Sentinel Cost Optimization Challenge
So you read my Sentinel Cost Optimization post, now what? Let’s test those fresh new skills you just picked up! See if you can ninja your way through the following typically asked questions:
1. What query should you run to graph the last 90 days of billable ingest volume?
2. How do you find the commitment tier for Sentinel?
3. How do you find the commitment tier for your Log Analytics Workspace?
4. Are you on the right commitment tier?
5. Is your retention policy bleeding you dry?
1. What query should you run to graph the last 90 days of billable ingest volume?
Answer:
Usage // <-- tells us which table to apply this query to. In this case it's the Usage log table.
| where TimeGenerated > ago(90d) // <-- how far back the query will look in the Usage table.
| where IsBillable == true // <-- filters out non-billable data (we're only worried about data that incurs a cost).
| summarize TotalVolumeGB = sum(Quantity) / 1000 by bin(StartTime, 1d), Solution
/* Convert MB to GB and return results by day, per ingest solution (LogManagement, Security, etc.) */
| render columnchart // <-- graph results as a column chart
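A companion query, added here as an example and not part of the original post, that reduces the same Usage data to the average, 90th-percentile and peak daily billable volume in GB, which are the figures you compare against a commitment tier in question 4 (the output column names and rounding are my own choices):

```kql
// Added example: daily billable ingest statistics over the last 90 days.
// Same Usage table and filters as the query above; Quantity is reported in MB.
Usage
| where TimeGenerated > ago(90d)
| where IsBillable == true
// First collapse to one row per day so the statistics are per-day figures.
| summarize DailyGB = sum(Quantity) / 1000 by Day = bin(StartTime, 1d)
// Then summarise across those days. Days lets you spot a partial window
// (for example a workspace younger than 90 days) before trusting the average.
| summarize AvgDailyGB = round(avg(DailyGB), 2),
            P90DailyGB = round(percentile(DailyGB, 90), 2),
            MaxDailyGB = round(max(DailyGB), 2),
            Days = count()
```

AvgDailyGB is the number to hold against the tier you found in questions 2 and 3; if P90DailyGB sits well above it, the average is being pulled by a few spike days rather than by steady-state ingest.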
2. How do you find the commitment tier for Sentinel?
Answer:
3. How do you find the commitment tier for your Log Analytics Workspace?
Answer:
4. Are you on the right commitment tier?
Answer:
5. Is your retention policy bleeding you dry?
Answer:
In the above example, data retention beyond 30 days accounts for half of the total ingest volume cost. Let's bring it back down to 90 to save the day:
Summary:
By now your Log Analytics Workspace and Sentinel Deployments should be humming along like a lean, mean, SIEM machine as you have mastered the basics of cost optimization.
In this post, we answered the following typical deployment questions:
- What query should you run to graph the last 90 days of billable ingest volume?
- How do you find the commitment tier for Sentinel?
- How do you find the commitment tier for your Log Analytics Workspace?
- Are you on the right commitment tier?
- Is your retention policy bleeding you dry?