Visualizing Azure Sentinel Billable Data by Solution and Data Type

We make it easy to quickly monitor data consumption for Azure Sentinel in the Settings blade in the console.

But, for those cost-conscious individuals who need more, here’s a couple valuable KQL queries to better visualize data consumption.

Billable data volume by data type

Usage 
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType | render barchart

Get the query from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/Billabledatavolumebydatatype.txt

Billable data volume by solution

Usage 
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), Solution | render barchart

Get the query from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/Billabledatavolumebysolution.txt

And, of course, if you simply want to view the data in old, boring table results rather than a chart, use the comment operator on the render command…

Reference: https://azurecloudai.blog/2020/07/15/visualizing-azure-sentinel-billable-data-by-solution-and-data-type/