995 строки
41 KiB
JSON
995 строки
41 KiB
JSON
{
|
||
"version": "Notebook/1.0",
|
||
"items": [
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "# Microsoft Sentinel cost summary\n---\n"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 9,
|
||
"content": {
|
||
"version": "KqlParameterItem/1.0",
|
||
"parameters": [
|
||
{
|
||
"id": "9d001d6f-301c-4d03-b02c-b8cc6dce210b",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "TimeRange",
|
||
"type": 4,
|
||
"isRequired": true,
|
||
"value": {
|
||
"durationMs": 604800000
|
||
},
|
||
"typeSettings": {
|
||
"selectableValues": [
|
||
{
|
||
"durationMs": 300000
|
||
},
|
||
{
|
||
"durationMs": 900000
|
||
},
|
||
{
|
||
"durationMs": 1800000
|
||
},
|
||
{
|
||
"durationMs": 3600000
|
||
},
|
||
{
|
||
"durationMs": 14400000
|
||
},
|
||
{
|
||
"durationMs": 43200000
|
||
},
|
||
{
|
||
"durationMs": 86400000
|
||
},
|
||
{
|
||
"durationMs": 172800000
|
||
},
|
||
{
|
||
"durationMs": 259200000
|
||
},
|
||
{
|
||
"durationMs": 604800000
|
||
},
|
||
{
|
||
"durationMs": 1209600000
|
||
},
|
||
{
|
||
"durationMs": 2419200000
|
||
},
|
||
{
|
||
"durationMs": 2592000000
|
||
},
|
||
{
|
||
"durationMs": 5184000000
|
||
},
|
||
{
|
||
"durationMs": 7776000000
|
||
}
|
||
],
|
||
"allowCustom": true
|
||
},
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
}
|
||
},
|
||
{
|
||
"id": "67c2ce6e-ea54-4ae4-8343-3fcad8e53d1b",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "Workspace",
|
||
"type": 5,
|
||
"isRequired": true,
|
||
"multiSelect": true,
|
||
"quote": "'",
|
||
"delimiter": ",",
|
||
"query": "resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains 'SecurityInsights' | project id = tostring(properties.workspaceResourceId)",
|
||
"crossComponentResources": [
|
||
"value::all"
|
||
],
|
||
"value": [
|
||
"value::all"
|
||
],
|
||
"typeSettings": {
|
||
"limitSelectTo": 100,
|
||
"additionalResourceOptions": [
|
||
"value::all"
|
||
],
|
||
"showDefault": false
|
||
},
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
},
|
||
"queryType": 1,
|
||
"resourceType": "microsoft.resourcegraph/resources"
|
||
},
|
||
{
|
||
"id": "9375c625-e916-4f48-b072-352d6aeefddb",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "Price",
|
||
"label": "Ingestion price",
|
||
"type": 1,
|
||
"description": "Enter your ingestion price per GB (PAYG or Commitment Tier). You can also refer to Azure Pricing Calculator.",
|
||
"value": "4"
|
||
},
|
||
{
|
||
"id": "9d5299d0-36a0-4666-9803-ca6931bdaab7",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "RetentionPrice",
|
||
"label": "Retention price",
|
||
"type": 1,
|
||
"description": "Enter the retention price per GB/month that will be used in this workbook's calculations",
|
||
"value": "0.1"
|
||
},
|
||
{
|
||
"id": "67494f3e-322e-4411-9b45-1cbea03ed618",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "TotalE5Seats",
|
||
"label": "Total seats (E5/A5/F5/G5)",
|
||
"type": 1,
|
||
"description": "Enter the total number of Microsoft 365 E5, A5, F5, G5 and Microsoft 365 E5, A5, F5, G5 Security licenses in your environment",
|
||
"value": "0"
|
||
}
|
||
],
|
||
"style": "pills",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||
},
|
||
"name": "parameters - 5"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## Ingestion summary"
|
||
},
|
||
"name": "text - 2"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "union withsource = tt *\r\n| where TimeGenerated > startofday({TimeRange:start}) and TimeGenerated < startofday({TimeRange:end})\r\n// Only look at chargeable Tables\r\n| where _IsBillable == True\r\n| summarize TotalGBytes =round(sum(_BilledSize/(1024*1024*1024)),2) by bin(TimeGenerated, 1d)//, Solution=tt\r\n| summarize ['GBs/day'] =round(avg(TotalGBytes),2)",
|
||
"size": 4,
|
||
"title": "Average billable GBs/day ingested in the last {TimeRange}",
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"visualization": "tiles",
|
||
"tileSettings": {
|
||
"titleContent": {
|
||
"columnMatch": "GBs/day",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "greenRed"
|
||
}
|
||
},
|
||
"showBorder": false,
|
||
"size": "auto"
