Date: 2020-07-15

We make it easy to quickly monitor data consumption for Azure Sentinel in the Settings blade in the console.

Monitor data ingestion and retention

But for those cost-conscious individuals who need more, here are a couple of valuable KQL queries to better visualize data consumption.

Billable data volume by data type

Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType
| render barchart

Get the query from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/Billabledatavolumebydatatype.txt

Billable data volume by solution

Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), Solution
| render barchart

Get the query from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/Billabledatavolumebysolution.txt

And, of course, if you simply want to view the data in old, boring table results rather than a chart, use the comment operator on the render command…

Using the // – comment operator
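
The table form described above, as an added example that is not part of the original post: the data type query with the render line commented out and a sort added, run over a constructed stand-in for the Usage table so it can be tried without touching a workspace. SampleUsage, its DaysAgo helper column and all row values are assumptions made for illustration; replace SampleUsage with Usage to run it against real data.

```kql
// Constructed sample rows standing in for the workspace's Usage table.
// Quantity is reported in MB, which is why the query divides by 1000 to get GB.
let SampleUsage = datatable(DaysAgo:int, IsBillable:bool, Quantity:real, DataType:string)
[
    1, true,  1500.0, "SecurityEvent",
    1, true,   500.0, "SecurityEvent",
    1, true,   250.0, "Syslog",
    1, false,  900.0, "Heartbeat",      // non-billable row, dropped by the IsBillable filter
    2, true,  2000.0, "SecurityEvent",
    2, true,   750.0, "Syslog"
]
// Build timestamps relative to now so the rows always fall inside the 31-day window.
| extend StartTime = startofday(now() - DaysAgo * 1d)
| extend EndTime = StartTime + 1h, TimeGenerated = StartTime + 1h;
SampleUsage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType
| sort by StartTime desc, BillableDataGB desc
// The // comment operator disables the chart, so the results come back as a table.
// | render barchart
```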

Authors Rod Trent