Azure Sentinel – Average GB per day 

Why average GB per day? Because that is the figure the Azure Pricing Calculator asks for now that Azure Sentinel has been released. This query looks at all billable data in your Log Analytics workspace and takes an average over the period. Example: in the calculator, search for Sentinel, or look in the Security section. //…Read more
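As an added example (not the post's own query), this KQL computes that average from the Usage table, which records ingested volume in MB per data type and flags whether each row is billable. The 31-day lookback is an assumption; change it to match the period you want to quote to the calculator.

```kql
// Added example: average billable GB per day from the Usage table.
// Usage.Quantity is in MB, so divide by 1024 to get GB.
// Assumption: a 31-day window; adjust to the period you want to average over.
let lookback = 31d;
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
// Usage rows are hourly summaries; bin them to whole days first
| summarize DailyGB = sum(Quantity) / 1024.0 by Day = bin(StartTime, 1d)
| summarize AvgGBPerDay = round(avg(DailyGB), 2),
            MinGBPerDay = round(min(DailyGB), 2),
            MaxGBPerDay = round(max(DailyGB), 2),
            DaysMeasured = count()
```

The min and max columns are there as a sanity check: if one day is far above the average (an onboarding burst, a verbose diagnostic setting left on), quoting the bare average to the calculator will under-estimate the bill.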


Azure Sentinel – Costing Estimate (PAYG) 

In this example, now that Azure Sentinel is Generally Available (GA), we can look at the Azure Monitor Logs (Log Analytics) and Azure Sentinel charges. I have used Pay as You Go (PAYG) for both, using USD and EASTUS as the region, but please feel free to adapt to your local region or currency.…Read more

Azure Log Analytics: how to read a file 

I often blog about various Log Analytics syntax after I get asked the same question a few times, in this case a few times last month and twice this week so far! Also posted as a reply here. You can use the externaldata operator to read files, like csv or tsv, scsv, sohsv, psv, txt,…Read more
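The post itself is truncated here, so as an added example (not the author's code) this shows the externaldata shape for a CSV held in blob storage, then joins the result against SecurityEvent as a lookup list. The storage URL, SAS token and the column names of the file are placeholders; the schema you declare has to match the file's actual columns and order.

```kql
// Added example: read a CSV with externaldata and use it as a lookup list.
// Assumptions: the blob URL and SAS token are placeholders, and the file has
// three columns (IPAddress, Reason, AddedOn) with a header row.
// The h@ prefix keeps the SAS token out of query logs and telemetry.
let KnownBadIPs = externaldata (IPAddress: string, Reason: string, AddedOn: datetime)
    [ h@"https://examplestorage.blob.core.windows.net/lists/bad-ips.csv?<SAS token>" ]
    with (format = "csv", ignoreFirstRecord = true);
// Failed logons (4625) in the last day whose source IP is on the list
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| join kind=inner KnownBadIPs on $left.IpAddress == $right.IPAddress
| summarize FailedLogons = count(),
            Accounts = make_set(Account),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
        by Computer, IpAddress, Reason
| sort by FailedLogons desc
```

Swap `format = "csv"` for `"tsv"`, `"psv"`, `"scsv"`, `"sohsv"` or `"txt"` to match the file; `ignoreFirstRecord` only skips a header row, so leave it out for header-less files. Treat the SAS token like a credential: scope it read-only to the one container and give it an expiry.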

Azure Sentinel meets Azure Log Analytics – looking at data use and estimated costs. 

Now that the pricing is released, please see and use the link above; this post is retained for its examples only, now that Sentinel has been released. This post combines two previous posts, one on Log Analytics and one on Sentinel Dashboards.…Read more

Azure Log Analytics: looking at data and costs – Part 4 

Building on Part 3. You would probably take the data projection (see Part 3) and add it into Excel to do the math, but you can also use KQL for that. I assigned a price of $2.30 (line 1); most of the rest of the syntax is the same. This is correct as of…Read more
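For the PAYG costing post and this Part 4, here is one added example (not the author's query) that does the math in KQL: the $2.30 per GB figure is the one the post uses on its first line; the Sentinel per-GB price is a placeholder you must replace with the figure the pricing calculator shows for your region and currency. Free allowances and commitment tiers are deliberately not modelled.

```kql
// Added example: estimate PAYG charges from billable ingestion.
// LogAnalyticsPricePerGB is the $2.30 the post uses; SentinelPricePerGB is
// an assumed placeholder - take the real value from the pricing calculator
// for your region. Free daily allowances and reservation tiers are ignored.
let LogAnalyticsPricePerGB = 2.30;
let SentinelPricePerGB = 2.00;   // assumption: replace with your region's price
let lookback = 30d;
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
| summarize DailyGB = sum(Quantity) / 1024.0 by Day = bin(StartTime, 1d)
| extend LogAnalyticsCost = DailyGB * LogAnalyticsPricePerGB,
         SentinelCost    = DailyGB * SentinelPricePerGB
| extend DailyTotal = LogAnalyticsCost + SentinelCost
| summarize DaysMeasured   = count(),
            AvgDailyGB     = avg(DailyGB),
            AvgDailyCost   = avg(DailyTotal),
            PeriodCost     = sum(DailyTotal)
// project a calendar month from the observed daily average
| extend ProjectedMonthlyCost = AvgDailyCost * 30
| project DaysMeasured,
          AvgDailyGB = round(AvgDailyGB, 2),
          PeriodCost = round(PeriodCost, 2),
          ProjectedMonthlyCost = round(ProjectedMonthlyCost, 2)
```

Because both charges are per GB ingested, the two prices could simply be added into one constant; they are kept separate so the Log Analytics and Sentinel lines can be compared against the two separate meters on the invoice.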

Azure Log Analytics: Azure Sentinel Queries 

I almost forgot about this set of tips, but I was asked again yesterday, so I decided to post this. Often when investigating Event logs or Security Event logs, you look at the EventID. These are two of the most common basic methods. Event | summarize count() by EventID, RenderedDescription | sort by count_ desc…Read more
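The Security Event log equivalent, as an added example rather than the post's own second query: in SecurityEvent the readable text lives in the Activity column (it already begins with the EventID), and adding distinct-count columns shows at a glance whether a noisy EventID comes from one machine or the whole estate. The one-day window is an assumption.

```kql
// Added example: most common Security Event IDs over the last day,
// with how widely each is spread across computers and accounts.
// Assumption: a 1-day window.
SecurityEvent
| where TimeGenerated > ago(1d)
| summarize Count     = count(),
            Computers = dcount(Computer),
            Accounts  = dcount(Account),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
        by EventID, Activity
| sort by Count desc
| take 20
```

A high Count with Computers == 1 is usually a misconfigured or chatty host; a high Count spread across many computers but a single Account is the pattern worth a second look.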

Azure Sentinel – Dashboard queries 

The vast majority of my day job at the moment includes Azure Sentinel. Some of the queries I’ve shown in the previous posts can be used to see data points for Sentinel as well. Typically I display all these on an Azure Dashboard, but you can also just use the queries. Sentinel specific Dashboards can…Read more


Azure Log Analytics: looking at data and costs – Part 3 

Part 1: Part 2: Part 3 (this post):…and-costs-part-3/ There are two parts to this post: 1. Predict forward 2. Add more computers. 1. Predict forward: in the previous two posts on this topic, we’ve seen the data ‘as is’ and in the past (normally the past month), but how do we predict…Read more
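Both parts of the post in one added example (not the author's query): make-series builds a daily series of billable GB that already extends 30 days into the future with zeros, series_decompose_forecast fills those future points, and the result is then scaled by the ratio of planned to current computers, with the current count taken from Heartbeat. The 30-day lookback, 30-day horizon and the 10 extra computers are assumptions.

```kql
// Added example: forecast daily billable GB and scale for extra computers.
// Assumptions: 30 days of history, a 30-day forecast, and 10 planned new
// servers. The series is extended into the future with default 0 because
// series_decompose_forecast treats the last forecastDays points as the
// ones to predict.
let lookbackDays  = 30;
let forecastDays  = 30;
let extraComputers = 10;
// computers seen in the last day; max_of guards against dividing by zero
let currentComputers = max_of(1, toscalar(
    Heartbeat
    | where TimeGenerated > ago(1d)
    | summarize dcount(Computer)));
let scale = (currentComputers + extraComputers) * 1.0 / currentComputers;
Usage
| where TimeGenerated > ago(lookbackDays * 1d)
| where IsBillable == true
| make-series DailyGB = sum(Quantity) / 1024.0 default = 0
    on StartTime
    from startofday(ago(lookbackDays * 1d)) to startofday(now() + forecastDays * 1d) step 1d
| extend Forecast = series_decompose_forecast(DailyGB, forecastDays)
// element-wise multiply by a constant series of the scale factor
| extend ScaledForecast = series_multiply(Forecast, repeat(scale, array_length(Forecast)))
| render timechart
```

Drop the `render` line and add `| mv-expand StartTime to typeof(datetime), DailyGB to typeof(real), Forecast to typeof(real), ScaledForecast to typeof(real)` if you want rows to paste into Excel instead of a chart. Scaling by computer count assumes the new servers log roughly like the existing ones; a new server role with different agent configuration breaks that assumption.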

Azure Log Analytics: Cross-workspace connections 

I’ve had the script for a while, but didn’t finish the last part until today. Many of my Azure connected Servers are dual-homed to Azure Monitor Logs (required by our IT Security people). So this report shows me which ones are connected to one or both workspaces. Instructions: You need to provide the long form…Read more
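As an added example of the cross-workspace check (not the author's script), this unions Heartbeat from two workspaces and labels each computer as reporting to one or both. workspace() accepts the long-form Azure resource ID (used here), the workspace name or its GUID; the two resource IDs below are placeholders and the one-day window is an assumption.

```kql
// Added example: which computers are connected to workspace A, B, or both.
// Assumptions: the two resource IDs are placeholders; you need read access
// to both workspaces, and a 1-day heartbeat window counts as "connected".
union
    (workspace("/subscriptions/<sub-id>/resourcegroups/<rg>/providers/microsoft.operationalinsights/workspaces/<workspace-a>").Heartbeat
        | where TimeGenerated > ago(1d)
        | extend Workspace = "A"),
    (workspace("/subscriptions/<sub-id>/resourcegroups/<rg>/providers/microsoft.operationalinsights/workspaces/<workspace-b>").Heartbeat
        | where TimeGenerated > ago(1d)
        | extend Workspace = "B")
| summarize Workspaces    = make_set(Workspace),
            LastHeartbeat = max(TimeGenerated),
            Agents        = dcount(SourceComputerId)
        by Computer
| extend Connection = case(array_length(Workspaces) == 2, "Both",
                           Workspaces[0] == "A",           "A only",
                                                           "B only")
| sort by Connection asc, Computer asc
```

Computers that should be dual-homed but show "A only" are the ones to chase; an `Agents` value above 1 for a single Computer name usually means a rebuilt machine that kept its hostname, which is worth knowing before reporting the numbers to your security team.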