|
||
}
|
||
},
|
||
"name": "query - 6"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "Usage\r\n| where IsBillable == true\r\n| summarize size = sum(Quantity)/1024 by IsBillable\r\n| project ['Total data ingestion'] = size, ['Estimated cost'] = size*{Price}",
|
||
"size": 4,
|
||
"title": "Total billable ingestion and cost in the last {TimeRange}",
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"visualization": "tiles",
|
||
"tileSettings": {
|
||
"titleContent": {
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "greenRed",
|
||
"compositeBarSettings": {
|
||
"labelText": "",
|
||
"columnSettings": []
|
||
}
|
||
},
|
||
"numberFormat": {
|
||
"unit": 0,
|
||
"options": {
|
||
"currency": "USD",
|
||
"style": "currency",
|
||
"useGrouping": false
|
||
}
|
||
}
|
||
},
|
||
"leftContent": {
|
||
"columnMatch": "Total data ingestion",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "greenRed"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 39,
|
||
"options": {
|
||
"style": "decimal",
|
||
"useGrouping": false,
|
||
"maximumFractionDigits": 1
|
||
}
|
||
}
|
||
},
|
||
"rightContent": {
|
||
"columnMatch": "Estimated cost",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "greenRed"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 0,
|
||
"options": {
|
||
"currency": "USD",
|
||
"style": "currency",
|
||
"useGrouping": false,
|
||
"maximumFractionDigits": 1
|
||
}
|
||
}
|
||
},
|
||
"showBorder": false,
|
||
"size": "auto"
|
||
}
|
||
},
|
||
"name": "query - 8"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "let Categories = datatable(Type:string,Category:string)\r\n[\r\n \"AuditLogs\", \"Azure Active Directory\",\r\n \"SigninLogs\", \"Azure Active Directory\",\r\n \"AADNonInteractiveUserSignInLogs\", \"Azure Active Directory\",\r\n \"AADServicePrincipalSignInLogs\", \"Azure Active Directory\",\r\n \"AADManagedIdentitySignInLogs\", \"Azure Active Directory\",\r\n \"AADProvisioningLogs\",\"Azure Active Directory\",\r\n \"BehaviorAnalytics\", \"User Entity Behavior Analytics\",\r\n \"UserPeerAnalytics\",\"User Entity Behavior Analytics\",\r\n \"UserAccessAnalytics\",\"User Entity Behavior Analytics\",\r\n \"IdentityInfo\",\"User Entity Behavior Analytics\",\r\n \"DeviceLogonEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceEvents\",\"Microsoft Defender for Endpoint\",\r\n\t\"DeviceNetworkInfo\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceImageLoadEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceFileEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceInfo\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceProcessEvents\", \"Microsoft Defender for Endpoint\",\t\r\n\t\"DeviceNetworkEvents\", \"Microsoft Defender for Endpoint\",\r\n\t\"DeviceRegistryEvents\", \"Microsoft Defender for Endpoint\",\r\n \"DeviceFileCertificateInfo\", \"Microsoft Defender for Endpoint\",\r\n \"EmailAttachmentInfo\", \"Microsoft Defender for Office 365\", \r\n \"EmailEvents\", \"Microsoft Defender for Office 365\", \r\n \"EmailPostDeliveryEvents\", \"Microsoft Defender for Office 365\", \r\n \"EmailUrlInfo\", \"Microsoft Defender for Office 365\",\r\n \"IdentityLogonEvents\", \"Microsoft Defender for Identity\",\r\n \"IdentityQueryEvents\", \"Microsoft Defender for Identity\",\r\n \"IdentityDirectoryEvents\", \"Microsoft Defender for Identity\",\r\n \"CloudAppEvents\", \"Microsoft Defender for Cloud Apps\",\r\n \"AlertEvidence\", \"Microsoft Defender Alert Evidence\",\r\n \"InsightsMetrics\", \"Azure Monitor for VMs\",\r\n \"VMBoundPort\", \"Azure Monitor for VMs\",\r\n \"VMComputer\", \"Azure Monitor for VMs\",\r\n \"VMConnection\", \"Azure Monitor for VMs\",\r\n \"VMProcess\", \"Azure Monitor for VMs\",\r\n \"SecurityEvent\", \"Windows Security Events\",\r\n \"Syslog\", \"Syslog/CEF\",\r\n \"CommonSecurityLog\", \"Syslog/CEF\",\r\n \"ThreatIntelligenceIndicator\", \"Threat Intelligence\",\r\n \"DnsEvents\", \"DNS Logs\",\r\n \"DnsInventory\", \"DNS Logs\",\r\n \"AWSCloudTrail\", \"AWS Cloud Trail\",\r\n \"ConfigurationChange\", \"Change Tracking\",\r\n \"ConfigurationData\", \"Change Tracking\",\r\n \"AzureDiagnostics\", \"Azure Resources\",\r\n \"LAQueryLogs\", \"Management\",\r\n \"SentinelHealth\",\"Management\",\r\n \"Perf\",\"Performance\",\r\n \"AzureMetrics\",\"Azure Metrics\",\r\n \"SecurityNestedRecommendation\", \"Microsoft Defender for Cloud\",\r\n \"SecurityRecommendation\", \"Microsoft Defender for Cloud\",\r\n \"SecurityRegulatoryCompliance\", \"Microsoft Defender for Cloud\",\r\n \"SecureScoreControls\", \"Microsoft Defender for Cloud\",\r\n \"SecurityBaseline\", \"Microsoft Defender for Cloud\",\r\n \"SecureScores\", \"Microsoft Defender for Cloud\",\r\n \"Update\", \"Update Management\",\r\n \"UpdateSummary\", \"Update Management\"\r\n];\r\nlet customTables = Usage\r\n| where IsBillable == true\r\n| where DataType contains \"_CL\"\r\n| summarize size = sum(Quantity)/1024 by DataType\r\n| project ['Log Type'] = DataType, ['Table Size'] = size, ['Estimated cost'] = size*{Price};\r\nlet knownTables = Usage\r\n| where IsBillable == true \r\n| join kind=leftouter Categories on $left.DataType == $right.Type\r\n| summarize size =sumif(Quantity, isnotempty(Category))/1024, sizeOther= sumif(Quantity,(isempty(Category) and DataType !contains \"_CL\"))/1024 by Category\r\n| project ['Log Type'] = iif(isnotempty( Category),Category,\"Other\"), ['Table Size'] = iif(isnotempty( Category),size,sizeOther), ['Estimated cost'] = iif(isnotempty(Category),size*{Price},sizeOther*4);\r\nunion customTables, knownTables\r\n| order by ['Table Size'] desc",
|
||
"size": 0,
|
||
"title": "Breakdown of billable ingestion by log category in the last {TimeRange}",
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"visualization": "table",
|
||
"gridSettings": {
|
||
"formatters": [
|
||
{
|
||
"columnMatch": "Table Size",
|
||
"formatter": 3,
|
||
"formatOptions": {
|
||
"palette": "greenRed"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 39,
|
||
"options": {
|
||
"style": "decimal",
|
||
"useGrouping": false
|
||
}
|
||
}
|
||
},
|
||
{
|
||
"columnMatch": "Estimated cost",
|
||
"formatter": 0,
|
||
"numberFormat": {
|
||
"unit": 0,
|
||
"options": {
|
||
"currency": "USD",
|
||
"style": "currency"
|
||
}
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"graphSettings": {
|
||
"type": 0,
|
||
"topContent": {
|
||
"columnMatch": "Log Category",
|
||
"formatter": 1
|
||
},
|
||
"centerContent": {
|
||
"columnMatch": "Billed Size",
|
||
"formatter": 1,
|
||
"numberFormat": {
|
||
"unit": 17,
|
||
"options": {
|
||
"maximumSignificantDigits": 3,
|
||
"maximumFractionDigits": 2
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"name": "query - 2"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## Retention summary"
|
||
},
|
||
"name": "text - 4"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "union withsource=TableName1 * | where TimeGenerated < ago(90d) | extend key = 'Key' | summarize size = sum(_BilledSize)/1024/1024/1024 by key\r\n| project ['Data over 90 days'] = size, ['Retention Cost'] = size*{RetentionPrice}\r\n\r\n\r\n",
|
||
"size": 4,
|
||
"title": "Data older than 90 days and resulting retention cost",
|
||
"noDataMessage": "You have no data older than 90 days",
|
||
"noDataMessageStyle": 3,
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"visualization": "tiles",
|
||
"gridSettings": {
|
||
"formatters": [
|
||
{
|
||
"columnMatch": "Data over 90 days",
|
||
"formatter": 0,
|
||
"numberFormat": {
|
||
"unit": 36,
|
||
"options": {
|
||
"style": "decimal",
|
||
"useGrouping": false
|
||
}
|
||
}
|
||
},
|
||
{
|
||
"columnMatch": "Retention Cost",
|
||
"formatter": 0,
|
||
"numberFormat": {
|
||
"unit": 0,
|
||
"options": {
|
||
"style": "decimal"
|
||
}
|
||
}
|
||
}
|
||
]
|
||
},
|
||
"tileSettings": {
|
||
"titleContent": {},
|
||
"leftContent": {
|
||
"columnMatch": "Data over 90 days",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "greenRed"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 39,
|
||
"options": {
|
||
"style": "decimal",
|
||
"maximumFractionDigits": 1
|
||
}
|
||
}
|
||
},
|
||
"rightContent": {
|
||
"columnMatch": "Retention Cost",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "greenRed"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 0,
