<LINGO-SUB id="lingo-sub-1282246" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1282246" slang="en-US">
<P>Added v1.1 - to show Events Per Second (eps) details for all tables. Thanks Yaniv Shasha and Kara Cole</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1287772" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1287772" slang="en-US">
<P>Well done Clive, very useful workbook!</P>
<P>It gives an overview of Sentinel's ingestion cost.</P>
<P>Many customers have asked me about this in the past.</P>
<P>I suggest including it by default in Sentinel.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1288405" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1288405" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/482040" target="_blank">@sifriger</A> thanks for the feedback, and we are talking about getting it added fairly soon.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1291227" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1291227" slang="en-US">
<P>Added <A href="https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/Workspace%20Usage%20report%20v1.2.workbook" target="_self" rel="noopener noreferrer">v1.2</A> - EPS by Device Vendor in the CommonSecurityLog table (CEF)</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1304240" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1304240" slang="en-US">
<P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/239477" target="_blank">@Clive Watson</A>, great details - could this also be used to track usage into Logic Apps as well?</P>
<P>We're looking into how we enable the lookup of the "Groups" a user is in, and this doesn't exist at the moment (??), so the options appear to be either:</P>
<OL>
<LI>Use Logic Apps - possibly expensive on 14,000 users?</LI>
<LI>Use Azure Functions &amp; PowerShell into a Blob - might be more affordable</LI>
</OL>
<P>A bit off topic, but it's also strange why this cannot be done through the native connector or the Graph API?</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1304766" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1304766" slang="en-US">
<P>Hi <A id="link_23" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/129396" target="_self">David Caddick</A></P>
<P>Group data isn't available; the connector is for logging, not configuration, so even if there were log entries you may miss groups or their membership. i.e. a group is created on Jan 1st, and you elected to keep only 3 months' retention in your workspace, so you lose knowledge of it on 1st April. That's why you need to check against the API or another trusted source.</P>
<P><A href="https://techcommunity.microsoft.com/t5/azure-sentinel/sign-in-logs-and-azure-ad-groups/m-p/1244996#M1213" target="_blank">https://techcommunity.microsoft.com/t5/azure-sentinel/sign-in-logs-and-azure-ad-groups/m-p/1244996#M1213</A></P>
<P>How often are you adding Groups / memberships? Perhaps a Logic App / PS / Function that ran 1, 2 or 4 times a day would be sufficient to populate a CSV file?</P>
<P>Some logging data is obtained via these EventIDs (my list, so I may have missed some):</P>
<PRE>// 4727 A security-enabled global group was created.
// 4728 A member was added to a security-enabled global group.
// 4729 A member was removed from a security-enabled global group.
// 4730 A security-enabled global group was deleted.
// 4731 A security-enabled local group was created.
// 4732 A member was added to a security-enabled local group.
// 4733 A member was removed from a security-enabled local group.
// 4734 A security-enabled local group was deleted.
// 4735 A security-enabled local group was changed.
// 4737 A security-enabled global group was changed.
// 4754 A security-enabled universal group was created.
// 4755 A security-enabled universal group was changed.
// 4756 A member was added to a security-enabled universal group.
// 4757 A member was removed from a security-enabled universal group.
// 4758 A security-enabled universal group was deleted.
// 4764 A group's type was changed.

SecurityEvent
| where EventID in (4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764)
| summarize count() by EventID, Activity</PRE>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1305810" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1305810" slang="en-US">
<P>Added <A href="https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/Workspace%20Usage%20Report%20v1.3a.workbook" target="_self" rel="noopener noreferrer">v1.3a</A> - EPS Tab added. Graphs for Workspace Info and eps are also now in the same format.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1339981" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1339981" slang="en-US">
<P>Added v1.4 with suggested Daily, Weekly and Monthly checks - see the link in the main post for the download.<BR /><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/186766iB90DD2B5000EA485/image-size/large?v=1.0&amp;px=999" title="dwm-main.gif" alt="dwm-main.gif" /></P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1359647" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1359647" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/239477" target="_blank">@Clive Watson</A> Saw this on your Azure Sentinel presentation, looks to be an awesome workbook.</P>
<P>Thanks <IMG class="lia-deferred-image lia-image-emoji" src="https://gxcuf89792.i.lithium.com/html/images/emoticons/smile_40x40.gif" alt=":smile:" title=":smile:" /></P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1671016" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1671016" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/239477" target="_blank">@Clive Watson</A><BR />Greetings. We implemented your great workbook (v1.4) for one of our clients and it's been most useful, thank you.</P>
<P>Unfortunately, in the last couple of days something has changed, and when they went to use it, it now comes up with:</P>
<P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/218537iF7AEF2D19E89B82D/image-size/medium?v=1.0&amp;px=400" title="Col_Sanders_0-1600208460489.png" alt="Col_Sanders_0-1600208460489.png" /></P>
<P>Being fairly new to workbooks and Kusto, I'm not really sure where to start with debugging this, or is it literally a case of needing to log a support ticket to resolve this?</P>
<P>Thinking someone must have messed with the workbook, I re-downloaded and recreated the workbook but still get the same error.</P>
<P>I'm guessing (maybe wrongly) that it may be a new custom table that's been added in, though I'm not sure which one that may have been or how to identify it.</P>
<P>PS</P>
<P>Just going through the table names, the only thing I notice is there are two <EM>similarly</EM> named custom logs:</P>
<P>Compromised_IP_CL</P>
<P>Compromised_URL_CL</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1671881" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1671881" slang="en-US">
<P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/676388" target="_blank">@Col_Sanders</A>, I should have a new version out today to fix this. It is a name clash. It may not be as fully tested as I'd like, but I'm sure I'll get feedback if anything isn't working.</P>
<P>Can you please try this and let me know?</P>
<P><A href="https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/WorkspaceHealth/Workspace%20Health%20Report%20v1.4.4%20-quickFix.workbook" target="_blank" rel="noopener noreferrer">https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/WorkspaceHealth/Workspace%20Health%20Report%20v1.4.4%20-quickFix.workbook</A></P>
<P>Thanks, Clive</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1267383" slang="en-US">Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1267383" slang="en-US">
<P><FONT size="5"><STRONG><FONT color="#FF0000">Update</FONT></STRONG></FONT>: 16th September 2020: There has been an issue with a naming convention I used in this workbook; you will need to download v1.4.4 from below as a quick fix for the issue. Please upgrade if you see this error: "<FONT size="2"><EM>union named column name: <STRONG>TableName</STRONG> already exists</EM></FONT>"</P>
<P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/180854iFE72324DEBC41C5E/image-size/large?v=1.0&amp;px=999" title="Annotation 2020-03-31 105407.jpg" alt="Annotation 2020-03-31 105407.jpg" /></P>
<P>From the above screenshot you can see that you can select your <STRONG>Subscription</STRONG> and <STRONG>Workspace(s)</STRONG>. You can also provide a price (hover your mouse over the icon above that field for the tool tip with details).<BR />The first part of the report shows one Workspace, or many if you select <STRONG>&lt;unset&gt;</STRONG> in the workspace drop-down.</P>
<P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/180855iFFF1083C517CDCE4/image-size/large?v=1.0&amp;px=999" title="Annotation 2020-03-31 105957.jpg" alt="Annotation 2020-03-31 105957.jpg" /></P>
<P>This report uses Azure Resource Graph (ARG) data, so it retrieves details such as the retention and the licence used. You can also see (if known) who last set the licence and which licence scheme you're on. If Sentinel is assigned to the workspace, you can probably adjust your retention from 30 days to 90 days for free, so I make a note of that. Please do check before you make changes.</P>
<H3 id="toc-hId-1115959400">Download and Install:</H3>
<P>Please download the Workbook from my <A href="https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/Workspace%20Usage%20report.workbook" target="_self" rel="noopener noreferrer">Github (v1.0)</A> and read the <STRONG>import</STRONG> instructions in the <A href="https://github.com/CliveW-MSFT/KQLpublic/blob/master/README.md" target="_self" rel="noopener noreferrer">readme</A>.</P>
<UL>
<LI><A href="https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/Workspace%20Usage%20report%20v1.1.workbook" target="_self" rel="noopener noreferrer">v1.1</A> Added Events Per Second (eps) info</LI>
<LI>Please look in the Github (above) for other versions</LI>
<LI>...</LI>
<LI><A href="https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/Workspace%20Usage%20Report%20v1.4.txt" target="_self" rel="noopener noreferrer">v1.4</A> Added a Checks Tab for Daily, Weekly and Monthly suggested checking routines. Thanks to <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/324945" target="_self">Rod Trent</A>; the Workbook aligns to his and the community's suggested Daily, Weekly &amp; Monthly checks: <A href="https://secureinfra.blog/2020/03/19/suggested-daily-weekly-and-monthly-tasks-for-azure-sentinel/" target="_blank" rel="noopener nofollow noreferrer">https://secureinfra.blog/2020/03/19/suggested-daily-weekly-and-monthly-tasks-for-azure-sentinel/</A></LI>
<LI>v1.4.4 Quick fix: There has been a recent clash with the prime query table name I used in this workbook, and therefore I have renamed "TableName" to "TableName1".<BR />This is the <A href="https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/WorkspaceHealth/Workspace%20Health%20Report%20v1.4.4%20-quickFix.workbook" target="_self" rel="noopener noreferrer">latest version</A>. Please note, I had some other changes planned, so some parts may not be fully working.</LI>
</UL>
<H2 id="toc-hId--701998167">Tab 1: Workspace Info</H2>
<P>The report then shows all the Tables you have (with a daily average in the chart title). The 'Estimated Table Price' will only have data if you enter a value in the [price] field.<BR /><BR /><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/180835iC042B4E21954906A/image-size/large?v=1.0&amp;px=999" title="Annotation 2020-03-31 110640.jpg" alt="Annotation 2020-03-31 110640.jpg" /><BR />Next I have included the Table Size and Table Entries reports from another workbook. These are useful for spotting any pattern changes over the time period.</P>
<H2 id="toc-hId-1785514666">Tab 2: Latency</H2>
<P>The latency report is similar to the info one in Tab 1. Here I show the Average, Minimum and Maximum latency for each Table. You can click a column heading to sort the results.</P>
<P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/180836i6E953C9278D6ECC0/image-size/large?v=1.0&amp;px=999" title="Annotation 2020-03-31 111210.jpg" alt="Annotation 2020-03-31 111210.jpg" /></P>
<P>Next, once you select a Computer from the list, the report shows its Heartbeat data. This view is based on the default Agent Health workbook (see Azure Monitor Workbooks), but the right-hand graph shows the latency for both the Computer and the Agent (they can be different).</P>
<P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/180839i08C72EF8BB6DAD2D/image-size/large?v=1.0&amp;px=999" title="Annotation 2020-03-31 111540.jpg" alt="Annotation 2020-03-31 111540.jpg" /></P>
<H2 id="toc-hId--21939797">Tab 3: Costs</H2>
<P>This tab, as the name suggests, gives you some other insights into Costs. The first graph is a capacity trend, projecting forward 30 days to give you a hint as to the ingestion trajectory you are on.</P>
<P>Note: the longer the time span you select, the better the slope will be (30 days+ ideally); however, it is a slow query, and a longer time span will slow it down further.</P>
<P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/180842iE58965C921CB1447/image-size/large?v=1.0&amp;px=999" title="Annotation 2020-03-31 112027.jpg" alt="Annotation 2020-03-31 112027.jpg" /></P>
<P>The next three graphs break down the Top 10 costs by <STRONG>Table</STRONG> and by <STRONG>Resource</STRONG>, as well as the Top 20 cost per <STRONG>EventID</STRONG>. These can be very useful for spotting a busy Computer or EventID that you may have.<BR />Would a filter to select the Top 10, 20 or 30 be useful?</P>
<P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/180844iAFB93B0E876620F7/image-size/large?v=1.0&amp;px=999" title="Annotation 2020-03-31 112619.jpg" alt="Annotation 2020-03-31 112619.jpg" /></P>
<H2 id="toc-hId--1829394260">Tab 4: Sentinel</H2>
<P>This tab shows some details from the Azure Activity logs as a tile view. The bottom graph shows only the specific Tables that Sentinel uses in the Log Analytics workspace.</P>
<P><IMG src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/180845i6F85145F44EB0498/image-size/large?v=1.0&amp;px=999" title="Annotation 2020-03-31 113042.jpg" alt="Annotation 2020-03-31 113042.jpg" /></P>
<H4 id="toc-hId-1359183151">Summary:</H4>
<P>This workbook has been many months in the making, and thanks to many people for testing and suggesting features.</P>
</LINGO-BODY>
<LINGO-TEASER id="lingo-teaser-1267383" slang="en-US">
<P>This Workbook Usage report is designed to give you insights into the usage and capabilities of the Log Analytics workspace that Azure Sentinel uses.</P>
<P>Much like my recent Workbook for <A href="https://techcommunity.microsoft.com/t5/azure-sentinel/compliance-reporting-for-azure/ba-p/1259574" target="_self">Compliance reporting</A>, this workbook is divided into 4 main Tabs: Workspace Information, Latency, Cost and Sentinel.</P>
</LINGO-TEASER>
<LINGO-LABS id="lingo-labs-1267383" slang="en-US"><LINGO-LABEL>Azure Sentinel</LINGO-LABEL></LINGO-LABS>
<LINGO-SUB id="lingo-sub-1676788" slang="en-US">Re: Usage reporting for Azure Sentinel</LINGO-SUB>
<LINGO-BODY id="lingo-body-1676788" slang="en-US">
<P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/239477" target="_blank">@Clive Watson</A><BR />Thanks for such a rapid fix :)<BR />It does indeed work again, thank you.</P>
<P>I see you also "<EM>Added value to Y axis of [Cost] trend graph</EM>", which may have been in response to our request through our local MS team ... thank you for that too.<BR />Please permit me to provide a little "user perspective" on that for you.<BR />Having <EM>any</EM> value on the y axes is definitely an improvement, so even having storage is more meaningful - thanks.</P>
<P>From a client perspective, however, I know that having navigated to the <EM>Cost</EM> tab they were expecting to see a <EM>$cost</EM> projection on the y axes, based upon the <EM>Price</EM> field, rather than just a storage-projection value.<BR />While I acknowledge the complexity of the calculation with retention duration settings etc., I think that is exactly where a projection graph like this would offer the most user value. Food for thought in a future version perhaps.</P>
<P>Thanks too for providing a default value for the <EM>Price</EM> field; that makes it easy to do the workspace-based calculation and plug that in as the default so it doesn't have to be re-entered at every use.</P>
3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again%20for%20the%20prompt%20service%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1677523%22%20slang%3D%22en-US%22%3ERe%3A%20Usage%20reporting%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1677523%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20feedback%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F676388%22%20target%3D%22_blank%22%3E%40Col_Sanders%3C%2FA%3E%26nbsp%3B-%20please%20post%20if%20you%20have%20more%20ideas%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20do%20want%20to%20rework%20the%20Cost%20tab%20(I%20also%20aim%20to%20do%20a%20little%20more%20with%20the%20data%20from%20ASC%20especially).%26nbsp%3B%20I%20had%20been%20making%20the%20changes%20to%20do%20similar%20to%20your%20suggestions%2C%20and%20things%20like%20the%20updated%20y-axis%20were%20part%20of%20that%2C%20so%20you%20got%20to%20see%20this%20a%20little%20earlier%20than%20I'd%20planned.%3CBR%20%2F%3EI'm%20being%20very%20careful%20not%20to%20re-invent%20the%20Azure%20Pricing%20Calculator%2C%20but%20I'm%20glad%20the%20default%20pricing%20value%20and%20updated%20cost(volume)%20prediction%20are%20valuable.%26nbsp%3B%20%3CBR%20%2F%3ENow%20I%20have%20the%20volumes%20in%20the%20graph%2C%20would%20something%20like%20the%20table%20below%20help%2C%20with%20a%20volume%20now%2C%20volume%20predicted%20and%20cost%20now%20and%20cost%20predicted%20work%20(this%20would%20need%20formatting%2C%20but%20you%20get%20the%20idea)%3F%26nbsp%3B%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Annotation%202020-09-17%20105738.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219100iFB483AF535B175EE%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Annotation%202020-09-17
%20105738.jpg%22%20alt%3D%22Annotation%202020-09-17%20105738.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F676388%22%20target%3D%22_blank%22%3E%40Col_Sanders%3C%2FA%3E%26nbsp%3Bif%20you%20DM%20me%20your%20email%2C%20I%20can%20share%20the%20revised%20version%2C%20if%20you'd%20like%20to%20test%3F%26nbsp%3B%20or%20use%20your%20Microsoft%20contact%20if%20you%20prefer%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1677569%22%20slang%3D%22en-US%22%3ERe%3A%20Usage%20reporting%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1677569%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20work%20on%20the%20latest%20update%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%2C%20I've%20updated%20it%20this%20morning%20and%20it%20is%20now%20working%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20very%20much%20%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Update: 16th September 2020: There was an issue with a naming convention I used in this workbook; you will need to download v1.4.4 from below as a quick fix. Please upgrade if you see this error: "union named column name: TableName already exists"

[Screenshot: Annotation 2020-03-31 105407.jpg]

From the above screenshot you can see that you can select your Subscription and Workspace(s). You also have the ability to provide a price (see the tooltip as you hover your mouse over the icon above that field for details).
The first part of the report shows one Workspace, or many if you select <unset> in the workspace drop-down.

[Screenshot: Annotation 2020-03-31 105957.jpg]

This report uses Azure Resource Graph (ARG) data, so it retrieves details like the retention and licence used. You can also see (if known) who last set the licence and what licence scheme you're on. If you have Sentinel assigned to the workspace, you can probably adjust your retention from 30 days to 90 days for free, so I make a note of that. Please do check before you make changes.

Download and Install:

Please download the Workbook from my GitHub (v1.0) and read the import instructions in the readme.

  • v1.1 Added Events Per Second (eps) info
  • Please look in the GitHub repository (above) for other versions
  • ...
  • v1.4 Added a Checks tab for Daily, Weekly and Monthly suggested checking routines. Thanks to Rod Trent; the Workbook aligns to his and the community's suggested Daily, Weekly & Monthly checks: https://secureinfra.blog/2020/03/19/suggested-daily-weekly-and-monthly-tasks-for-azure-sentinel/
  • v1.4.4 Quick fix: there has been a recent clash with the main query's table name I used in this workbook, so I have renamed "TableName" to "TableName1".
    This is the latest version. Please note, I had some other changes planned, so some parts may not be fully working.


Tab 1: Workspace Info

The report then shows all the Tables you have (with a daily average in the chart title). The 'Estimated Table Price' column will only have data if you put a value in the [price] field.

[Screenshot: Annotation 2020-03-31 110640.jpg]

Next I have included the Table Size and Table Entries reports from another workbook. These are useful for spotting any pattern changes over the time period.
Tab 2: Latency

The latency report is similar to the info one in Tab 1. Here I show the Average, Minimum and Maximum latency for each Table. You can click a column heading to sort the results.

[Screenshot: Annotation 2020-03-31 111210.jpg]

Next, after you select a Computer from the list, we show its Heartbeat data. This view is based on the default Agent Health workbook (see Azure Monitor Workbooks), but the right-hand graph shows the latency info for both the Computer and the Agent (they can be different).

[Screenshot: Annotation 2020-03-31 111540.jpg]

Tab 3: Costs

This tab, as the name suggests, gives you some other insights into Costs. The first graph is a capacity trend, projecting forward 30 days to give you a hint of the ingestion trajectory you are on.

Note: the longer the time span you select, the better the slope will be (30 days+ ideally); however, it is a slow query and a longer time span will slow it down more!

[Screenshot: Annotation 2020-03-31 112027.jpg]
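As an added example (not the workbook's own query), this is how that forward projection can be written in KQL against the Usage table with series_fit_line, done per table so it also gives the Tab 1 'Estimated Table Price' a projected column alongside the current one. PricePerGB, the 30-day lookback and the 30-day horizon are assumed placeholders to set for your own workspace.

```kusto
// Added example, not the workbook's own query: fit a straight line to each
// table's daily billable ingestion (from the Usage table), project it
// horizon_days forward, and price both the current and the projected volume.
let PricePerGB = 2.30;            // assumed placeholder, not a real price
let lookback_days = 30;           // longer spans give a steadier slope
let horizon_days = 30;            // how far ahead to project
let stop = startofday(now());
let start = stop - lookback_days * 1d;
Usage
| where TimeGenerated between (start .. stop)
| where IsBillable == true
| make-series DailyMB = sum(Quantity) default = 0
    on TimeGenerated from start to stop step 1d by DataType
// slope is MB per day; interception is the fitted value at day 0 of the window
| extend (rsquare, slope, variance, rvariance, interception, line_fit) = series_fit_line(DailyMB)
| extend last_index = array_length(DailyMB) - 1
| extend CurrentDailyGB = (interception + slope * last_index) / 1024.0
// a falling trend can cross zero inside the horizon; clamp so cost is never negative
| extend PredictedDailyGB = max_of((interception + slope * (last_index + horizon_days)) / 1024.0, 0.0)
| extend CurrentDailyCost = CurrentDailyGB * PricePerGB,
         PredictedDailyCost = PredictedDailyGB * PricePerGB
| project DataType,
          rsquare = round(rsquare, 2),
          CurrentDailyGB = round(CurrentDailyGB, 2),
          PredictedDailyGB = round(PredictedDailyGB, 2),
          CurrentDailyCost = round(CurrentDailyCost, 2),
          PredictedDailyCost = round(PredictedDailyCost, 2)
| order by PredictedDailyCost desc
```

The rsquare column is worth keeping in view: a low value means the straight-line fit explains little of the variation and the projected cost should not be trusted, whatever the slope says.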

The next three graphs break down the Top 10 costs by Table and by Resource, as well as the Top 20 costs per EventID. These can be very useful to spot a busy Computer or EventID that you may have.
Would a filter to select the Top 10, 20 or 30 be useful?

[Screenshot: Annotation 2020-03-31 112619.jpg]

Tab 4: Sentinel

This tab shows some details from Azure Activity logs as a tile view. The bottom graph just shows the specific Tables that Sentinel uses in the Log Analytics workspace.

[Screenshot: Annotation 2020-03-31 113042.jpg]

Summary:


This workbook has been many months in the making, and thanks to many people for testing and suggesting features.

15 Comments
Microsoft

Added v1.1 - to show Event Per Second (eps) details for all tables.  Thanks Yaniv Shasha and Kara Cole

Microsoft

Well done Clive, very useful workbook!

It gives an overview of Sentinel's ingestion cost.

Many customers have asked me about it in the past.

I suggest including it by default in Sentinel.

Microsoft

@sifriger thanks for the feedback, and we are talking about getting it added fairly soon.

Microsoft

Added v1.2 - EPS by Device Vendor in CommonSecurityLog table (CEF)

Frequent Contributor

Hi @Clive Watson, great details - could this also be used to track usage into Logic Apps as well?

We're looking into how we enable the lookup of the "Groups" a user is in, and this doesn't exist at the moment (??), so the options appear to be either:

  1. Use Logic Apps - possibly expensive on 14,000 Users?
  2. Use Azure Functions & PowerShell into a Blob, which might be more affordable

A bit off topic, but it's also strange why this cannot be done thru the native connector or the Graph API?

Microsoft

Hi 

Group data isn't available; the connector is for logging, not configuration, so even if there were log entries you may miss groups or their membership, i.e. a group is created on Jan 1st, and you elected to keep only 3 months' retention in your workspace, so you lose knowledge of it on 1st April. That's why you need to check against the API or another trusted source.

https://techcommunity.microsoft.com/t5/azure-sentinel/sign-in-logs-and-azure-ad-groups/m-p/1244996#M...

How often are you adding Groups / memberships? Perhaps a Logic App / PS / Function that ran 1, 2 or 4 times a day would be sufficient to populate a CSV file?


Some logging data is obtained from these EventIDs (my list, so I may have missed some):

// 4727 A security-enabled global group was created. 
// 4728 A member was added to a security-enabled global group. 
// 4729 A member was removed from a security-enabled global group. 
// 4730 A security-enabled global group was deleted. 
// 4731 A security-enabled local group was created. 
// 4732 A member was added to a security-enabled local group. 
// 4733 A member was removed from a security-enabled local group. 
// 4734 A security-enabled local group was deleted. 
// 4735 A security-enabled local group was changed. 
// 4737 A security-enabled global group was changed. 
// 4754 A security-enabled universal group was created. 
// 4755 A security-enabled universal group was changed. 
// 4756 A member was added to a security-enabled universal group. 
// 4757 A member was removed from a security-enabled universal group. 
// 4758 A security-enabled universal group was deleted. 
// 4764 A group's type was changed.

SecurityEvent
| where EventID in (4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4764)
| summarize count() by EventID, Activity


Microsoft

Added v1.3a - EPS Tab added.  Graphs for Workspace Info and eps are also now in the same format 

Microsoft

Added v1.4 with suggested Daily, Weekly and Monthly checks - see link in the main post for the download
[Animation: dwm-main.gif]

Occasional Contributor

@Clive Watson Saw this on your Azure Sentinel presentation, looks to be an awesome workbook.

Thanks :smile:

New Contributor

@Clive Watson 
Greetings. We implemented your great workbook (v1.4) for one of our clients and it's been most useful, thank you.

Unfortunately, in the last couple of days something has changed, and when they went to use it, it now comes up with

[Screenshot: Col_Sanders_0-1600208460489.png]

Being fairly new to workbooks and kusto, I'm not really sure where to start with debugging this, or is it literally a case of needing to log a support ticket to resolve this?

Thinking someone must have messed with the workbook, I re-downloaded and recreated the workbook but still get the same error. 

I'm guessing (maybe wrongly) that it may be a new custom table that's been added in, though I'm not sure which one that may have been or how to identify it.

PS

Just going through the table names, the only thing I notice is there are two similarly named custom logs:

Compromised_IP_CL

Compromised_URL_CL

Microsoft

Hi @Col_Sanders, I should have a new version out today to fix this. It is a name clash. It may not be as fully tested as I'd like, but I'm sure I'll get feedback if anything isn't working.

Can you please try this and let me know?

https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/WorkspaceHealth/Workspace%20Healt...

Thanks, Clive

New Contributor

Hi @Clive Watson 
Thanks for such a rapid fix :) 
It does indeed work again thank you. 


I see you also "Added value to Y axis of [Cost] trend graph", which may have been in response to our request through our local MS team ... thank you for that too.
Please permit me to provide a little "user perspective" on that for you.
Having any value on the y axis is definitely an improvement, so even having storage is more meaningful - thanks.

From a client perspective, however, I know that having navigated to the Cost tab they were expecting to see a $cost projection on the y axis, based upon the Price field, rather than just a storage-projection value.
While I acknowledge the complexity of the calculation with retention duration settings etc., I think that is exactly where a projection graph like this would offer the most user value. Food for thought for a future version perhaps.

Thanks too for providing a default value for the Price field; that makes it easy to do the workspace-based calculation and plug that in as the default so it doesn't have to be re-entered at every use.

Thanks again for the prompt service :)

Microsoft

Great feedback @Col_Sanders - please post if you have more ideas.

I do want to rework the Cost tab (I also aim to do a little more with the data from ASC especially). I had been making changes to do something similar to your suggestions, and things like the updated y-axis were part of that, so you got to see this a little earlier than I'd planned.
I'm being very careful not to re-invent the Azure Pricing Calculator, but I'm glad the default pricing value and updated cost (volume) prediction are valuable.
Now I have the volumes in the graph, would something like the table below help, with volume now, volume predicted, cost now and cost predicted (this would need formatting, but you get the idea)?
[Screenshot: Annotation 2020-09-17 105738.jpg]

@Col_Sanders if you DM me your email, I can share the revised version, if you'd like to test?  or use your Microsoft contact if you prefer?

Occasional Contributor

Great work on the latest update @Clive Watson, I've updated it this morning and it is now working again.


Thanks very much :cool:

Microsoft

This is fantastic - I do not have access to the Sentinel Ninja training and Sales Plays - but a link to this workbook would be extremely useful to the consumers of both of those resources.