Dec 21 2020 02:04 PM
We have some customers in the process of aligning about closing a partnership to obtain Azure Sentinel; however, now and then we are asked about the average expense that they may have through the acquisition of the solution so that the customer “projects” what average consumption they will have. I did some research on the web and found some content about average consumption of EPS by solutions and average log size of them; however, I did not feel "firm" with such information. I know it is subjective and depends on each solution / technology, among other variables; however, I would like to know if someone has / indicates some type of material / spreadsheet or something like that so I can help “price” a new customer for Azure Sentinel acquisition. Ex: Knowing on average that the customer has X equipment and technologies, as well as the EPS and average size of the logs of these artifacts, they arrive at an approximate value of X, we can “stipulate” that they will be ingested in Sentinel “X GB”, which, in turn, can result in “X” values.
Dec 22 2020 03:17 AM
As you say there can be a large variance here.
union withsource=_TableName1 *
| where _TimeReceived > ago(1d)
| summarize count(), Size = sum(_BilledSize) by bin(_TimeReceived, 1m), Type, _IsBillable, _BilledSize
| extend counttemp = count_ / 60
| summarize
    ['Average Events per Second (eps)'] = avg(counttemp),
    ['Average Bytes'] = avg(_BilledSize),
    //['Bytes'] = avg(counttemp) * avg(_BilledSize),
    ['Minimum eps'] = min(counttemp),
    ['Maximum eps'] = max(counttemp)
    by ['Table Name'] = Type
| order by ['Average Events per Second (eps)'] desc
Here I run the above on the Microsoft demo data:
Go to Log Analytics and run query (top 5 shown)
| Table Name | Average Events per Second (eps) | Average Bytes | Minimum eps | Maximum eps |
What you can see is there is often a large difference between the min, avg and max eps. And the average bytes varies as well. You could use this as a basis of a calculation, adding in your device counts for the various technologies. Many of the online calculators use 200-500 bytes as a baseline.
Ideally you'd do a POC to test the incoming customer data, but I appreciate that isn't always possible.
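Added example, not part of the reply above: the calculation it describes, written out in Python. Per-device EPS figures (as the query reports per table) are multiplied by device counts, and the 200-500 byte baseline is used as a range wherever no average event size has been measured. The inventory values, the `Source` and `estimate` names, and the 10^9-byte GB are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86_400
BASELINE_BYTES = (200, 500)  # per-event size range the reply says online calculators use

@dataclass
class Source:
    name: str
    devices: int
    avg_eps: float                      # average events/second per device
    max_eps: float                      # peak events/second per device
    avg_bytes: Optional[float] = None   # measured average event size; None = not measured

def gb_per_day(eps: float, event_bytes: float) -> float:
    # Assumption: 1 GB = 10^9 bytes.
    return eps * event_bytes * SECONDS_PER_DAY / 1e9

def estimate(sources):
    """Return per-source and total daily ingestion as low / high / peak GB."""
    rows = []
    for s in sources:
        if s.avg_bytes is not None:
            lo_b = hi_b = s.avg_bytes   # measured size: low and high coincide
        else:
            lo_b, hi_b = BASELINE_BYTES # unknown size: carry the baseline as a range
        fleet_eps = s.devices * s.avg_eps
        rows.append({
            "name": s.name,
            "low_gb": gb_per_day(fleet_eps, lo_b),
            "high_gb": gb_per_day(fleet_eps, hi_b),
            # Ceiling if every device held its maximum rate for the whole day;
            # shows how far the min/avg/max spread can move the figure.
            "peak_gb": gb_per_day(s.devices * s.max_eps, hi_b),
        })
    totals = {k: sum(r[k] for r in rows) for k in ("low_gb", "high_gb", "peak_gb")}
    return rows, totals

# Constructed inventory, for illustration only.
INVENTORY = [
    Source("Firewall", devices=4, avg_eps=50, max_eps=200, avg_bytes=400),
    Source("Windows servers", devices=100, avg_eps=1, max_eps=5),  # size unknown
]

if __name__ == "__main__":
    rows, totals = estimate(INVENTORY)
    for r in rows:
        print(f"{r['name']:<16} {r['low_gb']:7.2f} - {r['high_gb']:7.2f} GB/day "
              f"(peak {r['peak_gb']:.2f})")
    print(f"{'Total':<16} {totals['low_gb']:7.2f} - {totals['high_gb']:7.2f} GB/day "
          f"(peak {totals['peak_gb']:.2f})")
```

Multiplying the resulting GB/day range by the current per-GB ingestion price for the customer's region and tier gives the cost range to quote.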