This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
Azure Sentinel is a modern SIEM solution offering cloud-scale analytics to power your threat detection and response requirements. Like most cloud solutions, the billing for Azure Sentinel is largely based on a pay-per-use model. Specifically for Azure Sentinel, billing is based on the amount of data ingested into Log Analytics and Azure Sentinel. To ensure that you keep continuous visibility should the amount of billable data ingested into the platform spike unexpectedly, we have developed this Logic App to address exactly this sort of scenario.
This ingestion cost spike alert Logic App is based on the principle of anomaly detection and as such utilizes the built-in KQL function series_decompose_anomalies(). It builds a baseline (the expected level of ingestion) from the workspace's historical ingestion pattern over a period of time and then flags a sudden increase of billable data into the workspace that deviates from that baseline. Below is an image depicting the various actions the Logic App steps through, followed by a detailed explanation of the key parts of the query that checks for anomalies based on the historical ingestion pattern. The Logic App is triggered on a recurring schedule; since you will want to be notified promptly when this type of anomaly occurs, running it on a daily basis is a reasonable choice.
Note: This Logic App is complementary to the previously released Ingestion Cost Alert App but different in function. The Ingestion Cost Alert App is designed to send you alerts if the budget you define is exceeded. In contrast, the Ingestion Cost Anomaly App is designed to alert you should there be an unusual spike in the billable data being ingested into the Log Analytics workspace where you have deployed Azure Sentinel. The App lets you set two thresholds that an anomaly must exceed before an alert is sent:
- The minimum increase in the amount of data, in gigabytes, that should trigger an alert. This allows you to suppress alerts triggered by increases you consider immaterial.
- The minimum percentage increase over the baseline. This parameter gives you additional flexibility to manage alerting thresholds by specifying what relative increase you consider worth triggering the anomaly alert on.
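As an added illustration of how the two thresholds combine with series_decompose_anomalies(), the following KQL is an example written for this article, not the query shipped with the Logic App. The parameter names and values (lookback window, 5 GB, 50 %, anomaly score cutoff) are assumptions to be tuned per workspace; the Usage table reports Quantity in MB and is itself not billable, so the query can be run freely.

```kql
// Added example (not the Logic App's own query). All let-values are assumptions.
let lookback         = 30d;   // history used to build the baseline
let minIncreaseGB    = 5.0;   // threshold 1: ignore spikes smaller than this many GB
let minIncreasePct   = 50.0;  // threshold 2: ignore spikes below this % over baseline
let anomalyThreshold = 1.5;   // series_decompose_anomalies() score cutoff (1.5 is the default)
let endTime   = startofday(now());   // exclude today's partial day
let startTime = endTime - lookback;
Usage
| where TimeGenerated between (startTime .. endTime)
| where IsBillable == true
// Build one daily series of billable GB; days with no data become 0 instead of being dropped.
| make-series BillableGB = sum(Quantity) / 1024.0 default = 0
    on TimeGenerated from startTime to endTime step 1d
// Returns three series: flag (+1 spike, -1 dip, 0 normal), anomaly score, and the fitted baseline.
| extend (Anomalies, Score, Baseline) =
    series_decompose_anomalies(BillableGB, anomalyThreshold, -1, 'linefit')
| mv-expand TimeGenerated to typeof(datetime), BillableGB to typeof(double),
            Anomalies to typeof(long), Score to typeof(double), Baseline to typeof(double)
| where Anomalies == 1            // only positive anomalies: a drop in ingestion is a different problem
| extend IncreaseGB  = BillableGB - Baseline
| extend IncreasePct = iff(Baseline > 0, IncreaseGB / Baseline * 100.0, real(null))
// Both user-defined thresholds must be exceeded, so a small workspace doubling from 0.1 GB
// to 0.2 GB (100 %) stays quiet, as does a large one growing 6 GB on a 500 GB/day baseline.
| where IncreaseGB >= minIncreaseGB and IncreasePct >= minIncreasePct
| where TimeGenerated >= endTime - 1d   // alert only on the most recent complete day
| project TimeGenerated,
          BillableGB  = round(BillableGB, 2),
          BaselineGB  = round(Baseline, 2),
          IncreaseGB  = round(IncreaseGB, 2),
          IncreasePct = round(IncreasePct, 1),
          Score
```

Two practical caveats when adapting this: the anomalous day is part of the series the baseline is fitted on, so a spike that persists for several days will gradually be absorbed into the baseline and stop alerting, which is why a budget-style alert remains useful alongside it; and the function also flags dips (flag -1), which the `Anomalies == 1` filter deliberately discards so that an ingestion outage does not surface as a cost alert.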
To deploy the Ingestion Cost Anomaly App, follow this link to our GitHub repo. As part of the deployment process, you will need to specify some parameters on the "Project details" page that determine how sensitive the App is to ingestion anomalies, as well as additional settings specific to your environment. The screenshot below highlights the parameters needed on this form:
Upon a successful run of the Logic App, should there be a billable data ingestion spike in your workspace, an e-mail with contents similar to the one below is sent to the designated recipients:
Special thanks to