|
||
"options": {
|
||
"currency": "USD",
|
||
"style": "currency",
|
||
"maximumFractionDigits": 2
|
||
}
|
||
}
|
||
},
|
||
"showBorder": false,
|
||
"size": "auto"
|
||
}
|
||
},
|
||
"name": "query - 7"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5 and G5 customers\r\n\r\nWith security information and event management (SIEM) and extended detection and response (XDR) from Microsoft, you’re armed with the context and automation you need to stop sophisticated, cross-domain attacks across your entire organization. \r\n\r\nMicrosoft 365 E5, A5, F5, G5 and Microsoft 365 E5, A5, F5, G5 Security customers can get data grant up to 5MB per user/day of Microsoft 365 data ingestion into Microsoft Sentinel. <br>\r\nThe data sources included in this offer include:\r\n\r\n- Azure Active Directory (Azure AD) sign-in and audit logs\r\n- Microsoft Cloud App Security shadow IT discovery logs\r\n- Microsoft Information Protection logs\r\n- Microsoft 365 advanced hunting data\r\n\r\nThe data grant will be calculated at the end of the month and applied to your bill, covering the cost of up to 5 MB of data ingestion per user/day.\r\n\r\nVisit https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/ for more information\r\n\r\n<br>\r\n\r\n### Below are the ingestion for the eligible data sources:\r\n\r\n_**Note:** Kindly specify **Total seats (E5/A5/F5/G5)** and **Ingestion Price** parameters for calculation._"
|
||
},
|
||
"name": "text - 12"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "Usage\r\n| where IsBillable == true\r\n| where DataType in (\"SigninLogs\", \r\n\"AuditLogs\", \r\n\"AADNonInteractiveUserSignInLogs\", \r\n\"AADServicePrincipalSignInLogs\",\r\n\"AADManagedIdentitySignInLogs\",\r\n\"AADProvisioningLogs\",\r\n\"ADFSSignInLogs\",\r\n\"McasShadowItReporting\", \r\n\"InformationProtectionLogs_CL\", \r\n\"DeviceEvents\", \r\n\"DeviceFileEvents\", \r\n\"DeviceImageLoadEvents\", \r\n\"DeviceInfo\", \r\n\"DeviceLogonEvents\", \r\n\"DeviceNetworkEvents\", \r\n\"DeviceNetworkInfo\", \r\n\"DeviceProcessEvents\", \r\n\"DeviceRegistryEvents\",\r\n\"DeviceFileCertificateInfo\", \r\n\"EmailAttachmentInfo\", \r\n\"EmailEvents\", \r\n\"EmailPostDeliveryEvents\", \r\n\"EmailUrlInfo\",\r\n\"IdentityLogonEvents\",\r\n\"IdentityQueryEvents\",\r\n\"IdentityDirectoryEvents\",\r\n\"AlertEvidence\",\r\n\"CloudAppEvents\"\r\n) \r\n| summarize BillableDataGB = sum(Quantity) / 1000. by DataType\r\n| order by BillableDataGB desc\r\n",
|
||
"size": 0,
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"gridSettings": {
|
||
"formatters": [
|
||
{
|
||
"columnMatch": "BillableDataGB",
|
||
"formatter": 3,
|
||
"formatOptions": {
|
||
"palette": "blue"
|
||
}
|
||
}
|
||
]
|
||
}
|
||
},
|
||
"name": "query - 13"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "<br>\r\n**Daily ingestion size (for eligible data sources) vs Maximum data grant:**"
|
||
},
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo",
|
||
"value": "0"
|
||
},
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"name": "text - DailyIngestionVsAllocation"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "Usage\r\n| where IsBillable == true\r\n| where DataType in (\"SigninLogs\", \r\n\"AuditLogs\", \r\n\"AADNonInteractiveUserSignInLogs\", \r\n\"AADServicePrincipalSignInLogs\",\r\n\"AADManagedIdentitySignInLogs\",\r\n\"AADProvisioningLogs\",\r\n\"ADFSSignInLogs\",\r\n\"McasShadowItReporting\", \r\n\"InformationProtectionLogs_CL\", \r\n\"DeviceEvents\", \r\n\"DeviceFileEvents\", \r\n\"DeviceImageLoadEvents\", \r\n\"DeviceInfo\", \r\n\"DeviceLogonEvents\", \r\n\"DeviceNetworkEvents\", \r\n\"DeviceNetworkInfo\", \r\n\"DeviceProcessEvents\", \r\n\"DeviceRegistryEvents\",\r\n\"DeviceFileCertificateInfo\", \r\n\"EmailAttachmentInfo\", \r\n\"EmailEvents\", \r\n\"EmailPostDeliveryEvents\", \r\n\"EmailUrlInfo\",\r\n\"IdentityLogonEvents\",\r\n\"IdentityQueryEvents\",\r\n\"IdentityDirectoryEvents\",\r\n\"AlertEvidence\",\r\n\"CloudAppEvents\") \r\n| summarize DailyIngestionGB = toreal(sum(Quantity))/ 1024 by format_datetime(TimeGenerated, 'yyyy-MM-dd') \r\n| extend MaxDataGrantGB = ((5*toreal({TotalE5Seats}))/1024)\r\n| sort by TimeGenerated asc\r\n",
