Top_10_WindowsEvent_EventIDs.kql
// Author: Ian D. Hanley | LinkedIn: /in/ianhanley/ | Twitter: @IanDHanley | Github: https://github.com/EEN421 | Blog: Hanley.cloud / DevSecOpsDad.com
// This query will break down your top 10 most expensive EventIDs from the Windows Event table over the last 90 days
// East US Region | 100GB/Day commitment tier | Effective Cost per GB - https://azure.microsoft.com/en-ca/pricing/details/microsoft-sentinel/?cdn=disable
let cost = 0.0; //<-- PLACEHOLDER: set this to your effective cost per GB (see the pricing page above); the query below references "cost", so it must be defined here
WindowsEvent
| where TimeGenerated > ago(90d) //<-- Run this query against the past quarter (90 days)
| where _IsBillable == true //<-- Filter out non-billable data (KQL boolean literal is lowercase "true")
| summarize EventCount=count(), Billable_GB=round(sum(_BilledSize/1000/1000/1000), 2) by EventID //<-- _BilledSize is in bytes; convert to GB per EventID
| extend Estimated_Cost=round(Billable_GB*cost, 2) //<-- Create a column (extend) and fill it with results of "Billable_GB x cost" where cost is defined above
| sort by Billable_GB desc //<-- Sort by GB in descending order
| limit 10 //<-- Limit results to top 10 entries
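As an added companion query (not part of the original file), the variant below extends the same breakdown with each EventID's share of total billable WindowsEvent volume and the running cumulative share, which is what you need when deciding which EventIDs a Data Collection Rule filter would actually save money on; `lookback` and the `cost` placeholder are assumptions, not values from the original.

```kql
// Added example: per-EventID cost share over the same lookback window.
let lookback = 90d;               // same quarter window as the original query
let cost = 0.0;                   // <-- PLACEHOLDER: your effective price per GB for your region/commitment tier
let base = WindowsEvent
    | where TimeGenerated > ago(lookback)
    | where _IsBillable == true   // ignore free/non-billable rows
    | summarize EventCount=count(), Billable_GB=sum(_BilledSize)/1000.0/1000/1000 by EventID;
// total billable GB across all EventIDs, used as the denominator for the share columns
let total_gb = toscalar(base | summarize sum(Billable_GB));
base
| sort by Billable_GB desc                                   // serializes rows so row_cumsum works
| extend Pct_of_Total = round(100.0 * Billable_GB / total_gb, 1)
| extend Cumulative_Pct = round(row_cumsum(Pct_of_Total), 1)  // running share: where does ~80% of volume end?
| extend Estimated_Cost = round(Billable_GB * cost, 2)
| project EventID, EventCount, Billable_GB=round(Billable_GB, 2), Pct_of_Total, Cumulative_Pct, Estimated_Cost
| limit 10
```

The Cumulative_Pct column shows how many of the top EventIDs account for the bulk of the bill, so a filtering decision can be weighed against the detection value of those events rather than raw count alone.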