Alert When Microsoft Sentinel Daily Ingestion Reaches a Threshold
Because too much data is never enough
I just wanted to take a quick moment to highlight the efforts of a community member and to make everyone aware of this potential solution.
Ashok Krishna Vemuri wrote a KQL query that reports when the daily data ingestion volume is more than 200GB. This number can be modified to fit your needs, and the query can be used in an Analytics Rule with automation (Playbook, Automation Rule) to send an alert through email, text, or any other means to the team responsible for monitoring ingestion and costs.
The query is located here: https://github.com/le0li9ht/Microsoft-Sentinel-Queries/blob/main/SuddenSpikeInDataIngestion.kql
This is what the current version looks like:
//This query can be used to alert a user in Sentinel when the daily data ingestion volume is more than 200GB.
//You can change the threshold according to your environment.
Usage
| where TimeGenerated > startofday(ago(1d))
| where StartTime >= startofday(ago(1d))   // include the midnight hour of yesterday; a strict > would drop it
| where IsBillable == true                 // billable data only; free data types are excluded from the total
| summarize TotalVolumeGB = sum(Quantity) / 1000 by bin(StartTime, 1d)   // Quantity is reported in MB
| summarize Tot = make_list_if(TotalVolumeGB, StartTime == startofday(ago(1d)))   // yesterday's total as a one-element list
| where Tot[0] > 200 // threshold in GB.
| project-rename TotalVolumeReceivedGB = Tot
I have it running in my demo environment with the following parameters set.
To automate the alert, I opted to send myself an email and assign the Incident that’s created to my engineer.
Have fun with this and let me know what you come up with.
Additionally, if you’d like to go the full Playbook route (instead of relying on an Analytics Rule), see the Ingestion Cost Alert Playbook.
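As an added example that is not part of the original post or the linked repository, the same idea extended so the rule fires only when yesterday's billable volume exceeds both the fixed 200GB floor and a multiple of the trailing 7-day average, and then lists the tables that contributed most so the responder can see which connector caused the jump. The 1.5 ratio and the let-variable names are my assumptions; tune them to your workspace.

```kql
// Added example (not from the original post): threshold plus spike detection with a per-table breakdown.
let threshold_gb = 200.0;                  // fixed floor, same value as the original query
let spike_ratio  = 1.5;                    // assumed ratio over the trailing average; adjust per environment
let yesterday    = startofday(ago(1d));
// Billable GB per day for the last 8 days (7 baseline days plus yesterday). Quantity is in MB.
let daily = Usage
    | where TimeGenerated > startofday(ago(8d))
    | where StartTime >= startofday(ago(8d)) and StartTime < startofday(now())
    | where IsBillable == true
    | summarize DayGB = sum(Quantity) / 1000 by Day = bin(StartTime, 1d);
// Trailing 7-day average; coalesce to 0 so a new workspace with no history still gets the fixed floor.
let baseline = coalesce(toscalar(daily | where Day < yesterday | summarize avg(DayGB)), 0.0);
// Yesterday's total; null if no Usage rows exist, in which case the comparisons below return no rows.
let latest = toscalar(daily | where Day == yesterday | summarize sum(DayGB));
Usage
| where TimeGenerated > yesterday
| where StartTime >= yesterday and StartTime < startofday(now())
| where IsBillable == true
| where latest > threshold_gb and latest > baseline * spike_ratio   // both conditions must hold to alert
| summarize TableGB = round(sum(Quantity) / 1000, 2) by DataType    // which tables drove the volume
| top 5 by TableGB desc
| extend TotalVolumeReceivedGB = round(latest, 2), BaselineAvgGB = round(baseline, 2)
```

Run it in an Analytics Rule on the same daily schedule as the original; an empty result means no alert, and the DataType rows give the responder a starting point without a second query.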