|
||
"size": 0,
|
||
"aggregation": 3,
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"visualization": "linechart",
|
||
"chartSettings": {
|
||
"xAxis": "TimeGenerated",
|
||
"showDataPoints": true,
|
||
"ySettings": {
|
||
"numberFormatSettings": {
|
||
"unit": 0,
|
||
"options": {
|
||
"style": "decimal",
|
||
"useGrouping": true,
|
||
"maximumFractionDigits": 3
|
||
}
|
||
}
|
||
}
|
||
}
|
||
},
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo",
|
||
"value": "0"
|
||
}
|
||
],
|
||
"name": "DailyIngestionVSAllocation"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "Usage\r\n| where IsBillable == true\r\n| where DataType in (\"SigninLogs\", \r\n\"AuditLogs\", \r\n\"AADNonInteractiveUserSignInLogs\", \r\n\"AADServicePrincipalSignInLogs\",\r\n\"AADManagedIdentitySignInLogs\",\r\n\"AADProvisioningLogs\",\r\n\"ADFSSignInLogs\",\r\n\"McasShadowItReporting\", \r\n\"InformationProtectionLogs_CL\", \r\n\"DeviceEvents\", \r\n\"DeviceFileEvents\", \r\n\"DeviceImageLoadEvents\", \r\n\"DeviceInfo\", \r\n\"DeviceLogonEvents\", \r\n\"DeviceNetworkEvents\", \r\n\"DeviceNetworkInfo\", \r\n\"DeviceProcessEvents\", \r\n\"DeviceRegistryEvents\",\r\n\"DeviceFileCertificateInfo\", \r\n\"EmailAttachmentInfo\", \r\n\"EmailEvents\", \r\n\"EmailPostDeliveryEvents\", \r\n\"EmailUrlInfo\",\r\n\"IdentityLogonEvents\",\r\n\"IdentityQueryEvents\",\r\n\"IdentityDirectoryEvents\",\r\n\"AlertEvidence\",\r\n\"CloudAppEvents\"\r\n) \r\n| summarize TotalBillableDataGB = sum(Quantity) / 1024\r\n\r\n",
|
||
"size": 4,
|
||
"title": "Total ingestion",
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"visualization": "tiles",
|
||
"tileSettings": {
|
||
"titleContent": {
|
||
"columnMatch": "TotalBillableDataGB",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "greenRed"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 39,
|
||
"options": {
|
||
"style": "decimal",
|
||
"maximumFractionDigits": 2
|
||
}
|
||
}
|
||
},
|
||
"showBorder": false
|
||
}
|
||
},
|
||
"customWidth": "20",
|
||
"name": "E5IngestionSize"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "let DailyMaxDiscountGB = ((5*toreal({TotalE5Seats}))/1024);\r\nUsage\r\n| where IsBillable == true\r\n| where DataType in (\"SigninLogs\", \r\n\"AuditLogs\", \r\n\"AADNonInteractiveUserSignInLogs\", \r\n\"AADServicePrincipalSignInLogs\",\r\n\"AADManagedIdentitySignInLogs\",\r\n\"AADProvisioningLogs\",\r\n\"ADFSSignInLogs\",\r\n\"McasShadowItReporting\", \r\n\"InformationProtectionLogs_CL\", \r\n\"DeviceEvents\", \r\n\"DeviceFileEvents\", \r\n\"DeviceImageLoadEvents\", \r\n\"DeviceInfo\", \r\n\"DeviceLogonEvents\", \r\n\"DeviceNetworkEvents\", \r\n\"DeviceNetworkInfo\", \r\n\"DeviceProcessEvents\", \r\n\"DeviceRegistryEvents\",\r\n\"DeviceFileCertificateInfo\", \r\n\"EmailAttachmentInfo\", \r\n\"EmailEvents\", \r\n\"EmailPostDeliveryEvents\", \r\n\"EmailUrlInfo\",\r\n\"IdentityLogonEvents\",\r\n\"IdentityQueryEvents\",\r\n\"IdentityDirectoryEvents\",\r\n\"AlertEvidence\",\r\n\"CloudAppEvents\") \r\n| summarize DailyBillableGB = toreal(sum(Quantity))/ 1024 by format_datetime(TimeGenerated, 'yy-MM-dd') \r\n| extend DailyMaxGrantGB = DailyMaxDiscountGB\r\n| summarize MaxDataGrantGB = sum(toreal(DailyMaxGrantGB))\r\n\r\n",
|
||
"size": 4,
|
||
"title": "Total Data Grant Limit",
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"visualization": "tiles",
|
||
"tileSettings": {
|
||
"titleContent": {
|
||
"columnMatch": "MaxDataGrantGB",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "orangeBlue"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 39,
|
||
"options": {
|
||
"style": "decimal",
|
||
"maximumFractionDigits": 2
|
||
}
|
||
}
|
||
},
|
||
"showBorder": false,
|
||
"sortOrderField": 1
|
||
}
|
||
},
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo",
|
||
"value": "0"
|
||
}
|
||
],
|
||
"customWidth": "20",
|
||
