Sentinel Billable data

Hello can you please help me understand difference of two queries we received from vendor deployin sentinel. We have logic app running daily this query to see billable data (to monitor if we are...

cost management

data collection

Clive_Watson

Bronze Contributor

Jun 27, 2022

T150732D

For query one, you only need this KQL for the same result.

Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000.

However you may be better off adding a time alignment, as you dont say when the Playbooks runs, and you will get different results depending on the time of day, however if you add startofday() you always get from the first record after midnight. See here for more How to align your Analytics with time windows in Azure Sentinel using KQL (Kusto Query Language) - Microsoft Tech Community

Usage
| where TimeGenerated > startofday(ago(1d))
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000.

Clive_Watson
Bronze Contributor
Jun 27, 2022
btw, there are two articles/Playbooks from Microsoft:

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingestion-cost-spike-detection-playbook/ba-p/2591301

and

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingestion-cost-alert-playbook/ba-p/2006003

Forum Discussion

Sentinel Billable data

Share

Resources