-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathGetBillableSize.kql
58 lines (51 loc) · 2.67 KB
/
GetBillableSize.kql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Usage
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType
| render columnchart
union *
| project Type, billable = _IsBillable, datasize =_BilledSize
| summarize totalentries = count(), sum(datasize) by Type, billable
| sort by sum_datasize
CommonSecurityLog
| where TimeGenerated >= ago(90d)
| project Type, billable = _IsBillable, datasize =_BilledSize, TimeGenerated
| summarize Count = count(), Average = avg(datasize)
let RetentionCostPerGbPerMonth = 0.126;
let IngestionCostPerGb = 5.17;
Usage
| where TimeGenerated > ago(90d)
| where DataType == "CommonSecurityLog"
//| distinct QuantityUnit
| summarize smb=sumif(Quantity, QuantityUnit == "MBytes"), skb = sumif(Quantity, QuantityUnit == "KBytes"), count() by bin(TimeGenerated, 1d)
| extend ["Total Ingestion (MB)"] = (smb + skb/1000)
| extend ["Total Ingestion (GB)"] = ["Total Ingestion (MB)"]/1000
| extend ["Ingestion Cost per Day"] = ["Total Ingestion (MB)"]/1000 * IngestionCostPerGb
| project-away smb, skb
//| summarize avg(["Total Ingestion (GB)"])
//| distinct DataType, Solution
let AnalyticIngestionCostPerGb = 5.36;
let BasicIngestionCostPerGb = 1.10;
let AuxIngestionCostPerGb = 0.19;
CommonSecurityLog
| where TimeGenerated >= ago(30d)
| extend policyName = tostring(extract("profile=(\\w+)[-]?(\\w+)", 0, AdditionalExtensions))
| extend policyID = extract("policyid=(\\d+)", 1, AdditionalExtensions)
| extend policyUUID = extract("poluuid=(\\d+)", 1, AdditionalExtensions)
//| where ipv4_is_private(SourceIP) == true and ipv4_is_private(DestinationIP) == false
//| where Activity contains "dns"
//| where policyID == 111
//| where SimplifiedDeviceAction contains "block"
| project Type, billable = _IsBillable, datasize =_BilledSize, TimeGenerated
| summarize DatenProHInGB = sum(datasize)/1000/1000/1000 by bin(TimeGenerated, 1h)
| summarize AvgDatenProHInGB = avg(DatenProHInGB)
//| extend CostPerDay = AvgDatenProHInGB*24*AnalyticIngestionCostPerGb
| extend AnalyticCostPerMonth = round(AvgDatenProHInGB*24*AnalyticIngestionCostPerGb*30,2)
| extend BasicCostPerMonth = round(AvgDatenProHInGB*24*BasicIngestionCostPerGb*30,2)
| extend AuxCostPerMonth = round(AvgDatenProHInGB*24*AuxIngestionCostPerGb*30,2)
| project-reorder AnalyticCostPerMonth, BasicCostPerMonth, AuxCostPerMonth, AvgDatenProHInGB
// where policyID == 111
//| summarize count() by Activity, DeviceAction
//| where DeviceAction contains "block"
| project Type, billable = _IsBillable, datasize =_BilledSize, TimeGenerated
| summarize sum(datasize)/1000/1000/1000 by bin(TimeGenerated, 1h)