Query Details

Watchlists Costs

Query

//Query to show cost of each Microsoft Sentinel Watchlist. Watchlist costs come directly from ingestion. 

Usage 
| where StartTime >= startofday(ago(365d)) and EndTime < startofday(now())
| where IsBillable == true
| where DataType == "Watchlist"
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType

Explanation

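This query reports the billable data volume behind Microsoft Sentinel Watchlist costs, which are based on the amount of data ingested. It filters the Usage table to the past 365 days up to the start of the current day, keeps only billable records, and restricts them to the Watchlist data type. It then sums Quantity and divides by 1000 to give billable gigabytes per day, grouped by start time and data type. Because the only grouping keys are the day and the data type, the result is a daily total for the Watchlist data type as a whole, not a separate figure for each individual watchlist.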

Details

Rod Trent

Released: July 22, 2022

Tables

Usage

Keywords

Usage,StartTime,EndTime,IsBillable,DataType,BillableDataGB,Quantity

Operators

where, and, ==, true, "Watchlist", summarize, sum, /, 1000., by, bin(StartTime, 1d)
