KQL Query
Posts Categories whoami Projects Events KQL News
KQL Query

Contents

Sentinel Table Cost Optimization

   111 words   One minute 
Contents 
let SearchPeriod = 90d;
union *
| where TimeGenerated > ago(SearchPeriod)
| summarize TotalEvents = count(), Bytes=sum(_BilledSize), GBs= round(sum(_BilledSize) / (1024 * 1024 * 1024), 2) by Type, bin(Timestamp, 1d)
| project Type, Timestamp, GBs
| render columnchart with (title='Daily Billed Table Size')
SecurityEvent
| where TimeGenerated > ago(30d)
| summarize TotalEvents = count(), Bytes=sum(_BilledSize), GBs= round(sum(_BilledSize) / (1024 * 1024 * 1024), 2) by EventID, Activity
| top 10 by Bytes
let SearchPeriod = 90d;
union *
| where TimeGenerated > ago(SearchPeriod)
| extend Action = coalesce(Operation, OperationName, OperationNameValue, ActionType, tostring(EventID), RequestURI) 
| summarize TotalEvents = count(), Bytes=sum(_BilledSize), GBs= round(sum(_BilledSize) / (1024 * 1024 * 1024), 2) by Type, Action
Updated on 2026-03-01
Back | Home