We make it easy to quickly monitor data consumption for Azure Sentinel in the Settings blade in the console.
But, for those cost-conscious individuals who need more, here’s a couple valuable KQL queries to better visualize data consumption.
Billable data volume by data type
Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType | render barchartGet the query from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/Billabledatavolumebydatatype.txt
Billable data volume by solution
Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), Solution | render barchartGet the query from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/Billabledatavolumebysolution.txt
And, of course, if you simply want to view the data in old, boring table results rather than a chart, use the comment operator on the render command…
You must log in to post a comment.