cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Sentinel Billable data

T150732D
Copper Contributor

‎Jun 27 2022 12:28 AM

‎Jun 27 2022 12:28 AM

Sentinel Billable data

Hello can you please help me understand difference of two queries we received from vendor deployin sentinel. 

 

We have logic app running daily this query to see billable data (to monitor if we are reaching cap).

Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(TimeGenerated, 31d), Solution
| summarize TotalDataGB = sum(BillableDataGB)

 

Also we got the visualisation in chart over mont

Usage
|where TimeGenerated > ago (30d)
|where IsBillable == true
| summarize BillableDataGB=sum(Quantity) / 1000. by bin(TimeGenerated, 1d), Solution
| render columnchart

 

 

However often there is big difference, while the first one reports over several days numbers 300-400, when i look at the data in second I see peaks to 700 GB.

 

Example below. On 22June we see peak to 700GB, however the outcome of the first query was always 300-400 GB when reported 

23.6. reported previous daily ingestion : 415.907715810097 GB.

22.6 reported previous daily ingestion : 367.10762928873 GB.

 

Does not make sense to me have such big difference.

 

T150732D_0-1656314559718.png

 

 

ALSO WHAt Query for monnitoring and analyzing daily ingestion are you using please???

 

4,776 Views
0 Likes
10 Replies
Reply
10 Replies
Clive_Watson

‎Jun 27 2022 02:45 AM

‎Jun 27 2022 02:45 AM

Re: Sentinel Billable data

@T150732D 

 

For query one, you only need this KQL for the same result. 

Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000.


However you may be better off adding a time alignment, as you dont say when the Playbooks runs, and you will get different results depending on the time of day, however if you add startofday() you always get from the first record after midnight.  See here for more How to align your Analytics with time windows in Azure Sentinel using KQL (Kusto Query Language) - M...  

Usage
| where TimeGenerated > startofday(ago(1d))
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000.

 

1 Like
Reply
mikhailf

‎Jun 27 2022 03:11 AM

‎Jun 27 2022 03:11 AM

Re: Sentinel Billable data

Hello @T150732D ,

 

Instead of

| where TimeGenerated > ago(1d)

I would use:

| where StartTime >= startofday(ago(1d)) and EndTime < startofday(now())

 

I tried to use the queries you sent and got the same results. Will try to check it deeper and update you later.

0 Likes
Reply
Clive_Watson

‎Jun 27 2022 03:22 AM

‎Jun 27 2022 03:22 AM

Re: Sentinel Billable data

I tend to prefer "between" for this...but either work

| where TimeGenerated between ( startofday(ago(1d)) .. endofday(ago(1d)) )


0 Likes
Reply
T150732D

‎Jun 27 2022 07:12 AM

‎Jun 27 2022 07:12 AM

Re: Sentinel Billable data

@Clive_Watson thanks for your helps.

 

this query you proposed returns now 550 GB

Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000.

the second query  returns now 840 GB

Usage
| where TimeGenerated > startofday(ago(1d))
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000.

 the query @mikhailf proposed

| where StartTime >= startofday(ago(1d)) and EndTime < startofday(now())

 

returns 485 GB

 

My initial query returns now 550 GB

 Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(TimeGenerated, 31d), Solution
| summarize TotalDataGB = sum(BillableDataGB)

0 Likes
Reply
mikhailf

‎Jun 28 2022 12:56 AM - edited ‎Jun 28 2022 12:58 AM

‎Jun 28 2022 12:56 AM - edited ‎Jun 28 2022 12:58 AM

Re: Sentinel Billable data

Hello @T150732D ,

 

Please, try the following queries:

 

Usage
| where TimeGenerated >= startofday(ago(1d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(TimeGenerated, 1d), Solution
| summarize TotalDataGB = sum(BillableDataGB)

 

Usage
| where TimeGenerated >= startofday(ago(30d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB=sum(Quantity) / 1000. by bin(TimeGenerated, 1d), Solution
| render columnchart

 

It will return similar results.

0 Likes
Reply
T150732D

‎Jul 07 2022 09:13 AM

‎Jul 07 2022 09:13 AM

Re: Sentinel Billable data

@mikhailf can you please help me with some query to show monthly sentinel ingestion log cost?

 

I would like to provide management total Gb but also cost in dollars.

 

thank you

 

0 Likes
Reply
Clive_Watson

‎Jul 07 2022 09:35 AM

‎Jul 07 2022 09:35 AM

Re: Sentinel Billable data

@T150732D 

 

Example for previous 3 months (excludes current month) but you can tweak that, alter line 4  from "-1" to "-0"

let price_ = 4.0;  // enter you price per GB for LogAnalytics + Sentinel 
Usage
// get logs for previous 3 months
| where TimeGenerated between(startofmonth(now(),-3) ..endofmonth(endofmonth(now(),-1)) )
| summarize GBytesTotal=sum(Quantity) / 1000, Price=sum(Quantity) / 1000 * price_ by month=bin(datepart("Month", TimeGenerated), 1)
// format month so we can sort it
| extend month = case(month==1,strcat(month,'. Jan'),month==2,strcat(month,'. Feb'),month==3, strcat(month,'. Mar'),month==4,strcat(month,'. Apr'),month==5,strcat(month,'. May'),month==6,strcat(month,'. Jun'),month==7, strcat(month,'. Jul'),month==8,strcat(month,'. Aug'),month==9,strcat(month,'. Sep'),month==10,strcat(month,'. Oct'),month==11,strcat(month,'. Nov'),month==12,strcat(month,'. Dec'),"error")
| order by month asc

 

Clive_Watson_0-1657211576466.png

 

You'll see this in the next version of the "Workspace Usage Report" workbook, in a week or so I hope. 


1 Like
Reply
T150732D

‎Jul 07 2022 12:08 PM

‎Jul 07 2022 12:08 PM

Re: Sentinel Billable data

@Clive_Watson wow thats great. can you help me setup right price for the parametr?

 

if we have 1000 GB daily cap and 500 GB commited tier, i insert value $0.99 per GB as per https://azure.microsoft.com/en-gb/pricing/details/microsoft-sentinel/

0 Likes
Reply
Clive_Watson

‎Jul 07 2022 03:18 PM

‎Jul 07 2022 03:18 PM

Re: Sentinel Billable data

Correct.
If you need to get the total costs, you would need to add the 500MB commitment tier value for Azure Monitor (Log Analytics) as well https://azure.microsoft.com/en-gb/pricing/details/monitor/

$0.99 + $1.94 = $2.93

https://azure.microsoft.com/en-us/pricing/calculator/
0 Likes
Reply