Workbooks

Workbooks are graphical representations of KQL queries. They are excellent for quickly pulling up the data you need and presenting it in tables, graphs, and maps. You can create a custom one, download one from the content hub, or sometimes receive them as part of solution packages.

If you are new to workbooks, some good ones to start with from the content hub are:

  • Microsoft Sentinel Optimization Workbook
  • Microsoft Sentinel Cost
    • This is just a rough estimate. Don't treat it as your actual bill; it doesn't account for advanced scenarios.

Microsoft Sentinel Cost

Let's walk through a single workbook example using the Microsoft Sentinel Cost workbook. First, let's set this workbook up. Note that you don't have to save a copy of a workbook to view its data, but saving one usually means less configuration the next time you open it if you have to adjust parameters, as you will in this workbook.

  1. Once installed, go to the Workbooks page and select the templates tab at the top of the page.
  2. Select the Sentinel Cost workbook and choose Save template. Saving the template allows the parameters you select to be saved so you don't have to populate them next time you open the workbook.
  3. Now select View saved workbook.
  4. Once opened, adjust the following parameters at the top of the workbook:
    1. TimeRange: I recommend 30 days, as thinking of cost in terms of a month makes more logical sense for most users.
    2. Workspace: Leave this as is unless you have multiple Sentinel workspaces.
    3. Ingestion price: You can see this on the Settings page unless your licensing partner hides billing from you. If they do, go to the Sentinel pricing page, choose your region, and get the ingestion price there.
    4. Retention: Leave this as is. You can check your cost on the Azure Monitor pricing page, but most regions for US customers are between $0.10 and $0.13 per GB.
    5. Total seat: Enter how many E5 or equivalent licenses you have. This is for the E5 data grant, which provides 5 MB per license per day of data ingestion for certain tables within Sentinel.
  5. Once you have updated the parameters, hit Save at the top of the page.

After you have set up the workbook, and assuming your Sentinel environment is more than a few days old, you can take a look at the data the workbook is presenting.

The first section contains an estimated cost for everything in the workbook. It does not factor in any potential E5 data grants. There is also no mechanism in the workbook to account for Defender for Cloud data grants.

Below this you will see a cost breakdown per table, again without accounting for any E5 data grants.

The next section is a blurb about the E5 data grant and a link to the official Microsoft page with information about the grant. Just below this you will see a table with two lines: one static line representing how much daily data you can ingest for free, and another line showing how much data was ingested each day. If you are worried about cost, then ideally you are staying below the daily ingest grant line.
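The grant comparison described above can also be run directly in the Logs blade. The query below is an added example, not the workbook's own query: it uses the standard Log Analytics Usage table (Quantity is in MB), and the seat count and the two table names in GrantTables are placeholder assumptions to replace with your license count and the eligible tables listed on Microsoft's grant page.

```kql
// Added example: daily ingestion compared with the E5 data grant.
// Assumptions (replace with your own values):
let TotalSeats = 500;                                    // constructed license count
let GrantMBPerSeat = 5.0;                                // 5 MB per license per day
let GrantTables = dynamic(["SigninLogs", "AuditLogs"]);  // illustrative subset only
// Daily grant in GB, using the same MB-to-GB factor as the ingestion figures below.
let GrantGBPerDay = TotalSeats * GrantMBPerSeat / 1000.0;
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
// One row per day: everything billable, and the part that the grant can offset.
| summarize
    TotalGB = sum(Quantity) / 1000.0,
    GrantEligibleGB = sumif(Quantity, DataType in (GrantTables)) / 1000.0
    by Day = bin(TimeGenerated, 1d)
| extend GrantGB = GrantGBPerDay
// Eligible ingestion above the grant line is still billed.
| extend OverGrantGB = max_of(GrantEligibleGB - GrantGB, 0.0)
// The grant can only offset eligible data, and never more than was ingested.
| extend BillableAfterGrantGB = TotalGB - min_of(GrantEligibleGB, GrantGB)
| project Day, TotalGB, GrantEligibleGB, GrantGB, OverGrantGB, BillableAfterGrantGB
| order by Day asc
```

Days where OverGrantGB is above zero are the days the ingestion line crosses the grant line.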

At the bottom you will find information about retention costs if you are retaining any data beyond 90 days, and finally pricing for Logic Apps if you are using them in automation playbooks.