Azure Sentinel – Average GB per day

03/10/2019

Why Average GB per day, it’s because that’s the information the Azure Pricing Calculator needs now that Azure Sentinel is released. This query looks at all billable data in your Log Analytics workspace and takes an average over the period. Example

https://azure.microsoft.com/en-gb/pricing/calculator/

Then search for Sentinel / or look in the Security section.
Azure Sentinel in the Pricing Calculator

——————————————————————————————————————

// Clive Watson Microsoft // let daystoSearch = 31d; // Please enter how many days worth of data to look at? union withsource = tt * | where TimeGenerated > startofday(ago(daystoSearch)) and TimeGenerated < startofday(now()) // Only look at chargeable Tables | where _IsBillable == True | summarize TotalGBytes =round(sum(_BilledSize/(1024*1024*1024)),2) by bin(TimeGenerated, 1d)//, Solution=tt | summarize avg(TotalGBytes)

In the demo system, the result is 37GB a day (at the moment).

avg_TotalGBytes
36.75

Now you can add this to the calculator:

Sentinel Calculator

For budgeting some might like to add a max figure rather than an average, in that case swap the last line to:

| summarize avg(TotalGBytes), max(TotalGBytes)

You can also just run, part of the query to get a daily graph

let daystoSearch = 31d; // Please enter how many days worth of data to look at? union withsource = tt * | where TimeGenerated > startofday(ago(daystoSearch)) and TimeGenerated < startofday(now()) // Only look at chargable Tables | where _IsBillable == True | summarize TotalGBytes =round(sum(_BilledSize/(1024*1024*1024)),2) by bin(TimeGenerated, 1d) | render areachart kind=stacked title = "Azure Sentinel billable data"

Area chart of Sentinel usage

Join the conversation

Leave a reply Cancel reply

Chandu
3 years ago

How to we get all the tables name with how much data we received with EPS is there any opposition.

Please help Kql query for that.

Reply
- Clive Watson
  3 years ago
  
  The Workbook “Data collection health monitoring” within Azure Sentinel shows you EPS per Table – you can see other KQL within that workbook, here is the main part
  
  union withsource=_TableName1 *
  | summarize count() , Size = sum(_BilledSize) by bin(_TimeReceived, 1m), Type, _IsBillable
  | extend counttemp =count_ / 60
  | summarize
  [‘Average Events per Second (eps)’] = avg(counttemp), [‘Minimum eps’]=min (counttemp),
  [‘Maximum eps’]=max(counttemp)
  by [‘Table Name’]=Type
  | order by [‘Average Events per Second (eps)’] desc
  
  Reply
Adrian Grigorof
5 years ago

To include the daily average and maximum price using this code:

// Clive Watson Microsoft
//
// Pricing by Adrian Grigorof – managedsentinel.com
// Pricing for Azure Region East US (USD)
// Retention not included in the calculation (free up to 3 months)
// Consumption and pricing are per day
let priceperGbLA = 2.30;
let priceperGbSentinel = 2.00;
let lastDays = 31;
let daystoSearch = now() – lastDays * 1d;
union withsource = tt *
//| where TimeGenerated > startofday(ago(daystoSearch)) and TimeGenerated daystoSearch and TimeGenerated < startofday(now())
| where _IsBillable == True
| summarize TotalGBytes = round(sum(_BilledSize/(1024*1024*1024)),2) by bin(TimeGenerated, 1d)//, Solution=tt
| summarize avg(TotalGBytes), max(TotalGBytes)
| extend avg_TotalPrice = round(((avg_TotalGBytes*lastDays-5)*priceperGbLA + avg_TotalGBytes*lastDays*priceperGbSentinel)/lastDays,2)
| extend max_TotalPrice = round(((max_TotalGBytes*lastDays-5)*priceperGbLA + max_TotalGBytes*lastDays*priceperGbSentinel)/lastDays,2)

At http://www.managedsentinel.com we've been using a similar approach since June to record the daily log ingestion, cost and EPS for our customers through an Azure Sentinel Playbook that records all this data in an Excel spreadsheet published on our SharePoint.

Reply
- Clive Watson
  5 years ago
  
  Thanks Adrian – great to know.
  
  BTW, I get a syntax error with your line #4 “let daystoSearch = now() – lastDays * 1d” – removing it works ok, but I’ve not looked into it deeply.
  
  P.s. excellent architecture diagrams https://www.managedsentinel.com/2019/05/20/azure-sentinel-architecture/
  
  Reply
  - Morten Knudsen
    4 years ago
    
    I’m a little confused about Sentinel pricing. I’m aware of the LogAnalytics pricing-model as we have been using this for many months now.
    This comment is only about the additional cost for Sentinel analyzing the data.
    
    When I look at the pricing conditions found on https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/, it states the following:
    Azure Sentinel is billed based on the volume of data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace
    
    This means to me, that I only pay for the CONNECTORS which are BILLABLE, where Sentinel analyzes the data – excluding these connectors Azure Activity Logs, Office 365 Audit Logs and alerts from Microsoft Threat Protection are available for ingestion at no additional cost.
    
    But when I look at the queries, it extracts the average data stored in LogAnalytics. That doesn’t seem fair/correct, as I should ONLY pay for the BILLABLE data, that goes through Sentinel
    
    Comments ?
  - Clive Watson
    4 years ago
    
    Hi Morten,
    
    My query here https://www.microsoft.com/en-gb/industry/blog/cross-industry/2019/10/03/azure-sentinel-average-gb-per-day/ ONLY looks at Billable data for that reason.
    
    This line in particular.
    
    | where _IsBillable == True
    
    You pay once for Log Analytics to ingest the data (or ingest on behalf of Sentinel if you use a Sentinel connector) – Log Analytics bills per GB for that ingestion.
    You also pay for Sentinel analysis based on that data capacity (excluding any data that is marked “_IsBillable == false”).