Repository tree:

├── Docs
│   ├── Kit-Guidance.md
│   ├── Managing Costs for Azure Monitor Logs.md
│   ├── Notes-and-Resources.md
│   └── readme.md
├── KQL-Queries
│   ├── Billable-Events-By-Computer.yaml
│   ├── BillableDatavsNotBillableOver30Days.yaml
│   ├── DailyCAPEffect.yaml
│   ├── DailyCAPOverQuota.yaml
│   ├── DailyCapChanges.yaml
│   ├── Data-Volume-By-Computer.yaml
│   ├── Data-Volume-By-Events.yaml
│   ├── Data-volume-by-solution.yaml
│   ├── Data-volume-by-type.yaml
│   ├── DataPerEvent.txt
│   ├── Event-Volume-Per-Table.yaml
│   ├── EventIDs-BilledSize.yaml
│   ├── EventIDs-by-Bytes.yaml
│   ├── IngestionPerHour.txt
│   ├── NodesData24Hours.yaml
│   ├── NodesReporting30days.yaml
│   ├── NodesSendingAnyData.yaml
│   ├── PaloAltoEvents.kql
│   ├── Size-of-ingested-data-per-computer.yaml
│   ├── Sysmon-Events-by-size.yaml
│   ├── TableActivity.yaml
│   ├── Tables-Sizes-Entries.yaml
│   ├── TotalGBCSecurityEvent.txt
│   ├── UEBACosts.kql
│   ├── Using-the-KQL-queries.md
│   ├── Volume-by-RG.yaml
│   ├── Volume-by-sub-yaml
│   ├── count-of-billable-events-ingested-per-computer.yaml
│   ├── data volume by resource group.yaml
│   ├── nodes as billed in the Per Node pricing.yaml
│   ├── size of ingested data per Azure subscription.yaml
│   └── size of ingested data per computer.yaml
├── README.md
├── Scripts
│   ├── Using-the-scripts.md
│   └── readme.md
└── Workbooks
    ├── External-Resource-List.md
    ├── Installing-a-Workbook.md
    └── readme.md

File contents (raw URL where the file is not shown inline; files with no content are marked empty):

/Docs/Kit-Guidance.md: (empty file)
/Docs/Managing Costs for Azure Monitor Logs.md: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/Docs/Managing Costs for Azure Monitor Logs.md
/Docs/Notes-and-Resources.md: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/Docs/Notes-and-Resources.md
/Docs/readme.md: (empty file)
/KQL-Queries/Billable-Events-By-Computer.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Billable-Events-By-Computer.yaml
/KQL-Queries/BillableDatavsNotBillableOver30Days.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/BillableDatavsNotBillableOver30Days.yaml
/KQL-Queries/DailyCAPEffect.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/DailyCAPEffect.yaml
/KQL-Queries/DailyCAPOverQuota.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/DailyCAPOverQuota.yaml
/KQL-Queries/DailyCapChanges.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/DailyCapChanges.yaml
/KQL-Queries/Data-Volume-By-Computer.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Data-Volume-By-Computer.yaml
/KQL-Queries/Data-Volume-By-Events.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Data-Volume-By-Events.yaml
/KQL-Queries/Data-volume-by-solution.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Data-volume-by-solution.yaml
/KQL-Queries/Data-volume-by-type.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Data-volume-by-type.yaml
/KQL-Queries/DataPerEvent.txt: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/DataPerEvent.txt
/KQL-Queries/Event-Volume-Per-Table.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Event-Volume-Per-Table.yaml
/KQL-Queries/EventIDs-BilledSize.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/EventIDs-BilledSize.yaml
/KQL-Queries/EventIDs-by-Bytes.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/EventIDs-by-Bytes.yaml
/KQL-Queries/IngestionPerHour.txt: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/IngestionPerHour.txt
/KQL-Queries/NodesData24Hours.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/NodesData24Hours.yaml
/KQL-Queries/NodesReporting30days.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/NodesReporting30days.yaml
/KQL-Queries/NodesSendingAnyData.yaml: (file content, a single KQL comment line)
    //List of nodes sending any data
/KQL-Queries/PaloAltoEvents.kql: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/PaloAltoEvents.kql
/KQL-Queries/Size-of-ingested-data-per-computer.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Size-of-ingested-data-per-computer.yaml
/KQL-Queries/Sysmon-Events-by-size.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Sysmon-Events-by-size.yaml
/KQL-Queries/TableActivity.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/TableActivity.yaml
/KQL-Queries/Tables-Sizes-Entries.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Tables-Sizes-Entries.yaml
/KQL-Queries/TotalGBCSecurityEvent.txt: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/TotalGBCSecurityEvent.txt
/KQL-Queries/UEBACosts.kql: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/UEBACosts.kql
/KQL-Queries/Using-the-KQL-queries.md: (empty file)
/KQL-Queries/Volume-by-RG.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Volume-by-RG.yaml
/KQL-Queries/Volume-by-sub-yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/Volume-by-sub-yaml
/KQL-Queries/count-of-billable-events-ingested-per-computer.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/count-of-billable-events-ingested-per-computer.yaml
/KQL-Queries/data volume by resource group.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/data volume by resource group.yaml
/KQL-Queries/nodes as billed in the Per Node pricing.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/nodes as billed in the Per Node pricing.yaml
/KQL-Queries/size of ingested data per Azure subscription.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/size of ingested data per Azure subscription.yaml
/KQL-Queries/size of ingested data per computer.yaml: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/KQL-Queries/size of ingested data per computer.yaml
/README.md: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/README.md
/Scripts/Using-the-scripts.md: (empty file)
/Scripts/readme.md: (empty file)
/Workbooks/External-Resource-List.md: https://raw.githubusercontent.com/rod-trent/Azure-Sentinel-Cost-Troubleshooting-Kit/HEAD/Workbooks/External-Resource-List.md
/Workbooks/Installing-a-Workbook.md: (empty file)
/Workbooks/readme.md: (empty file)