Azure Sentinel – Average GB per day 

Why average GB per day? Because that is the figure the Azure Pricing Calculator asks for now that Azure Sentinel is released. This query looks at all billable data in your Log Analytics workspace and takes an average over the period. In the calculator, search for Sentinel or look in the Security section.


Azure Log Analytics: Azure Sentinel Queries 

I almost forgot about this set of tips, but I was asked again yesterday – so decided to post this. Often when investigating Event logs or Security Event logs, you look at the EventID. These are two of the most common basic methods.

Event | summarize count() by EventID, RenderedDescription | sort by count_ desc

Azure Log Analytics: Looking at data and costs 

At some stage, you either need to add a new set of data to Log Analytics or even look at your usage and costs. Originally you looked at the Usage table for this data. As you can see from these docs (and please read them, as I won't go over the content here), Usage

Azure Log Analytics: Cross Workspace Query 

This was announced at Ignite last week (see here), which I missed at the time. Adding ‘withsource=SourceTable’ I have found to be really useful to see where the data was found. If the returned SourceTable is just “SecurityEvent”, as in this example, it's from your local workspace; if it's workspace(”).

SecurityEvent // show