articles/sentinel/basic-logs-use-cases.md (2 additions & 6 deletions)
@@ -18,11 +18,7 @@ ms.collection: usx-security
This article highlights log sources to consider configuring as Auxiliary Logs (or Basic Logs) when they're stored in Log Analytics tables. Before choosing a log type for which to configure a given table, do the research to see which is most appropriate. For more information about data categories and log data plans, see [Log retention plans in Microsoft Sentinel](log-plans.md).
-
> [!IMPORTANT]
-
>
-
> The **Auxiliary Logs** log type is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
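Review bot: Dropping the preview callout matches the rest of this commit, but the unchanged lead sentence above still introduces the tables as "Auxiliary Logs (or Basic Logs)", while log-plans.md in this same commit deletes its Basic logs plan section and the bullet calling basic logs the predecessor plan; consider whether that parenthetical should still equate the two plans or instead describe basic logs as the older option.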
articles/sentinel/billing-reduce-costs.md (2 additions & 2 deletions)
@@ -53,7 +53,7 @@ When hunting or investigating threats in Microsoft Sentinel, you might need to a
## Select low-cost log types for high-volume, low-value data
-
While standard analytics logs are most appropriate for continuous, real-time threat detection, two other log types—[basic logs and auxiliary logs](/azure/azure-monitor/logs/basic-logs-configure)—are more suited for ad-hoc querying and search of verbose, high-volume, low-value logs that aren't frequently needed or accessed on demand. Enable basic log data ingestion at a significantly reduced cost, or auxiliary log data ingestion (now in Preview) at an even lower cost, for eligible data tables. For more information, see [Microsoft Sentinel Pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
+
While standard analytics logs are most appropriate for continuous, real-time threat detection, two other log types—[basic logs and auxiliary logs](/azure/azure-monitor/logs/basic-logs-configure)—are more suited for ad-hoc querying and search of verbose, high-volume, low-value logs that aren't frequently needed or accessed on demand. Enable basic log data ingestion at a significantly reduced cost, or auxiliary log data ingestion at an even lower cost, for eligible data tables. For more information, see [Microsoft Sentinel Pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).
-[Log retention plans in Microsoft Sentinel](log-plans.md)
-[Log sources to use for Auxiliary Logs ingestion](basic-logs-use-cases.md)
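Review bot: The only change here is removing "(now in Preview)", which is correct, but the same sentence still links the phrase "basic logs and auxiliary logs" to /azure/azure-monitor/logs/basic-logs-configure; verify that target covers the auxiliary plan, or point the auxiliary logs wording at log-plans.md#auxiliary-logs-plan, the anchor log-plans.md itself uses.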
@@ -88,7 +88,7 @@ Microsoft Sentinel security data might lose some of its value after a few months
To help you reduce Microsoft Sentinel data retention costs, Azure Monitor now offers long-term retention. Data that ages out of its interactive retention state can still be retained for up to twelve years, at a much-reduced cost, and with limitations on its usage. For more information, see [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-configure).
-
You can reduce costs even further by enrolling tables that contain secondary security data in the **Auxiliary logs** plan (now in Preview). This plan allows you to store high-volume, low-value logs at a low price, with a lower-cost 30-day interactive retention period at the beginning to allow for summarization and basic querying. To learn more about the Auxiliary logs plan and other plans, see [Log retention plans in Microsoft Sentinel](log-plans.md). While the auxiliary logs plan remains in Preview, you also have the option of enrolling these tables in the **Basic logs** plan. Basic logs offers similar functionality to auxiliary logs, but with less of a cost savings.
+
You can reduce costs even further by enrolling tables that contain secondary security data in the **Auxiliary logs** plan. This plan allows you to store high-volume, low-value logs at a low price, with a lower-cost 30-day interactive retention period at the beginning to allow for summarization and basic querying. To learn more about the Auxiliary logs plan and other plans, see [Log retention plans in Microsoft Sentinel](log-plans.md). While the auxiliary logs plan remains in Preview, you also have the option of enrolling these tables in the **Basic logs** plan. Basic logs offers similar functionality to auxiliary logs, but with less of a cost savings.
## Use data collection rules for your Windows Security Events
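Review bot: Leftover preview wording in the replaced paragraph: the new line drops "(now in Preview)" from the first sentence, yet the same paragraph still says "While the auxiliary logs plan remains in Preview, you also have the option of enrolling these tables in the **Basic logs** plan." If the plan is now generally available, that sentence and the following basic-logs comparison should be reworded or removed, in line with the deletion of the Basic logs plan section in log-plans.md.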
articles/sentinel/billing.md (0 additions & 4 deletions)
@@ -90,10 +90,6 @@ These two log types are best suited for use in playbook automation, ad-hoc query
To learn more about the difference between **interactive retention** and **long-term retention** (formerly known as archive), see [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-archive).
-
> [!IMPORTANT]
-
>
-
> The **Auxiliary Logs** log type is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
-
### Simplified pricing tiers
Simplified pricing tiers combine the data analysis costs for Microsoft Sentinel and ingestion storage costs of Log Analytics into a single pricing tier. The following screenshot shows the simplified pricing tier that all new workspaces use.
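Review bot: The callout removal is fine, but the unchanged context line about interactive versus long-term retention links to /azure/azure-monitor/logs/data-retention-archive, while billing-reduce-costs.md and log-plans.md in this same commit link to /azure/azure-monitor/logs/data-retention-configure for the same topic; consider updating this link to the same target while the file is being touched.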
articles/sentinel/log-plans.md (3 additions & 15 deletions)
@@ -18,11 +18,7 @@ These competing needs require a log management strategy that balances data acces
This article discusses categories of data and the retention states used to store and access your data. It also describes the log plans Microsoft Sentinel offers you to build a log management and retention strategy.
-
> [!IMPORTANT]
-
>
-
> The **Auxiliary Logs** log type is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
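Review bot: The hunk header (-18,11 +18,7) counts four deleted lines but only the three callout lines are shown; confirm the blank line that followed the callout was removed too, so the article does not end up with a double blank line before the next section.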
@@ -64,9 +60,7 @@ This category encompasses logs whose individual security value is limited but ar
Some examples of secondary data log sources are cloud storage access logs, NetFlow logs, TLS/SSL certificate logs, firewall logs, proxy logs, and IoT logs. To learn more about how each of these sources brings value to security detections without being needed all the time, see [Log sources to use for Auxiliary Logs ingestion](basic-logs-use-cases.md).
-
Logs containing secondary security data should be stored using the [**Auxiliary logs**](#auxiliary-logs-plan) plan (now in Preview) described later in this article.
-
-
For a non-preview option, you can use [**Basic logs**](#basic-logs-plan) instead.
+
Logs containing secondary security data should be stored using the [**Auxiliary logs**](#auxiliary-logs-plan) plan described later in this article.
## Log management plans
@@ -76,8 +70,6 @@ Microsoft Sentinel provides two different log storage plans, or types, to accomm
- The [**Auxiliary logs**](#auxiliary-logs-plan) plan is designed to store secondary security data at very low cost for long periods of time, while still allowing for limited accessibility.
-
- A third plan, [**Basic logs**](#basic-logs-plan), is the predecessor of the auxiliary logs plan, and can be used as a substitute for it while the auxiliary logs plan remains in preview.
-
**Each of these plans preserves data in two different states:**
- The **interactive retention** state is the initial state into which the data is ingested. This state allows different levels of access to the data, depending on the plan, and costs for this state vary widely, depending on the plan.
@@ -102,14 +94,10 @@ The **Auxiliary logs** plan keeps data in the **interactive retention** state fo
When the interactive retention period ends, data goes into the **long-term retention** state, remaining in its original table. Long-term retention in the auxiliary logs plan is similar to long-term retention in the analytics logs plan, except that the only option to access the data is with a [**search job**](investigate-large-datasets.md). [Restore](restore.md) is not supported for the auxiliary logs plan.
-
### Basic logs plan
-
-
A third plan, known as **Basic logs**, provides similar functionality to the auxiliary logs plan, but at a higher interactive retention cost (though not as high as the analytics logs plan). While the auxiliary logs plan remains in preview, basic logs can be an option for long-term, low-cost retention if your organization doesn't use preview features. To learn more about the basic logs plan, see [Table plans](/azure/azure-monitor/logs/data-platform-logs#table-plans) in the Azure Monitor documentation.
-
## Related content
- For a more in-depth comparison of log data plans, and more general information about log types, see [Azure Monitor Logs overview | Table plans](/azure/azure-monitor/logs/data-platform-logs#table-plans).
-
- To set up a table in the Auxiliary logs plan, see [Set up a table with the Auxiliary plan in your Log Analytics workspace (Preview)](/azure/azure-monitor/logs/create-custom-table-auxiliary).
+
- To set up a table in the Auxiliary logs plan, see [Set up a table with the Auxiliary plan in your Log Analytics workspace](/azure/azure-monitor/logs/create-custom-table-auxiliary).
- To understand more about retention periods—which exist across plans—see [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-configure).
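Review bot: Deleting the whole "### Basic logs plan" section also removes the #basic-logs-plan anchor and the only pointer to the Azure Monitor Table plans page; the in-file link to that anchor goes away in an earlier hunk of this file, but billing-reduce-costs.md and soc-optimization-reference.md in this same commit still present basic logs as a current option, so either those pages should stop referencing it or a one-line note with the Table plans link should remain here so readers who already have tables on the Basic plan know where to look. The Related content change that drops "(Preview)" from the setup link is fine.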
articles/sentinel/soc-optimization/soc-optimization-reference.md (1 addition & 1 deletion)
@@ -43,7 +43,7 @@ The following table lists the available types of data value SOC optimization rec
| Type of observation | Action |
|---------|---------|
-
| The table wasn’t used by analytics rules or detections in the last 30 days but was used by other sources, such as workbooks, log queries, hunting queries. | Turn on analytics rule templates <br>OR<br>Move to [auxiliary logs (Preview) or basic logs](../billing.md#auxiliary-logs-and-basic-logs) if the table is eligible. |
+
| The table wasn’t used by analytics rules or detections in the last 30 days but was used by other sources, such as workbooks, log queries, hunting queries. | Turn on analytics rule templates <br>OR<br>Move to [auxiliary logs or basic logs](../billing.md#auxiliary-logs-and-basic-logs) if the table is eligible. |
| The table wasn’t used at all in the last 30 days. | Turn on analytics rule templates <br>OR<br> Stop data ingestion and remove the table or move the table to long term retention. |
| The table was only used by Azure Monitor. | Turn on any relevant analytics rule templates for tables with security value <br>OR<br>Move to a non-security Log Analytics workspace. |
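Review bot: The "(Preview)" removal in the changed row is consistent with the billing.md hunk it links to. One small style point in the unchanged row just below it: "move the table to long term retention" is written without the hyphen, while the retention pages linked elsewhere in this commit use "long-term retention"; worth aligning while this table is being edited.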