Copilot for Security Plugin: Sentinel Table Sizes and Costs
Shows Sentinel tables by size and how much each one costs.
Table size, and the cost of those tables, continues to be a topic of interest for most Microsoft Sentinel customers. With this plugin, you can use Copilot for Security to surface that information in a much easier way.
Get the plugin file: https://github.com/rod-trent/Copilot-for-Security/blob/main/Plugins/TableSizesCost.yaml
What’s inside the yaml file (indentation restored; YAML is indentation-sensitive):

Descriptor:
  Name: TableSizesCost
  DisplayName: Sentinel Table Sizes and Costs
  Description: Look at all Sentinel tables and identify sizes and costs

SkillGroups:
  - Format: KQL
    Skills:
      - Name: TableSizesCost
        DisplayName: Sentinel Tables Not Ingesting Data
        Description: Look at all Sentinel tables and identify sizes and costs
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
            union withsource=TableName1 * | where TimeGenerated > ago(30d) | summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff("second", now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable == true) by TableName1, _IsBillable | project ['Table Name'] = TableName1, ['Table Entries'] = Entries, ['Table Size'] = Size, ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable, ['Last Record Received'] = last_log, ['Estimated Table Price'] = (estimate / (1024 * 1024 * 1024)) * 0.0 | order by ['Table Size'] desc
Note that you’ll need to replace the placeholder values in angle brackets (TenantId, SubscriptionId, ResourceGroupName and WorkspaceName) with your own environment details. For the 0.0 at the end of the query, enter your own per-GB price based on the pricing tier you use for Microsoft Sentinel. (Tip: Use the Azure Pricing Calculator, enter a value of 1 GB and divide by 30 days.) If you don’t adjust the pricing, the plugin won’t show prices, but you can still ask for table sizes, like the following…
Example of a prompt/something you can ask: Which Sentinel table is the largest?
The KQL query that is being utilized by the plugin:
union withsource=TableName1 *
| where TimeGenerated > ago(30d)
| summarize
    Entries = count(),
    Size = sum(_BilledSize),
    last_log = datetime_diff("second", now(), max(TimeGenerated)),
    estimate = sumif(_BilledSize, _IsBillable == true)
    by TableName1, _IsBillable
| project
    ['Table Name'] = TableName1,
    ['Table Entries'] = Entries,
    ['Table Size'] = Size,
    ['Size per Entry'] = 1.0 * Size / Entries,
    ['IsBillable'] = _IsBillable,
    ['Last Record Received'] = last_log,
    ['Estimated Table Price'] = (estimate / (1024 * 1024 * 1024)) * 0.0
| order by ['Table Size'] desc
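To make it clear what the query above actually computes for each table, here is an added Python model of the same pipeline (where, summarize by table and billable flag, project, order) run over a handful of constructed records. This is example code written for this post, not part of the plugin or of Microsoft's tooling; the records, the `NOW` timestamp, the table names and the 3.0 price are all made up, and `_BilledSize`/`_IsBillable` stand in for the Log Analytics system columns the KQL reads.

```python
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

# Constructed sample of Log Analytics records (not data from any real workspace). Each
# record carries the system columns the plugin's KQL relies on: _BilledSize (bytes)
# and _IsBillable. NOW stands in for KQL's now().
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"TableName1": "SecurityEvent", "TimeGenerated": NOW - timedelta(hours=1), "_BilledSize": 1500, "_IsBillable": True},
    {"TableName1": "SecurityEvent", "TimeGenerated": NOW - timedelta(days=2), "_BilledSize": 2500, "_IsBillable": True},
    {"TableName1": "SecurityEvent", "TimeGenerated": NOW - timedelta(days=40), "_BilledSize": 1000, "_IsBillable": True},  # outside the 30d window
    {"TableName1": "Heartbeat", "TimeGenerated": NOW - timedelta(minutes=5), "_BilledSize": 200, "_IsBillable": False},
    {"TableName1": "Heartbeat", "TimeGenerated": NOW - timedelta(minutes=10), "_BilledSize": 300, "_IsBillable": False},
    {"TableName1": "AzureActivity", "TimeGenerated": NOW - timedelta(hours=3), "_BilledSize": 6000, "_IsBillable": True},
]

BYTES_PER_GB = 1024 * 1024 * 1024


def table_sizes_cost(rows, now, price_per_gb=0.0, lookback_days=30):
    """Python model of the plugin's KQL: where -> summarize by (table, billable) -> project -> order.

    price_per_gb is the per-GB figure the post tells you to substitute for the 0.0 in the
    query; left at 0.0, 'Estimated Table Price' is 0 just as it is in the unedited query.
    """
    cutoff = now - timedelta(days=lookback_days)
    groups = OrderedDict()  # summarize ... by TableName1, _IsBillable
    for r in rows:
        if not r["TimeGenerated"] > cutoff:  # | where TimeGenerated > ago(30d)
            continue
        key = (r["TableName1"], r["_IsBillable"])
        g = groups.setdefault(key, {"Entries": 0, "Size": 0, "estimate": 0, "max_time": None})
        g["Entries"] += 1                                  # count()
        g["Size"] += r["_BilledSize"]                      # sum(_BilledSize)
        if r["_IsBillable"]:                               # sumif(_BilledSize, _IsBillable == true)
            g["estimate"] += r["_BilledSize"]
        if g["max_time"] is None or r["TimeGenerated"] > g["max_time"]:
            g["max_time"] = r["TimeGenerated"]             # max(TimeGenerated)

    projected = []
    for (table, billable), g in groups.items():
        # datetime_diff("second", now(), max(TimeGenerated)): seconds since the newest record
        last_log = int((now - g["max_time"]).total_seconds())
        projected.append({
            "Table Name": table,
            "Table Entries": g["Entries"],
            "Table Size": g["Size"],
            "Size per Entry": 1.0 * g["Size"] / g["Entries"],
            "IsBillable": billable,
            "Last Record Received": last_log,
            "Estimated Table Price": (g["estimate"] / BYTES_PER_GB) * price_per_gb,
        })
    # | order by ['Table Size'] desc
    return sorted(projected, key=lambda row: row["Table Size"], reverse=True)


def largest_table(rows, now, **kwargs):
    """Answers the post's example prompt, 'Which Sentinel table is the largest?'"""
    return table_sizes_cost(rows, now, **kwargs)[0]["Table Name"]


if __name__ == "__main__":
    for row in table_sizes_cost(SAMPLE_ROWS, NOW, price_per_gb=3.0):  # 3.0 is a made-up price
        print(row)
    print("Largest:", largest_table(SAMPLE_ROWS, NOW))
```

Two things the model makes visible: the 40-day-old SecurityEvent record never reaches the totals because of the `ago(30d)` filter, and a table appears once per distinct `_IsBillable` value, so a workspace with both billable and free records in one table will show that table on two rows.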
To install this in your own Copilot for Security instance, see: Add custom plugins