"name": "DataGrantLimit"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "let DailyMaxDiscountGB = ((5*toreal({TotalE5Seats}))/1024);\r\nUsage\r\n| where IsBillable == true\r\n| where DataType in (\"SigninLogs\", \r\n\"AuditLogs\", \r\n\"AADNonInteractiveUserSignInLogs\", \r\n\"AADServicePrincipalSignInLogs\",\r\n\"AADManagedIdentitySignInLogs\",\r\n\"AADProvisioningLogs\",\r\n\"ADFSSignInLogs\",\r\n\"McasShadowItReporting\", \r\n\"InformationProtectionLogs_CL\", \r\n\"DeviceEvents\", \r\n\"DeviceFileEvents\", \r\n\"DeviceImageLoadEvents\", \r\n\"DeviceInfo\", \r\n\"DeviceLogonEvents\", \r\n\"DeviceNetworkEvents\", \r\n\"DeviceNetworkInfo\", \r\n\"DeviceProcessEvents\", \r\n\"DeviceRegistryEvents\",\r\n\"DeviceFileCertificateInfo\", \r\n\"EmailAttachmentInfo\", \r\n\"EmailEvents\", \r\n\"EmailPostDeliveryEvents\", \r\n\"EmailUrlInfo\",\r\n\"IdentityLogonEvents\",\r\n\"IdentityQueryEvents\",\r\n\"IdentityDirectoryEvents\",\r\n\"AlertEvidence\",\r\n\"CloudAppEvents\") \r\n| summarize DailyBillableGB = toreal(sum(Quantity))/ 1024 by format_datetime(TimeGenerated, 'yy-MM-dd') \r\n| summarize TotalEligibleGB = sum(iif(toreal(DailyBillableGB)>toreal(DailyMaxDiscountGB),toreal(DailyMaxDiscountGB),DailyBillableGB))\r\n\r\n",
|
||
"size": 4,
|
||
"title": "Total Data Grant Used",
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"visualization": "tiles",
|
||
"tileSettings": {
|
||
"titleContent": {
|
||
"columnMatch": "TotalEligibleGB",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "coldHot"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 39,
|
||
"options": {
|
||
"style": "decimal",
|
||
"maximumFractionDigits": 2
|
||
}
|
||
}
|
||
},
|
||
"showBorder": false,
|
||
"sortOrderField": 1
|
||
}
|
||
},
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo",
|
||
"value": "0"
|
||
}
|
||
],
|
||
"customWidth": "30",
|
||
"name": "EligibleE5Ingestion"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "let DailyMaxDiscountGB = ((5*toreal({TotalE5Seats}))/1024);\r\nUsage\r\n| where IsBillable == true\r\n| where DataType in (\"SigninLogs\", \r\n\"AuditLogs\", \r\n\"AADNonInteractiveUserSignInLogs\", \r\n\"AADServicePrincipalSignInLogs\",\r\n\"AADManagedIdentitySignInLogs\",\r\n\"AADProvisioningLogs\",\r\n\"ADFSSignInLogs\",\r\n\"McasShadowItReporting\", \r\n\"InformationProtectionLogs_CL\", \r\n\"DeviceEvents\", \r\n\"DeviceFileEvents\", \r\n\"DeviceImageLoadEvents\", \r\n\"DeviceInfo\", \r\n\"DeviceLogonEvents\", \r\n\"DeviceNetworkEvents\", \r\n\"DeviceNetworkInfo\", \r\n\"DeviceProcessEvents\", \r\n\"DeviceRegistryEvents\",\r\n\"DeviceFileCertificateInfo\", \r\n\"EmailAttachmentInfo\", \r\n\"EmailEvents\", \r\n\"EmailPostDeliveryEvents\", \r\n\"EmailUrlInfo\",\r\n\"IdentityLogonEvents\",\r\n\"IdentityQueryEvents\",\r\n\"IdentityDirectoryEvents\",\r\n\"AlertEvidence\",\r\n\"CloudAppEvents\") \r\n| summarize DailyBillableGB = toreal(sum(Quantity))/ 1024 by format_datetime(TimeGenerated, 'yy-MM-dd') \r\n| summarize TotalEligibleGB = sum(iif(toreal(DailyBillableGB)>toreal(DailyMaxDiscountGB),toreal(DailyMaxDiscountGB),DailyBillableGB))\r\n| extend TotalDiscount = toreal(TotalEligibleGB)*{Price}\r\n| project TotalDiscount\r\n\r\n",
|
||
"size": 4,
|
||
"title": "Estimated Saving",
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"timeContextFromParameter": "TimeRange",
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"crossComponentResources": [
|
||
"{Workspace}"
|
||
],
|
||
"visualization": "tiles",
|
||
"tileSettings": {
|
||
"titleContent": {
|
||
"columnMatch": "TotalDiscount",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "greenRed"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 0,
|
||
"options": {
|
||
"currency": "USD",
|
||
"style": "currency",
|
||
"maximumFractionDigits": 2
|
||
}
|
||
}
|
||
},
|
||
"showBorder": false
|
||
}
|
||
},
|
||
"conditionalVisibilities": [
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo",
|
||
"value": "0"
|
||
},
|
||
{
|
||
"parameterName": "TotalE5Seats",
|
||
"comparison": "isNotEqualTo"
|
||
}
|
||
],
|
||
"customWidth": "20",
|
||
"name": "EstimateE5Discount"
|
||
},
|
||
{
|
||
"type": 1,
|
||
"content": {
|
||
