Query Details
UEBA Costs
Query
union withsource=TableName1 *
| where TimeGenerated > ago(30d) //In the last 30 days
| summarize Entries = count(), Size = sumif(_BilledSize, _IsBillable == true), last_log = datetime_diff("second", now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable == true) by TableName1, _IsBillable
| project ['Table Name'] = TableName1, ['Table Size'] = Size, ['% of Total GiB'] = (Size / (1024 * 1024 * 1024)) / 10.04 * 100, ['IsBillable'] = _IsBillable, ['Last Record Received'] = last_log, ['Estimated Table Price'] = (estimate / (1024 * 1024 * 1024)) * 4.0 //Cost may be different. Then, alter the 4.0
| where ['Table Name'] == "BehaviorAnalytics" or ['Table Name'] == "IdentityInfo" or ['Table Name'] == "UserAccessAnalytics" or ['Table Name'] == "UserPeerAnalytics" //The four data tables utilized by UEBA
| serialize TotalCost=row_cumsum(['Estimated Table Price']) //This starts at the bottom result row and adds all table prices for a final TotalCost value at the top
| order by ['Table Size'] desc
Explanation
This query retrieves data from a table called TableName1 and performs several calculations and filters on it. It counts the number of entries, calculates the size of the table, determines the time difference between the current time and the latest log entry, estimates the table price, and selects specific columns for display. It then filters the results to only include specific table names and calculates the cumulative total cost. Finally, it orders the results by table size in descending order.
Details
Rod Trent
Released: April 29, 2021
Tables
TableName1
Keywords
Devices,Intune,User
Operators
union withsourcewheresummarizecount()sumif()datetime_diff()now()max()sumif()byproject=/*100==orwhere==or==or==orserializerow_cumsum()order bydesc.