Ingestion Cost Alert Playbook

Posted by

blog banner-ICA.png


Managing cost for cloud services is an essential part of ensuring that you get maximum value for your investment in solutions running on this computing platform. Azure Sentinel is no different. To help you exercise greater control over your budget for Azure Sentinel  this playbook will send you an alert should you exceed a budget that you define for your Azure Sentinel Workspace within a given time-frame. The solution is also available for deployment from Github on this link .


 


Overview of the Logic App


01-overview.png


02-overview.png


 


The Logic App is activated by a Recurrence trigger whose frequency of execution can be adjusted to your requirements


03-reccurence.png


 


Since the Logic App is being deployed from an ARM template you will need to make connections to Azure Monitor, Office 365 and Teams before the Logic App can work in your environment. You can expect to see windows like the one below. Click “Add new” to create a connection to Azure Monitor and subsequently perform a similar operation for the “Send and e-mail” and “Send a Teams message” steps.


04-connections.png


 


The below variables are all declared as integers and can be used to specify values that suit your requirements.


05-variables.png


 


The query below will then run against your workspace and computes the aggregated cost of billable tables in your Azure Monitor Workspace.


06-query.png


Below is the query being executed in the step above in text format which you can use for validation directly in the Log Analytics query window. Ensure to replace the variables below with actual numbers if running the query within the Log Analytics query window.


let price_per_GB = price_per_GB;


let how_many_days = how_many_days;


let total_funding = total_funding;


let threshold_per_day = toreal(total_funding) / toreal(how_many_days);


Usage


| where TimeGenerated > startofday(ago(1d))


| where IsBillable == true


| summarize AggregatedValue= sum(Quantity) * price_per_GB / 1000 by bin(TimeGenerated, 1d)


| where AggregatedValue > threshold_per_day


 


In this step, the aggregated value obtained from the previous step is compared against the budget value you set and should it exceed the amount then the logic branches to the left and sends out an e-mail or a Microsoft Teams message. If you are still within budget, then the logic branches to the right and no message is sent.


 


02-overview.png


 


In the final step below sends out an e-mail to the specified recipient list and a message is posted in a Microsoft Teams channel of your choice


08-sendmessage.png


Additional information on cost alerts can be found in this document


 


 

This articles are republished, there may be more discussion at the original link. But if you found this helpful, you're more than welcome to let us know!

This site uses Akismet to reduce spam. Learn how your comment data is processed.