Azure-Sentinel/Playbooks/Send-IngestionCostAlert

Ingestion Cost Alert Playbook

Managing cost for cloud services is an essential part of ensuring that you get maximum value for your investment in solutions running on this computing platform. Azure Sentinel is no different. To help you exercise greater control over your budget for Azure Sentinel  this playbook will send you an alert should you exceed a budget that you define for your Azure Sentinel Workspace within a given time-frame.

Deployment steps

1. Log into the Azure Portal
2. In the Azure search box type Log Analytics Workspaces

3. Select the Azure Sentinel workspace

4. Copy the Subscription ID, Resource group and the Workspace name

The Logic App is activated by a Recurrence trigger whose frequency of execution can be adjusted to your requirements

5. Scroll to the bottom of this document and select Deploy to Azure

6. Log into the Azure portal

7. Enter the following information

• Subscription: Select the Subscription
• Resource Group: Select the RG
• Playbook Name: Enter playbook name
• Sentinel WS Name: Enter workspace name
• Sentinel Sub ID: Enter Subscription ID
• Sentinel ES Resource Group: Enter Resource Group Name
• Mail List: Enter email address of user(s) that need to get the notification
• User Name: Enter account with permissions to create a logic app

8. Select Review + create + Create
9. Click Go to resource group
10. Click o365-IngestionCostAlert

11. Click Test connection failed.

12. Click Authorize

13. Login into portal again

14. Click Save

15. Click the resource group again

16. Click teams-IngestionCostAlert

17. Click Test connection failed.

18. Click Authorize

19. Login into portal again

20. Click Save

21. In the Azure search box type Logic App

22. Select the newly created logic app

23. Click Logic app designer

24. Select Price Per GB
25. Change the Type to Float
26. For the value, enter the total cost of Sentinel. This value will consist of the cost of:

• Azure Sentinel Pricing

• Azure Monitor- ingestion and retention

These 3 costs should be added together

27. Select Days in a month and change the days to 31

28. Select Monthly budget and enter the total monthly budget

29. Select Threshold per day and enter the daily limit. To get this value simply divide the total budget from step 29 above by the number of days per month (31) in step 28

30. Select Connection

31. Select the account to log in with or add a new connection

32. Click Sign-in and log into the account

33. Click For Each -> Condition

34. Enter the email address of the user(s) that will receive the notification. (secops@yourdomain.onmicrosoft.com)

35. Click Add an Action

36. Search for “Office365 Outlook”

37. Select “Send an e-mail”

38. Select “Add an action”
39. In the search box type Teams -> Microsoft Teams

40. In the search box type Post a message -> Post a message (V3) (preview)

41. Select the Teams group that will receive the message

42. Select the Team Channel within that teams group

43. In the message box type You have exceeded your daily budget

44. Click the Dynamic content -> Max_per_day

When complete this section should look as follows:

45. Click Save

Below is the query being executed in the step above in text format which you can use for validation directly in the Log Analytics query window. Ensure to replace the variables below with actual numbers if running the query within the Log Analytics query window.

  let price_per_GB = price_per_GB;
  let how_many_days = days_in_month;
  let total_funding = monthly_budget;
  let max_per_day = toreal(monthly_budget) / toreal(days_in_month);
  Usage
  | where TimeGenerated > startofday(ago(1d))
  | where IsBillable == true
  | summarize AggregatedValue= sum(Quantity) * price_per_GB / 1024
  | where AggregatedValue > max_per_day

In this step, the aggregated value obtained from the previous step is compared against the budget value you set and should it exceed the amount then the logic branches to the left and sends out an e-mail or posts a Microsoft Teams message. If you are still within budget, then the logic branches to the right and no message is sent.

In the final step below sends out an e-mail to the specified recipient list and a message is posted in a Microsoft Teams channel that you selected earlier

Additional information on cost management can be found in this document

Special thanks to Damon Neal for his documentation template