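// Author: Ian D. Hanley | LinkedIn: /in/ianhanley/ | Twitter: @IanDHanley | Github: https://github.com/EEN421 | Blog: Hanley.cloud / DevSecOpsDad.com
// This query will tell you how much any EventID is costing you over a given time
// For this query, the 'rate' acts like a global floating point variable which is manually defined
// You can calculate the LAW cost and Sentinel cost separately, or both (effective cost per GB) by setting the rate variable
// The rate for your region can be found here: https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/
// This doesn't have to be over the last hour, you can adjust the 'lookback' parameter to a week (7d), a day (1d), or even a month (30d) etc.
// Only records flagged _IsBillable are summed, so free / non-billable ingestion does not inflate the cost estimate
let rate = 4.30; //<-- Effective Cost per GB
let lookback = 1h; //<-- Time window to cost (1h, 1d, 7d, 30d, ...)
let eventId = 8002; //<-- EventID to cost (int, matching the SecurityEvent EventID column)
SecurityEvent //<-- Query the SecurityEvent table
| where TimeGenerated > ago(lookback) //<-- Query the selected window
| where EventID == eventId //<-- Query for the selected EventID
| where _IsBillable == true //<-- Drop records that are not billed; they carry a _BilledSize but cost nothing
| summarize GB=sum(_BilledSize)/1000/1000/1000 //<-- Summarize billable volume in GB using the _BilledSize table column
| extend cost = GB*rate //<-- Multiply total GBs for the selected window by the effective rate (defined above)
// If you're a stickler for Gibibytes versus Gigabytes, swap the summarize line above for this one.
// It is kept commented out: a live line here would chain onto the finished pipeline and fail,
// because _BilledSize no longer exists after the first summarize.
// | summarize GB=sum(_BilledSize)/1024/1024/1024
// ------------------------------------------------ next query (keep the blank line: it separates queries in the editor)
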
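// Top-10 computers by billable volume for one EventID over the lookback window, with an estimated cost per computer
// Parameters are defined up front so the rate, window and EventID can be changed in one place
let rate = 2.74; //<-- Effective Cost per GB (look up your region's rate on the Sentinel pricing page)
let lookback = 90d; //<-- Time window to cost
let eventId = 5156; //<-- EventID to cost (int, matching the SecurityEvent EventID column)
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == eventId
| where _IsBillable == true //<-- Only billed records count toward cost
| summarize Billable_GB=round(sum(_BilledSize / 1000 / 1000 / 1000),2) by Computer
| extend TotalCost = round(Billable_GB * rate, 2)
| extend TotalCost=strcat('$', TotalCost) //<-- Display formatting: this turns TotalCost into a string, so sort on Billable_GB, not TotalCost
| sort by Billable_GB desc
| limit 10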