Descriptor: Name: Summarize Sentinel Cost details for a specified time and date range. DisplayName: "Sentinel KQL: Sentinel Cost Details" Description: Skills that lookup recent Sentinel Cost Details from Sentinel workspace. #Can you lookup what my Sentinel costs are for the past 7 days? #Can you provide a detailed summary of my total Sentinel costs for the past 90 days? Be sure to explain what each table is used for within Sentinel and the security value it provides. Also total up all the costs to give me an average monthly cost. Also be sure to give any cost saving recommendations based on my data ingestion. Settings: - Name: TenantId Label: TenantId Description: Azure tenant ID where Sentinel exists. HintText: Azure tenant ID where Sentinel exists. SettingType: String Required: true - Name: SubscriptionId Label: SubscriptionId Description: Azure subscription ID where Sentinel exists. HintText: Azure subscription ID where Sentinel exists. SettingType: String Required: true - Name: WorkspaceName Label: WorkspaceName Description: Log Analytics workspace name for Sentinel. HintText: Log Analytics workspace name for Sentinel. SettingType: String Required: true - Name: ResourceGroupName Label: ResourceGroupName Description: Resource group where Sentinel workspace exists. HintText: Resource group where Sentinel workspace exists. SettingType: String Required: true SkillGroups: - Format: KQL Skills: - Name: GetSentinelCost DisplayName: Get Sentinel Cost Description: Fetches all the Sentinel Cost details for each table for the specified time and date range from Sentinel. Inputs: - Name: fromDateTime Description: The from time and date Required: true - Name: toDateTime Description: The to time and date Required: true Settings: Target: Sentinel TenantId: "{{TenantId}}" SubscriptionId: "{{SubscriptionId}}" ResourceGroupName: "{{ResourceGroupName}}" WorkspaceName: "{{WorkspaceName}}" Template: |- let fromDateTime=datetime('{{fromDateTime}}'); let toDateTime=datetime('{{toDateTime}}'); Usage | where IsBillable == true | where TimeGenerated between ( fromDateTime .. toDateTime ) | where DataType <> "AzureDiagnostics" | summarize size = sum(Quantity)/1024, sizeOther = sumif(Quantity,(DataType !contains "_CL" and TimeGenerated between ( fromDateTime .. toDateTime )))/1024 by DataType | project ['Table Name'] = DataType, ['Table Size'] = size, ['Estimated cost'] = size*4.3 | order by ['Estimated cost'] desc | take 20