Need a good way of tracking your Azure Sentinel table usage? Here’s a KQL query to help.
I can’t take full credit for it, other than sharing it. This query is an amalgam of different queries and the work of a multitude of individuals, but hugely useful.
union withsource=TableName1 *
| where TimeGenerated > ago(30d)
| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff("second", now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable == true) by TableName1, _IsBillable
| project ['Table Name'] = TableName1, ['Table Entries'] = Entries, ['Table Size'] = Size, ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable,
    ['Last Record Received'] = last_log, ['Estimated Table Price'] = (estimate / (1024 * 1024 * 1024)) * 0.0
| order by ['Table Size'] desc
This is what the results look like:
NOTE: Replace the 0.0 at the end of the query's ['Estimated Table Price'] expression with your price per GB. You can use the Azure Pricing Calculator to obtain it.
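As an added example (not from the original post or the linked GitHub file), here is the same query parameterised with let statements so the price is set once, plus a column that flags tables which have gone quiet, since a connector that silently stops ingesting is a detection gap as well as a cost question. PricePerGB, Lookback and StaleHours are placeholder values to set for your own workspace.

```kusto
// Added example: parameterised variant of the table usage query.
// PricePerGB, Lookback and StaleHours are placeholders; set them for your workspace.
let PricePerGB = 0.0;      // your per-GB price from the Azure Pricing Calculator
let Lookback = 30d;        // how far back to count entries and billed size
let StaleHours = 24;       // flag a table as stale if nothing arrived in this many hours
union withsource=TableName1 *
| where TimeGenerated > ago(Lookback)
| summarize
    Entries = count(),
    Size = sum(_BilledSize),
    LastRecord = max(TimeGenerated),
    BillableSize = sumif(_BilledSize, _IsBillable == true)
    by TableName1, _IsBillable
| extend
    SizeGB = Size / (1024.0 * 1024.0 * 1024.0),
    SecondsSinceLastRecord = datetime_diff("second", now(), LastRecord)
| project
    ['Table Name'] = TableName1,
    ['Table Entries'] = Entries,
    ['Table Size (GB)'] = round(SizeGB, 3),
    ['Size per Entry'] = 1.0 * Size / Entries,
    ['IsBillable'] = _IsBillable,
    ['Last Record Received'] = LastRecord,
    ['Seconds Since Last Record'] = SecondsSinceLastRecord,
    // true when the table has received nothing within StaleHours: check the connector
    ['Stale Source'] = SecondsSinceLastRecord > StaleHours * 3600,
    ['Estimated Table Price'] = (BillableSize / (1024.0 * 1024.0 * 1024.0)) * PricePerGB
| order by ['Table Size (GB)'] desc
```

Sorting by ['Stale Source'] desc instead surfaces the quiet tables first, which is the view to check after a connector or agent change.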
Grab the most current version from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/TableUsageandCost.txt