Visualizing Azure Sentinel Billable Data by Solution and Data Type

Azure Sentinel 1 Minute

We make it easy to quickly monitor data consumption for Azure Sentinel in the Settings blade in the console.

Monitor data ingestion and retention

But, for those cost-conscious individuals who need more, here’s a couple valuable KQL queries to better visualize data consumption.

Billable data volume by data type

Usage 
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType | render barchart

Get the query from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/Billabledatavolumebydatatype.txt

Billable data volume by data type

Billable data volume by solution

Usage 
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), Solution | render barchart

Get the query from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/Billabledatavolumebysolution.txt

Billable data volume by solution

And, of course, if you simply want to view the data in old, boring table results rather than a chart, use the comment operator on the render command…

Using the // – comment operator

Author

Published

Leave a Reply