根据文档 https://learn.microsoft.com/en-us/azure/azure-monitor/logs/daily-cap:
当 Log Analytics 工作区达到每日上限时,Azure 门户中会显示横幅,并且事件会写入工作区中的操作表。您应该创建一个警报规则,以便在发生这种情况时主动通知您。
当达到每日上限时,您可以通过创建一个来接收警报日志警报规则 https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-unified-log通过指定目标范围 and 状况.
要查看每日上限的效果,请尝试以下 Kusto 查询,根据文档 https://learn.microsoft.com/en-us/azure/azure-monitor/logs/daily-cap#view-the-effect-of-the-daily-cap:
let DailyCapResetHour=14;
Usage
| where DataType !in ("SecurityAlert", "SecurityBaseline", "SecurityBaselineSummary", "SecurityDetection", "SecurityEvent", "WindowsFirewall", "MaliciousIPCommunication", "LinuxAuditLog", "SysmonEvent", "ProtectionStatus", "WindowsEvent")
| where TimeGenerated > ago(32d)
| extend StartTime=datetime_add("hour",-1*DailyCapResetHour,StartTime)
| where StartTime > startofday(ago(31d))
| where IsBillable
| summarize IngestedGbBetweenDailyCapResets=sum(Quantity)/1000. by day=bin(StartTime , 1d) // Quantity in units of MB
| render areachart
参考:Sentinel 每日配额 https://techcommunity.microsoft.com/t5/microsoft-sentinel/daily-quota-for-sentinel/m-p/3128882, 摄取成本峰值检测手册 https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingestion-cost-spike-detection-playbook/ba-p/2591301 and 如何分析 Microsoft Sentinel 每日上限警报 https://www.verboon.info/2022/05/how-to-analyze-microsoft-sentinel-daily-cap-alerts-aadnoninteractiveusersigninlogs/
