, now and then we are asked about the average expense that they may have through the acquisition of the solution so that the customer “projects” what average consumption they will have. I did some research on the web and found some content about average consumption of EPS by solutions and average log size of them, however, I did not feel "firm" with such information. I know it is subjective and depends on each solution / technology, among other variables, however, I would like to know if someone has / indicates some type of material / spreadsheet or something like that I can help “price” a new customer for Azure acquisition Sentinel. Ex: Knowing on average that the customer has X equipment and technologies, as well as the EPS and average size of the logs of these artifacts, they arrive at an approximate value of X, we can “stipulate” that they will be ingested in Sentinel “X GB”, which in turn , can result in “X” values.
1 Reply

@Luizao_f 

 

As you say there can be a large variance here.

 

union withsource=_TableName1 *
| where _TimeReceived  > ago(1d)
| summarize count() , Size = sum(_BilledSize) by bin(_TimeReceived, 1m), Type, _IsBillable, _BilledSize
| extend counttemp =count_ / 60
| summarize 
           ['Average Events per Second (eps)'] = avg(counttemp),
           ['Average Bytes']=avg(_BilledSize),
           //['Bytes']=avg(counttemp) * avg(_BilledSize),
           ['Minimum eps']=min (counttemp),
           ['Maximum eps']=max(counttemp)
  by ['Table Name']=Type
| order  by ['Average Events per Second (eps)'] desc

Here I run the above on the Microsoft demo data:

Go to Log Analytics and run query  (top 5 shown)

Table Name Average Events per Second (eps) Average Bytes Minimum eps Maximum eps
ContainerLog 1.6899142145116457 350.67232579315635 0 119
AzureNetworkAnalytics_CL 0.5160871447121628 681.2308469196364 0 227
W3CIISLog 0.10373542707589817 518.1744672172938 0 18
AppPageViews 0.06976744186046512 849.984952120383 0 2
AppMetrics 0.06423229212494501 763.9826849349506 0 33

 

What you can see is there is often a large difference between the min, avg and max eps.  And the average bytes varies as well.  You could use this as a basis of a calculation, adding in your device counts for the various technologies.  Many of the online calculators use 200-500bytes as a baseline. 


Ideally you'd do a POC to test the incoming customer data, but I appreciate that isn't always possible.