articles/sentinel/basic-logs-use-cases.md (4 additions, 10 deletions)
@@ -1,24 +1,18 @@
1
1
---
2
-
title: When to use Basic or Auxiliary Logs in Microsoft Sentinel
3
-
description: Learn what log sources might be appropriate for Basic Log or Auxiliary Log ingestion.
2
+
title: When to use Auxiliary Logs in Microsoft Sentinel
3
+
description: Learn what log sources might be appropriate for Auxiliary Log or Basic Log ingestion.
4
4
author: cwatson-cat
5
5
ms.author: cwatson
6
6
ms.topic: conceptual
7
-
ms.date: 06/24/2024
7
+
ms.date: 07/21/2024
8
8
appliesto:
9
9
- Microsoft Sentinel in the Azure portal
10
10
- Microsoft Sentinel in the Microsoft Defender portal
11
11
ms.collection: usx-security
12
12
---
13
13
# Log sources to use for Basic Logs or Auxiliary Logs ingestion
14
14
15
-
Log collection is critical to a successful security analytics program. The more log sources you have for an investigation or threat hunt, the more you might accomplish.
16
-
17
-
The primary log sources used for detection often contain the metadata and context of what was detected. But sometimes you need secondary log sources to provide a complete picture of the security incident or breach. Unfortunately, many of these secondary log sources are high-volume, verbose logs with limited security detection value. They're useful for providing rich context for a security incident investigation or a threat hunt, but their high volume makes them expensive to store and retain when they're not being used. That is where Basic Logs and Auxiliary Logs come in. These two log types provide lower-cost and super-low-cost options for ingestion of high-volume, verbose logs into your Log Analytics workspace.
18
-
19
-
Event log data in Basic and Auxiliary Logs can't be used as the primary log source for security incidents and alerts. But these log types' event data is useful to correlate with and enrich your primary log data, and draw more informed conclusions, when you investigate an incident or hunt for threats.
20
-
21
-
This topic highlights log sources to consider configuring for Basic or Auxiliary Logs when they're stored in Log Analytics tables. Before choosing a log type for which to configure a given table, do the research to see which is most appropriate. For more information about log data plans, see [Select a table plan based on data usage in a Log Analytics workspace](../azure-monitor/logs/basic-logs-configure.md).
15
+
This article highlights log sources to consider configuring as Auxiliary Logs (or Basic Logs) when they're stored in Log Analytics tables. Before choosing a log type for which to configure a given table, do the research to see which is most appropriate. For more information about data categories and log data plans, see [Log retention plans in Microsoft Sentinel](log-plans.md).
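Review bot: the deleted paragraphs (old lines 15 to 19) carried the one operational caveat in this article, that event data in Basic and Auxiliary Logs can't be used as the primary log source for security incidents and alerts and is meant for correlation and enrichment during investigation or hunting; if that limitation still holds, keep a one-sentence statement of it here rather than relying on the reader following the link, since this is the page people land on when picking a plan for a table. The front-matter title is now "When to use Auxiliary Logs in Microsoft Sentinel" while the unchanged H1 still reads "# Log sources to use for Basic Logs or Auxiliary Logs ingestion"; pick one ordering of the two log types and use it in both. The link target also changed from `../azure-monitor/logs/basic-logs-configure.md` to `log-plans.md`; that relative path doesn't appear anywhere else in this change, so confirm the article exists under `articles/sentinel/` before merging, otherwise the only remaining pointer to plan selection breaks.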
title: Configure data retention and archive in Microsoft Sentinel
2
+
title: Configure interactive and long-term data retention in Microsoft Sentinel
3
3
description: Towards the end of your deployment procedure, you set up data retention to suit your organization's needs.
4
-
author: limwainstein
4
+
author: cwatson-cat
5
5
ms.topic: how-to
6
-
ms.date: 07/05/2023
7
-
ms.author: lwainstein
8
-
#Customer intent: As a SOC analyst, I want to set up data retention and archive settings so I can retain the data that's important to my organization in the long term.
6
+
ms.date: 07/21/2024
7
+
ms.author: cwatson
8
+
#Customer intent: As a SOC analyst, I want to set up interactive and long-term data retention settings so I can retain the data that's important to my organization in the long term.
9
9
---
10
10
11
-
# Configure data retention and archive in Microsoft Sentinel
11
+
# Configure interactive and long-term data retention in Microsoft Sentinel
12
12
13
-
In the previous deployment step, you enabled the User and Entity Behavior Analytics (UEBA) feature to streamline your analysis process. In this article, you learn how to set up data retention and archive, to make sure your organization retains the data that's important in the long term. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
13
+
In the previous deployment step, you enabled the User and Entity Behavior Analytics (UEBA) feature to streamline your analysis process. In this article, you learn how to set up interactive and long-term data retention, to make sure your organization retains the data that's important in the long term. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
14
14
15
15
## Configure data retention and archive
16
16
17
-
Retention policies define when to remove or archive data in a Log Analytics workspace. Archiving lets you keep older, less used data in your workspace at a reduced cost. To set up data retention, use one or both of these methods, depending on your use case:
17
+
Retention policies define when to remove data, or mark it for long-term retention, in a Log Analytics workspace. Long-term retention lets you keep older, less used data in your workspace at a reduced cost. To set up data retention plans, consult [Log retention plans in Microsoft Sentinel](log-plans.md), and use one or both of these methods, depending on your use case:
18
18
19
19
-[Configure data retention and archive for one or more tables](../azure-monitor/logs/data-retention-archive.md) (one table at a time)
20
20
-[Configure data retention and archive for multiple tables](https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Archive-Log-Tool) at once
21
21
22
22
## Next steps
23
23
24
-
In this article, you learned how to set up data retention and archive.
24
+
In this article, you learned how to set up interactive and long-term data retention.
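Review bot: the rename to "interactive and long-term data retention" is incomplete in this file: the H2 at line 15 still reads "## Configure data retention and archive", and both link texts at lines 19 and 20 still say "Configure data retention and archive for ...". Those two lines also start with `-[Configure` with no space after the hyphen, so they don't render as a Markdown list; while touching them, change to `- [Configure data retention and archive for one or more tables]`. The new sentence at line 17, "define when to remove data, or mark it for long-term retention", is a good correction of the old "remove or archive" wording, since retention here is a state transition rather than a move to separate storage.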
articles/sentinel/configure-data-retention.md (5 additions, 5 deletions)
@@ -14,13 +14,13 @@ ms.custom: template-tutorial
14
14
15
15
In this tutorial, you'll set a retention policy for a table in your Log Analytics workspace that you use for Microsoft Sentinel or Azure Monitor. These steps allow you to keep older, less used data in your workspace at a reduced cost.
16
16
17
-
Retention policies in a Log Analytics workspace define when to migrate data tables in the workspace to low-cost, minimal-access *auxiliary retention* (formerly known as archive) plans. By default, all tables in your workspace inherit the workspace's *interactive retention* setting and have no auxiliary retention (archive) policy. You can modify the interactive and auxiliary retention policies of individual tables, except for workspaces in the legacy Free Trial pricing tier.
17
+
Retention policies in a Log Analytics workspace define when to transition old records in data tables in the workspace to the low-cost, minimal-access *long-term retention* (formerly known as archive) state. By default, all tables in your workspace inherit the workspace's *interactive retention* setting and have no long-term retention (archive) policy. You can modify the interactive and long-term retention policies of individual tables, except for workspaces in the legacy Free Trial pricing tier.
18
18
19
19
In this tutorial, you learn how to:
20
20
21
21
> [!div class="checklist"]
22
22
> * Set the retention policy for a table
23
-
> * Review interactive and auxiliary retention policies
23
+
> * Review interactive and long-term retention policies
24
24
25
25
## Prerequisites
26
26
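Review bot: the new line 17 says "long-term retention (formerly known as archive)" and then, in the next sentence, "no long-term retention (archive) policy"; after the "formerly known as" gloss the second parenthetical is redundant and can be dropped. Otherwise the rewrite is accurate: tables inherit the workspace interactive retention, have no long-term retention by default, and both values can be overridden per table except on the legacy Free Trial tier, which matches the checklist item updated at line 23 of the same hunk.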
@@ -36,9 +36,9 @@ To complete the steps in this tutorial, you must have the following resources an
36
36
37
37
- Log Analytics workspace.
38
38
39
-
## Review interactive and auxiliary retention policies
39
+
## Review interactive and long-term retention policies
40
40
41
-
On the **Tables** page for the table you updated, review the field values for **Interactive retention** and **Total retention period**. The auxiliary retention (archive) period equals the total retention period in days minus the interactive retention in days. For example, you set the following values:
41
+
On the **Tables** page for the table you updated, review the field values for **Interactive retention** and **Total retention period**. The long-term retention (archive) period equals the total retention period in days minus the interactive retention in days. For example, you set the following values:
42
42
43
43
| Field | Value |
44
44
| ----- | ----- |
@@ -51,7 +51,7 @@ So the **Tables** page shows the following an archive period of 310 days.
51
51
52
52
## Set the retention policy for a table
53
53
54
-
In your Log Analytics workspace, clear the **Use default workspace settings** setting if you want to change the interactive retention period from its default of 31 days (90 days for Microsoft Sentinel workspaces). Then, change the total retention policy for a table like **SecurityAlert** to 3 years of data. The *total retention* period is the sum of the *interactive* and *auxiliary* (archive) retention periods.
54
+
In your Log Analytics workspace, clear the **Use default workspace settings** setting if you want to change the interactive retention period from its default of 90 days (for Microsoft Sentinel workspaces) or 31 days (for other workspaces). Then, change the total retention policy for a table like **SecurityAlert** to 3 years of data. The *total retention* period is the sum of the *interactive* and *auxiliary* (archive) retention periods.
55
55
56
56
1. Sign in to the [Azure portal](https://portal.azure.com).
57
57
1. In the Azure portal, search for and open **Log Analytics workspaces**.
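Review bot: the new line 54 still ends with "the sum of the *interactive* and *auxiliary* (archive) retention periods", so this hunk reorders the defaults but leaves the "auxiliary" term that the rest of this change replaces with "long-term"; update it to "*interactive* and *long-term* (archive) retention periods" to match the heading at line 39 and the sentence at line 41. The hunk's context line "So the **Tables** page shows the following an archive period of 310 days." has a stray "the following" and also still says "archive"; worth fixing in the same pass. Putting the 90-day Microsoft Sentinel default before the 31-day Log Analytics default is a good clarification, since the old parenthetical left it ambiguous which value applies to a Sentinel-enabled workspace.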
articles/sentinel/deploy-overview.md (2 additions, 2 deletions)
@@ -34,9 +34,9 @@ The deployment phase is typically performed by a SOC analyst or related roles.
34
34
| --------- | ------- |
35
35
|[**1. Enable Microsoft Sentinel, health and audit, and content**](enable-sentinel-features-content.md)| Enable Microsoft Sentinel, enable the health and audit feature, and enable the solutions and content you've identified according to your organization's needs. </br></br> To onboard to Microsoft Sentinel by using the API, see the latest supported version of [Sentinel Onboarding States](/rest/api/securityinsights/sentinel-onboarding-states). |
36
36
|[**2. Configure content**](configure-content.md)| Configure the different types of Microsoft Sentinel security content, which allow you to detect, monitor, and respond to security threats across your systems: Data connectors, analytics rules, automation rules, playbooks, workbooks, and watchlists. |
37
-
|[**3. Set up a cross-workspace architecture**](use-multiple-workspaces.md)|If your environment requires multiple workspaces, you can now set them up as part of your deployment. In this article, you learn how to set up Microsoft Sentinel to extend across multiple workspaces and tenants. |
37
+
|[**3. Set up a cross-workspace architecture**](use-multiple-workspaces.md)|If your environment requires multiple workspaces, you can now set them up as part of your deployment. In this article, you learn how to set up Microsoft Sentinel to extend across multiple workspaces and tenants. |
38
38
|[**4. Enable User and Entity Behavior Analytics (UEBA)**](enable-entity-behavior-analytics.md)| Enable and use the UEBA feature to streamline the analysis process. |
39
-
|[**5. Set up data retention and archive**](configure-data-retention-archive.md)|Set up data retention and archive, to make sure your organization retains the data that's important in the long term.|
39
+
|[**5. Set up interactive and long-term data retention**](configure-data-retention-archive.md)|Set up interactive and long-term data retention, to make sure your organization retains the data that's important in the long term. |
40
40
41
41
## Fine tune and review: Checklist for post-deployment
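Review bot: row 3 (old line 37 / new line 37) shows no visible text difference, so this is a whitespace-only edit, most likely a trailing space; harmless, but it adds noise to blame for a row that didn't change meaning. Row 5 now reads "Set up interactive and long-term data retention" but still links to configure-data-retention-archive.md, whose filename keeps "archive"; that is fine as long as the file isn't renamed later without a redirect, since this table and the deployment guide's "Next steps" chain are the entry points to it.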