Addicted to KQL Part 0: The Wit and Wisdom of Standard Columns in Azure Monitor Logs – Azure Cloud &...
I have a bunch of KQL queries in my Microsoft Sentinel repo on GitHub (https://cda.ms/41t) that pulls in information about table costs. Even though it may not be evident in some of them, the Usage table is where most of the data comes from.
However, some of the data (like the _IsBillable column) doesn’t come from the Usage table, but instead is pulled from the Standard Columns. I regularly get asked where these columns come from, so I thought I’d share since its good information to know. But also as I start building out the Advanced series for Must Learn KQL (https://aka.ms/Addicted2KQL), these will be used periodically and I’ll point back to this reference instead of recapping constantly.
Azure Monitor Logs provides several columns of data that is available to access in any query or any table.