Azure Sentinel meets Azure Log Analytics – looking at data use and estimated costs.
//
//
// Now that the pricing is released – please see https://azure.microsoft.com/en-gb/pricing/calculator/
//
// Please use http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2019/10/03/azure-sentinel-average-gb-per-day/
//
————————————————————————————————
Please use the above link – posted retained for examples only, now that Sentinel has been released
————————————————————————————————
This post combines two previous posts, one on Log Analytics and one on Sentinel Dashboards.
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2019/07/22/azure-log-analytics-looking-at-data-and-costs-part-4/
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2019/07/19/azure-sentinel-dashboard-queries/
Please note Azure Sentinel prices have not been disclosed yet. However we can see the Log Analytics tables used by Sentinel and look at those costs. I’ve used the query from the “Azure Sentinel Dashboard query” post to find the relevant tables in Log Analytics, to work out the GB consumed and then estimate the costs (in USD).
let aap = 2.30; //Add Azure Pricing ($ USD) source: https://azure.microsoft.com/en-us/pricing/details/monitor/
union isfuzzy=true withsource = tt *
| where _IsBillable == True
| where tt in ("Syslog", "SecurityEvent","AWSCloudTrail", "CommonSecurityLog",
"SecurityAlert", "ThreatIntelligenceIndicator", "LinuxAuditLog",
"HuntingBookmark", "WindowsFirewall","SigninLogs","SymantecICDX_CL",
"DnsEvents","SecurityCenterFree","OfficeActivity")
| summarize
TotalGBytes =round( sum(_BilledSize/(1024*1024*1024)),2),
EstimatedCostUSD=round(aap * sum(_BilledSize/(1024*1024*1024)),2)
by Solution=tt
| sort by TotalGBytes desc
A variant of the above query is this, which filters specifically on the past 31days (and only full days). I also grab the oldest and newest date/time per solution:
let aap = 2.30; //Add Azure Pricing ($ USD) source: https://azure.microsoft.com/en-us/pricing/details/monitor/
union isfuzzy=true withsource = tt *
| where TimeGenerated > startofday(ago(31d)) and TimeGenerated < startofday(now())
| where _IsBillable == True
| where tt in
(
"Syslog", "SecurityEvent","AWSCloudTrail", "CommonSecurityLog",
"SecurityAlert", "ThreatIntelligenceIndicator", "LinuxAuditLog",
"HuntingBookmark", "WindowsFirewall","SigninLogs","SymantecICDX_CL",
"DnsEvents","SecurityCenterFree","OfficeActivity", "McasShadowItReporting "
)
| summarize
TotalGBytes =round( sum(_BilledSize/(1024*1024*1024)),2),
EstimatedCostUSD=round(aap * sum(_BilledSize/(1024*1024*1024)),2),
OldestRecord=min(TimeGenerated), NewestRecord=max(TimeGenerated)
by Solution=tt
| sort by TotalGBytes desc
You can run the above from here
Optionally you may want to view the Data on a graph for the month.
// show per day ingestion per solution for past full 31days
union withsource = tt *
| where TimeGenerated > startofday(ago(31d)) and TimeGenerated < startofday(now())
| where _IsBillable == true
| where tt in
(
"Syslog", "SecurityEvent","AWSCloudTrail", "CommonSecurityLog",
"SecurityAlert", "ThreatIntelligenceIndicator", "LinuxAuditLog",
"HuntingBookmark", "WindowsFirewall","SigninLogs","SymantecICDX_CL",
"DnsEvents","SecurityCenterFree","OfficeActivity", "McasShadowItReporting "
)
| summarize BillableGBytes=round(sum(_BilledSize/(1024*1024*1024)),2) by bin(TimeGenerated, 6h), tt
| sort by TimeGenerated asc
| render timechart
//
//Another useful Example is when you need to see the Average per computer and Service.
//
let aap = 2.30; //Add Azure Pricing ($ USD) source: https://azure.microsoft.com/en-us/pricing/details/monitor/
union isfuzzy=true withsource = tt *
| where TimeGenerated > startofday(ago(31d)) and TimeGenerated < startofday(now())
| where _IsBillable == True
| where tt in
(
"Syslog", "SecurityEvent","AWSCloudTrail", "CommonSecurityLog",
"SecurityAlert", "ThreatIntelligenceIndicator", "LinuxAuditLog",
"HuntingBookmark", "WindowsFirewall","SigninLogs","SymantecICDX_CL",
"DnsEvents","SecurityCenterFree","OfficeActivity", "McasShadowItReporting "
)
| summarize
TotalGBytes =round( sum(_BilledSize/(1024*1024*1024)),2),
EstimatedCostUSD=round(aap * sum(_BilledSize/(1024*1024*1024)),2),
OldestRecord=min(TimeGenerated), NewestRecord=max(TimeGenerated),
HowManyComputers = dcount(Computer),
avgGBperComputer= round(sum(_BilledSize / (1024*1024*1024)) / dcount(Computer),4)
by tt
| sort by TotalGBytes desc
Run this example here