Strange result querying Azure Sentinel Costs


I am deploying a cost analysis tool for some Azure Sentinel Pay as you Go products, but the query I found doesn't seem to reflect reality.

I found some queries on a Microsoft page here

And ended with this KQL query:

let t1 = Usage
| where StartTime >= startofday(ago(2d)) and EndTime < endofday(ago(2d))
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 2d), Solution
| extend Solution = iif(Solution == "SecurityInsights", "AzureSentinel", Solution)
| project sumsenti = (BillableDataGB * 5.59)
| summarize d1 = bin(sum(sumsenti), 0.01);
let t2 = Usage
| where StartTime >= startofday(ago(1d)) and EndTime < endofday(ago(1d))
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), Solution
| extend Solution = iif(Solution == "SecurityInsights", "AzureSentinel", Solution)
| project sumsenti = (BillableDataGB * 5.59)
| summarize d2 = bin(sum(sumsenti), 0.01);
union t1,t2
| summarize day1 = sum(d1), day2 = sum(d2)

Where these three lines

| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 2d), Solution
| extend Solution = iif(Solution == "SecurityInsights", "AzureSentinel", Solution)
| project sumsenti = (BillableDataGB * 5.59)

get the amount of billable data and multiply it by 5.59. I need to multiply it by 5.59 since it's the value per GB for Azure, as the Microsoft page says here

The output of this query and what I see in Azure Cost Analysis are too different.

I understand the query pretty well, but for some reason its output shows nearly $3000 for the last two days, while the Azure Cost Analysis tool says that the last days were only 200 for Sentinel. That makes no sense, and I am not sure if the query is OK, or if the query looks for some resources that Cost Analysis doesn't.

Does anyone have any idea why I get such different values in Cost Analysis and in the query?


Answer by SPT:

It is possible that there is an error in your query in the statement for the "bin" function. Below is the correct query, which you can follow:

let t1 = Usage
| where StartTime >= startofday(ago(2d)) and EndTime < endofday(ago(2d))
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by Solution, bin(StartTime, 2d)
| extend Solution = iif(Solution == "SecurityInsights", "AzureSentinel", Solution)
| project sumsenti = (BillableDataGB * 5.59)
| summarize d1 = bin(sum(sumsenti), 0.01);
let t2 = Usage
| where StartTime >= startofday(ago(1d)) and EndTime < endofday(ago(1d))
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by Solution, bin(StartTime, 1d)
| extend Solution = iif(Solution == "SecurityInsights", "AzureSentinel", Solution)
| project sumsenti = (BillableDataGB * 5.59)
| summarize d2 = bin(sum(sumsenti), 0.01);
union t1,t2
| summarize day1 = sum(d1), day2 = sum(d2)

Another possible reason for the mismatch in output cost: there might be a difference between the value in the cost analysis tool and the value shown in Microsoft Sentinel pricing. It's critical to utilise the most recent pricing when estimating costs, because Azure Sentinel's pricing is subject to change.

A different value is shown here: https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/
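A point worth checking that neither the question nor the answer spells out: in both versions of the query, the final `summarize` collapses the per-`Solution` rows, so the total prices every billable solution in the workspace at the Sentinel per-GB rate, not only the `SecurityInsights` rows. The following query is an added example, not the asker's or SPT's query, and keeps the two figures side by side per day so they can be compared with what Cost Analysis reports. It assumes the same `Usage` table columns the thread already uses (`StartTime`, `EndTime`, `IsBillable`, `Quantity` in MB, `Solution`), takes the 5.59 per-GB rate from the question as an assumption that should be re-checked against the pricing page linked above, and assumes that the Cost Analysis figure for Sentinel covers only Sentinel's own meter.

```kql
// Added example (not from the original thread). Assumptions: Usage.Quantity is in MB,
// Sentinel ingestion is reported under Solution == "SecurityInsights", and the
// per-GB rate of 5.59 quoted in the question is still the current price.
let SentinelPricePerGB = 5.59;   // assumption: verify on the Microsoft Sentinel pricing page
// Billable volume per solution and per calendar day for the two whole days before today.
let PerSolution = Usage
    | where StartTime >= startofday(ago(2d)) and EndTime < startofday(now())
    | where IsBillable == true
    | summarize BillableDataGB = sum(Quantity) / 1000. by Day = bin(StartTime, 1d), Solution;
PerSolution
| summarize
    AllSolutionsGB = round(sum(BillableDataGB), 3),
    SentinelGB     = round(sumif(BillableDataGB, Solution == "SecurityInsights"), 3)
    by Day
| extend
    // What the thread's query effectively computes: every solution priced at the Sentinel rate.
    AllSolutionsAtSentinelRate = round(AllSolutionsGB * SentinelPricePerGB, 2),
    // The figure to compare with the Sentinel line in Cost Analysis (assumption, see lead-in).
    SentinelOnlyCost           = round(SentinelGB * SentinelPricePerGB, 2)
| order by Day asc
```

If `AllSolutionsAtSentinelRate` lands near the ~3000 from the question while `SentinelOnlyCost` is close to the ~200 that Cost Analysis shows, the gap is explained by the missing `Solution` filter rather than by the `bin` argument order. If both columns are far from the Cost Analysis value, the remaining suspects are the per-GB rate itself, which SPT's answer already points to, and any pricing tier that changes the effective rate; running `PerSolution` on its own also shows which non-Sentinel solutions contribute the most volume.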