cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Analytic rules, KQL queries and UEBA pricing

nsovilj
Copper Contributor

‎Mar 24 2023 05:15 AM - edited ‎Mar 24 2023 05:15 AM

‎Mar 24 2023 05:15 AM - edited ‎Mar 24 2023 05:15 AM

Analytic rules, KQL queries and UEBA pricing

Hi,

 

I am interested if there is any additional cost when talking about Log Analytics Workspace (without Sentinel) when it comes to running KQL queries? Are there any "data processing" costs that occur or is it free in that sense?

On this link https://azure.microsoft.com/en-us/pricing/details/monitor/ I didn't see any mention of "data processing costs", Microsoft only mentions "Log data processing" feature name "Log data ingestion and transformation" but writing KQL queries is not data transformation in that sense -> https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations 

 

When talking about Sentinel, should I expect larger bill if I enable 50-500 Analytic rules from Sentinel templates or content hub? Do these or custom analytic rules occur any additional "processing" costs? On this link https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/ Microsoft only mentions "Search jobs". I assume Analytic rules and issuing KQL queries fall into category search jobs. What if someone is not using Sentinel but only Log Analytics Workspace and writing KQL queries? Since this (search jobs) is not mentioned on https://azure.microsoft.com/en-us/pricing/details/monitor/ is documentation just not up to date and this same search job price applies to KQL queries in Log Analytics deployments without Sentinel?

 

Microsoft states UEBA doesn't cost any additional money. Is it truly no additional cost or some cost will occur since it processes data from Audit Logs, Azure Activity, Security Events and SignIn Logs tables, namely as described by "search jobs"?

Labels:
2,020 Views
1 Like
2 Replies
Reply
2 Replies
Rod_Trent

‎Mar 24 2023 07:16 AM

‎Mar 24 2023 07:16 AM

Re: Analytic rules, KQL queries and UEBA pricing

There's not cost to run queries. Sentinel costs are at the base level ingestion and data retention. There's other things that factor in like Logic Apps, etc. but for the most part it's just the ingestion and data retention.

UEBA consists of four tables: BehaviorAnalytics, IdentityInfo, UserAccessAnalytics, and UserPeerAnalytics.

You can look at how much each will cost based on ingestion and data retention using the following query: https://github.com/rod-trent/SentinelKQL/blob/master/UEBACosts.txt

And, if you ever want to know which tables do or do not factor into cost, you can use the following query to show the isBillable flag: https://github.com/rod-trent/SentinelKQL/blob/master/TableUsageandCost.txt
1 Like
Reply
nsovilj

‎Apr 04 2023 02:21 AM

‎Apr 04 2023 02:21 AM

Re: Analytic rules, KQL queries and UEBA pricing

When you say there is no cost to run queries do you mean also that there is no cost to setting up scheduled analytical rules in Sentinel besides KQL interactive queries from Log Analytic Workspace?

When Microsoft mentions Pay-As-You- $2.60 per GB-ingested price I would assume that the very same data that has already been ingested once would be billed again if ingested later when running KQL interactive query or Analytical rule. It doesn't explicitly say what does "ingest" mean. Is it applied automatically only once when data is ingested in Log Analytics (LA price + Sentinel price) or LA price once and Sentinel price n times you run some query or Analytical rule? I would assume the latter since they only say "$ per GB ingested" and because it is logical that compute resources are used when using KQL queries and rules.

Can you please provide me with some approximate numbers regarding those 4 UEBA tables? How much space in MB/GB do all 4 of those tables take on a monthly basis and in what kind of environment (approximate number of users/computers within organization where you have used UEBA)?
0 Likes
Reply