Dinesh

Reputation: 1

How to create an Azure Monitor alert to send daily usage of Sentinel

How to create an Azure Monitor alert to send the daily usage of Sentinel.

Upvotes: 0

Views: 938

Answers (1)

Ecstasy

Reputation: 1864

According to the documentation:

When the daily cap is reached for a Log Analytics workspace, a banner is displayed in the Azure portal, and an event is written to the Operations table in the workspace. You should create an alert rule to proactively notify you when this occurs.

When the daily cap is reached, you can receive an alert by creating a log alert rule by specifying the target scope and conditions.

To view the effect of the daily cap, try the following Kusto query, according to the documentation:

```kusto
let DailyCapResetHour=14;
Usage
| where DataType !in ("SecurityAlert", "SecurityBaseline", "SecurityBaselineSummary", "SecurityDetection", "SecurityEvent", "WindowsFirewall", "MaliciousIPCommunication", "LinuxAuditLog", "SysmonEvent", "ProtectionStatus", "WindowsEvent")
| where TimeGenerated > ago(32d)
| extend StartTime=datetime_add("hour",-1*DailyCapResetHour,StartTime)
| where StartTime > startofday(ago(31d))
| where IsBillable
| summarize IngestedGbBetweenDailyCapResets=sum(Quantity)/1000. by day=bin(StartTime , 1d) // Quantity in units of MB
| render areachart
```

References: Daily quota for Sentinel, Ingestion Cost Spike Detection Playbook, and How to analyze Microsoft Sentinel Daily Cap Alerts.

Upvotes: 1
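Turning the usage query above into a scheduled log alert that fires once a day is the piece the question actually asks for. The script below is an added example, not part of the answer or of any Microsoft documentation; it assumes a logged-in Azure CLI and uses placeholder values for the resource group, workspace and recipient address (the `RG`, `WORKSPACE`, `ALERT_EMAIL` names are mine).

```shell
#!/usr/bin/env sh
# Added example: create a daily Azure Monitor log alert that reports Sentinel
# billable ingestion. Assumes `az` is installed and logged in. The three values
# below are placeholders, override them in the environment before running.
RG="${RG:-my-sentinel-rg}"                      # placeholder resource group
WORKSPACE="${WORKSPACE:-my-sentinel-ws}"        # placeholder Log Analytics workspace
ALERT_EMAIL="${ALERT_EMAIL:-soc@example.com}"   # placeholder recipient

# KQL for the previous 24h of billable ingestion, folded onto one line so it can
# be passed as a CLI argument. The DataType exclusion list is the same one used
# in the answer's query above.
usage_query() {
  cat <<KQL | tr '\n' ' '
Usage
| where TimeGenerated > ago(1d)
| where IsBillable
| where DataType !in ("SecurityAlert", "SecurityBaseline", "SecurityBaselineSummary", "SecurityDetection", "SecurityEvent", "WindowsFirewall", "MaliciousIPCommunication", "LinuxAuditLog", "SysmonEvent", "ProtectionStatus", "WindowsEvent")
| summarize IngestedGb=sum(Quantity)/1000. by day=bin(StartTime, 1d)
KQL
}

create_daily_usage_alert() {
  # Scope the rule to the workspace resource id.
  ws_id=$(az monitor log-analytics workspace show -g "$RG" -n "$WORKSPACE" --query id -o tsv)
  # Action group that e-mails the SOC mailbox when the rule fires.
  az monitor action-group create -g "$RG" -n sentinel-usage-ag --short-name sentusage \
    --action email soc "$ALERT_EMAIL" >/dev/null
  ag_id=$(az monitor action-group show -g "$RG" -n sentinel-usage-ag --query id -o tsv)
  # Evaluate every 24h over a 24h window. A threshold of 0 rows means the alert
  # fires each day that any billable data was ingested, so the notification
  # (with a link to the query results) doubles as the daily usage report.
  az monitor scheduled-query create -g "$RG" -n sentinel-daily-usage \
    --scopes "$ws_id" \
    --action-groups "$ag_id" \
    --evaluation-frequency 24h --window-size 24h --severity 3 \
    --condition "count 'Placeholder_1' > 0" \
    --condition-query Placeholder_1="$(usage_query)" \
    --description "Daily Sentinel billable ingestion (GB) for $WORKSPACE"
}

# Only talk to Azure when explicitly asked: `sh create-usage-alert.sh --apply`
if [ "${1:-}" = "--apply" ]; then
  create_daily_usage_alert
fi
```

A second rule with the same shape, but querying the workspace's operation log for daily-cap events, covers the "notify when the cap is hit" case the answer quotes from the documentation.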
