<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Daily Cap on Anything About IT</title><link>https://www.verboon.info/tags/daily-cap/</link><description>Recent content in Daily Cap on Anything About IT</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 20 May 2022 20:18:50 +0000</lastBuildDate><atom:link href="https://www.verboon.info/tags/daily-cap/index.xml" rel="self" type="application/rss+xml"/><item><title>How to analyze Microsoft Sentinel Daily Cap Alerts - AADNonInteractiveUserSignInLogs</title><link>https://www.verboon.info/2022/05/how-to-analyze-microsoft-sentinel-daily-cap-alerts-aadnoninteractiveusersigninlogs/</link><pubDate>Fri, 20 May 2022 20:18:50 +0000</pubDate><guid>https://www.verboon.info/2022/05/how-to-analyze-microsoft-sentinel-daily-cap-alerts-aadnoninteractiveusersigninlogs/</guid><description>&lt;p&gt;To avoid unplanned costs for Microsoft Sentinel, it is recommended to set a daily cap and create an analytics rule that triggers an alert when the daily cap is reached. Microsoft has published general guidance for monitoring costs &lt;a href="https://learn.microsoft.com/azure/sentinel/billing-monitor-costs"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In the past months I have deployed a number of Microsoft Sentinel instances, and in many cases the root cause of reaching the daily cap was data ingested into the AADNonInteractiveUserSignInLogs table. When analyzing the data, we often found an individual user who generated an unusually high number of events. This can happen for various reasons, such as:&lt;/p&gt;</description></item></channel></rss>