Forum Discussion
nsovilj
Mar 24, 2023 | Copper Contributor
Analytic rules, KQL queries and UEBA pricing
Hi, I am interested if there is any additional cost when talking about Log Analytics Workspace (without Sentinel) when it comes to running KQL queries? Are there any "data processing" costs that ...
Rod_Trent
Microsoft
There's no cost to run queries. Sentinel costs are at the base level: ingestion and data retention. There are other things that factor in, like Logic Apps, etc., but for the most part it's just ingestion and data retention.
UEBA consists of four tables: BehaviorAnalytics, IdentityInfo, UserAccessAnalytics, and UserPeerAnalytics.
You can look at how much each will cost based on ingestion and data retention using the following query: https://github.com/rod-trent/SentinelKQL/blob/master/UEBACosts.txt
And, if you ever want to know which tables do or do not factor into cost, you can use the following query to show the isBillable flag: https://github.com/rod-trent/SentinelKQL/blob/master/TableUsageandCost.txt
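An added example, not one of the queries linked above, showing the same idea against the Usage table: it sums the last 30 days of ingestion for the four UEBA tables and splits it by the IsBillable flag. It assumes the standard Log Analytics Usage schema (DataType, IsBillable, Quantity in MB) and a per-GB rate in USD you fill in yourself; the 2.60 below is only a placeholder copied from the thread, not a price lookup.

```kql
// Constructed example: billable vs. non-billable UEBA ingestion over the last 30 days.
// Usage.Quantity is reported in MB, so divide by 1024 for GB.
let UebaTables = dynamic(["BehaviorAnalytics", "IdentityInfo", "UserAccessAnalytics", "UserPeerAnalytics"]);
let PricePerGB = 2.60;   // placeholder rate from the thread; substitute your own contracted rate
Usage
| where TimeGenerated > ago(30d)
| where DataType in (UebaTables)
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 3) by DataType, IsBillable
| extend EstimatedCostUSD = iff(IsBillable, round(IngestedGB * PricePerGB, 2), 0.0)
| order by IsBillable desc, IngestedGB desc
```

Rows with IsBillable == false are tables that do not count toward ingestion cost, which is the same signal the linked TableUsageandCost query surfaces.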
nsovilj
Apr 04, 2023 | Copper Contributor
When you say there is no cost to run queries do you mean also that there is no cost to setting up scheduled analytical rules in Sentinel besides KQL interactive queries from Log Analytic Workspace?
When Microsoft mentions the Pay-As-You-Go $2.60 per GB ingested price, I would assume that the very same data that has already been ingested once would be billed again if ingested later when running a KQL interactive query or an Analytical rule. It doesn't explicitly say what "ingest" means. Is it applied automatically only once when data is ingested in Log Analytics (LA price + Sentinel price), or LA price once and Sentinel price n times you run some query or Analytical rule? I would assume the latter since they only say "$ per GB ingested" and because it is logical that compute resources are used when using KQL queries and rules.
Can you please provide me with some approximate numbers regarding those 4 UEBA tables? How much space in MB/GB do all 4 of those tables take on a monthly basis and in what kind of environment (approximate number of users/computers within organization where you have used UEBA)?