"json": "## SOAR summary\r\n\r\nIn this section, you can view billable information regarding your Logic Apps. The data is based on Logic Apps' built-in metrics. To view the list of Logic Apps click the \">\" icon in the subscription column.\r\n\r\nYou can change the default Logic App execution cost in the parameter below.\r\n\r\nTo see the approximate cost of your logic apps, **click on any subscription on the table below**.\r\n\r\nFor more billable information, visit: https://azure.microsoft.com/pricing/details/logic-apps/"
|
||
},
|
||
"name": "text - 3"
|
||
},
|
||
{
|
||
"type": 9,
|
||
"content": {
|
||
"version": "KqlParameterItem/1.0",
|
||
"parameters": [
|
||
{
|
||
"id": "6f50ee54-8f0e-424e-9e16-70eca531af7f",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "ResourceTypes",
|
||
"label": "Resource types",
|
||
"type": 7,
|
||
"isRequired": true,
|
||
"multiSelect": true,
|
||
"quote": "'",
|
||
"delimiter": ",",
|
||
"value": [
|
||
"microsoft.logic/workflows"
|
||
],
|
||
"isHiddenWhenLocked": true,
|
||
"typeSettings": {
|
||
"additionalResourceOptions": [],
|
||
"includeAll": true
|
||
},
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
}
|
||
},
|
||
{
|
||
"id": "1c8dc8da-2233-426c-8cfc-52ec31bf1e84",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "Subscription",
|
||
"label": "Subscriptions",
|
||
"type": 6,
|
||
"isRequired": true,
|
||
"multiSelect": true,
|
||
"quote": "'",
|
||
"delimiter": ",",
|
||
"query": "Resources\r\n| where type in~ ({ResourceTypes})\r\n| summarize Count = count() by subscriptionId\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project value = subscriptionId, label = subscriptionId, selected = Rank == 1",
|
||
"typeSettings": {
|
||
"additionalResourceOptions": [
|
||
"value::all"
|
||
],
|
||
"showDefault": false
|
||
},
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
},
|
||
"defaultValue": "value::all",
|
||
"queryType": 1,
|
||
"resourceType": "microsoft.resourcegraph/resources",
|
||
"value": [
|
||
"value::all"
|
||
]
|
||
},
|
||
{
|
||
"id": "f103ef04-042e-45ed-8f78-b31e676258d7",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "ResourceGroups",
|
||
"label": "Resource groups",
|
||
"type": 2,
|
||
"isRequired": true,
|
||
"multiSelect": true,
|
||
"quote": "'",
|
||
"delimiter": ",",
|
||
"query": "Resources\r\n| where type in~ ({ResourceTypes})\r\n| summarize Count = count() by subscriptionId, resourceGroup\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project value = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), label = resourceGroup, selected = false",
|
||
"typeSettings": {
|
||
"additionalResourceOptions": [
|
||
"value::all"
|
||
],
|
||
"showDefault": false
|
||
},
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
},
|
||
"defaultValue": "value::all",
|
||
"queryType": 1,
|
||
"resourceType": "microsoft.resourcegraph/resources",
|
||
"value": [
|
||
"value::all"
|
||
]
|
||
},
|
||
{
|
||
"id": "b6514d02-8893-44b8-896e-e53ada5024d5",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "Resources",
|
||
"label": "Logic Apps",
|
||
"type": 5,
|
||
"isRequired": true,
|
||
"multiSelect": true,
|
||
"quote": "'",
|
||
"delimiter": ",",
|
||
"query": "Resources\r\n| where type in~({ResourceTypes})\r\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\r\n| where resourceGroupId in~({ResourceGroups}) or '*' in~({ResourceGroups})\r\n| order by name asc\r\n| extend Rank = row_number()\r\n| project value = id, label = tostring(name), selected = Rank <= 10, group = resourceGroup",
|
||
"value": [
|
||
"value::all"
|
||
],
|
||
"typeSettings": {
|
||
"additionalResourceOptions": [
|
||
"value::all"
|
||
],
|
||
"showDefault": false
|
||
},
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
},
|
||
"queryType": 1,
|
||
"resourceType": "microsoft.resourcegraph/resources"
|
||
},
|
||
{
|
||
"id": "8f552e99-2d30-4679-b4b0-25429bf0216b",
|
||
"version": "KqlParameterItem/1.0",
|
||
"name": "ExecutionCost",
|
||
"label": "Logic App execution cost",
|
||
"type": 1,
|
||
"isRequired": true,
|
||
"value": "0.000125"
|
||
}
|
||
],
|
||
"style": "pills",
|
||
"queryType": 1,
|
||
"resourceType": "microsoft.resourcegraph/resources"
|
||
},
|
||
"name": "parameters - 10"
|
||
},
|
||
{
|
||
"type": 10,
|
||
"content": {
|
||
"chartId": "workbooke70b7cbc-f1d7-4a74-b8b9-75cc8d5ab586",
|
||
"version": "MetricsItem/2.0",
|
||
"size": 1,
|
||
"chartType": 0,
|
||
"resourceType": "microsoft.logic/workflows",
|
||
"metricScope": 0,
|
||
"resourceParameter": "Resources",
|
||
"resourceIds": [
|
||
"{Resources}"
|
||
],
|
||
"timeContextFromParameter": "TimeRange",
|
||
"timeContext": {
|
||
"durationMs": 604800000
|
||
},
|
||
"metrics": [
|
||
{
|
||
"namespace": "microsoft.logic/workflows",
|
||
"metric": "microsoft.logic/workflows--TotalBillableExecutions",
|
||
"aggregation": 1
|
||
}
|
||
],
|
||
"title": "Click on a subscription below to calculate the estimated automation costs",
|
||
"resourceLimit": 10000,
|
||
"gridSettings": {
|
||
"formatters": [
|
||
{
|
||
"columnMatch": "$gen_group",
|
||
"formatter": 15,
|
||
"formatOptions": {
|
||
"linkTarget": null,
|
||
"showIcon": true
|
||
}
|
||
},
|
||
{
|
||
"columnMatch": "Subscription",
|
||
"formatter": 5
|
||
},
|
||
{
|
||
"columnMatch": "Name",
|
||
"formatter": 13,
|
||
"formatOptions": {
|
||
"linkTarget": "Resource",
|
||
"showIcon": true
|
||
}
|
||
},
|
||
{
|
||
"columnMatch": "microsoft.logic/workflows--TotalBillableExecutions",
|
||
"formatter": 8,
|
||
"formatOptions": {
|
||
"palette": "blue",
|
||
"aggregation": "Sum"
|
||
}
|
||
},
|
||
{
|
||
"columnMatch": "microsoft.logic/workflows--TotalBillableExecutions Timeline",
|
||
"formatter": 21,
|
||
"formatOptions": {
|
||
"palette": "blue"
|
||
}
|
||
},
|
||
{
|
||
"columnMatch": "microsoft.logic/workflows--BillableTriggerExecutions Timeline",
|
||
"formatter": 5
|
||
},
|
||
{
|
||
"columnMatch": "microsoft.logic/workflows--BillableActionExecutions",
|
||
"formatter": 8,
|
||
"formatOptions": {
|
||
"palette": "blue"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 0,
|
||
"options": {
|
||
"style": "decimal"
|
||
}
|
||
}
|
||
},
|
||
{
|
||
"columnMatch": "microsoft.logic/workflows--BillableActionExecutions Timeline",
|
||
"formatter": 5
|
||
},
|
||
{
|
||
"columnMatch": "RG",
|
||
"formatter": 13,
|
||
"formatOptions": {
|
||
"linkTarget": null,
|
||
"showIcon": true
|
||
}
|
||
},
|
||
{
|
||
"columnMatch": "Sum",
|
||
"formatter": 1,
|
||
"formatOptions": {
|
||
"aggregation": "Sum"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 0,
|
||
"options": {
|
||
"style": "decimal"
|
||
}
|
||
}
|
||
}
|
||
],
|
||
"rowLimit": 10000,
|
||
"filter": true,
|
||
"hierarchySettings": {
|
||
"treeType": 1,
|
||
"groupBy": [
|
||
"Subscription"
|
||
]
|
||
},
|
||
"labelSettings": [
|
||
{
|
||
"columnId": "microsoft.logic/workflows--TotalBillableExecutions",
|
||
"label": "Total Billable Executions (Sum)"
|
||
},
|
||
{
|
||
"columnId": "microsoft.logic/workflows--TotalBillableExecutions Timeline",
|
||
"label": "Total Billable Executions Timeline"
|
||
}
|
||
]
|
||
},
|
||
"sortBy": [],
|
||
"exportFieldName": "microsoft.logic/workflows--TotalBillableExecutions",
|
||
"exportParameterName": "Total",
|
||
"exportDefaultValue": "0"
|
||
},
|
||
"name": "Billable Metric"
|
||
},
|
||
{
|
||
"type": 3,
|
||
"content": {
|
||
"version": "KqlItem/1.0",
|
||
"query": "Usage | take 1 | project ['Estimated automation costs'] ={Total}*{ExecutionCost}",
|
||
"size": 4,
|
||
"title": "Estimated Logic App execution cost over the last {TimeRange}",
|
||
"timeContext": {
|
||
"durationMs": 86400000
|
||
},
|
||
"queryType": 0,
|
||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||
"visualization": "tiles",
|
||
"tileSettings": {
|
||
"titleContent": {
|
||
"columnMatch": "Estimated automation costs",
|
||
"formatter": 12,
|
||
"formatOptions": {
|
||
"palette": "greenRed"
|
||
},
|
||
"numberFormat": {
|
||
"unit": 0,
|
||
"options": {
|
||
"currency": "USD",
|
||
"style": "currency",
|
||
"minimumFractionDigits": 2,
|
||
"maximumFractionDigits": 3
|
||
}
|
||
}
|
||
},
|
||
"showBorder": false
|
||
}
|
||
},
|
||
"conditionalVisibility": {
|
||
"parameterName": "Total",
|
||
"comparison": "isNotEqualTo"
|
||
},
|
||
"name": "query - 11"
|
||
}
|
||
],
|
||
"fromTemplateId": "sentinel-CostWorkbook",
|
||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||
} |