Merge pull request #300733 from guywi-ms/patch-547221

v-ccolin · web-flow · commit 31f86b106ce2 · 2025-06-24T10:51:15.000+01:00
Update search-jobs.md
diff --git a/articles/sentinel/investigate-large-datasets.md b/articles/sentinel/investigate-large-datasets.md
@@ -1,6 +1,6 @@
 ---
 title: Start an investigation by searching large datasets - Microsoft Sentinel
-description: Learn about search jobs and restoring archived data in Microsoft Sentinel.
+description: Learn about search jobs and restoring data from long-term retention in Microsoft Sentinel.
 author: cwatson-cat
 ms.topic: conceptual
 ms.date: 03/03/2024
@@ -11,7 +11,7 @@ appliesto:
 ms.collection: usx-security
 
 
-#Customer intent: As a security analyst, I want to search and restore archived log data so that I can conduct thorough investigations on historical events.
+#Customer intent: As a security analyst, I want to search and restore log data from long-term retention so that I can conduct thorough investigations on historical events.
 
 ---
 
@@ -47,26 +47,11 @@ You can also search analytics or basic log data stored in [long-term retention](
 
 ### Limitations of a search job
 
-Before you start a search job, be aware of the following limitations:
+See [Search job limitations](/azure/azure-monitor/logs/search-jobs#limitations) in the Azure Monitor documentation.
 
-- Optimized to query one table at a time.
-- Search date range is up to seven years.
-- Supports long running searches up to a 24-hour time-out.
-- Results are limited to one million records in the record set.
-- Concurrent execution per user is limited to five search jobs per workspace.
-- Limited to 100 search results tables per workspace.
-- Limited to 100 search job executions per day per workspace.
+## Restore log data from long-term retention
 
-Search jobs aren't currently supported for the following workspaces:
-
-- Customer-managed key enabled workspaces
-- Workspaces in the China East 2 region
-
-To learn more, see [Search job in Azure Monitor](/azure/azure-monitor/logs/search-jobs) in the Azure Monitor documentation.
-
-## Restore historical data from archived logs
-
-When you need to do a full investigation on data stored in archived logs, restore a table from the **Search** page in Microsoft Sentinel. Specify a target table and time range for the data you want to restore. Within a few minutes, the log data is restored and available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full KQL.
+When you need to do a full investigation on log data in long-term retention, restore a table from the **Search** page in Microsoft Sentinel. Specify a target table and time range for the data you want to restore. Within a few minutes, the log data is restored and available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full KQL.
 
 A restored log table is available in a new table that has a *_RST suffix. The restored data is available as long as the underlying source data is available. But you can delete restored tables at any time without deleting the underlying source data. To save costs, we recommend you delete the restored table when you no longer need it.
 
@@ -76,17 +61,7 @@ The following image shows the restore option on a saved search.
 
 ### Limitations of log restore
 
-Before you start to restore an archived log table, be aware of the following limitations:
-
-
-- Restore data for a minimum of two days.
-- Restore data more than 14 days old.
-- Restore up to 60 TB.
-- Restore is limited to one active restore per table.
-- Restore up to four archived tables per workspace per week.
-- Limited to two concurrent restore jobs per workspace.
-
-To learn more, see [Restore logs in Azure Monitor](/azure/azure-monitor/logs/restore).
+See [Restore limitations](/azure/azure-monitor/logs/restore#limitations) in the Azure Monitor documentation.
 
 ## Bookmark search results or restored data rows
 
@@ -95,4 +70,4 @@ Similar to the [threat hunting dashboard](hunting.md#use-the-hunting-dashboard),
 ## Next steps
 
 - [Search across long time spans in large datasets](search-jobs.md)
-- [Restore archived logs from search](restore.md)
+- [Restore logs from long-term retention](restore.md)
diff --git a/articles/sentinel/search-jobs.md b/articles/sentinel/search-jobs.md
@@ -1,27 +1,27 @@
 ---
-title: Search across long time spans in large datasets - Microsoft Sentinel
+title: Search for specific events across large datasets in Microsoft Sentinel
 description: Learn how to use search jobs to search large datasets.
-author: austinmccollum
+author: guywi-ms
 ms.topic: how-to
-ms.date: 03/17/2025
-ms.author: austinmc
+ms.date: 03/06/2025
+ms.author: guywild
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
 ms.collection: usx-security
 
 
-#Customer intent: As a security analyst, I want to search and analyze historical log data across large datasets so that I can investigate and identify specific events.
+#Customer intent: As a security analyst, I want to search through historical log data in a specific table so that I can find and analyze specific events.
 
 ---
 
-# Search across long time spans in large datasets
+# Search for specific events across large datasets in Microsoft Sentinel
 
-Use a search job when you start an investigation to find specific events in logs up to seven years ago. You can search events across all your logs, including events in Analytics, Basic, and Archived log plans. Filter and look for events that match your criteria.
+Use a search job when you start an investigation to scan through up to a year of data in a table for specific events. You can a run search job on any table, including tables with the Analytics, Basic, and Auxiliary log plans. The search job sends its results to a new Analytics table in the same workspace as the source data. 
 
-- For more information on search job concepts and limitations, see [Start an investigation by searching large datasets](investigate-large-datasets.md) and [Search jobs in Azure Monitor](/azure/azure-monitor/logs/search-jobs).
+This article explains how to run a search job in Microsoft Sentinel and how to work with the search job results.
 
-- Search jobs across certain data sets might incur extra charges. For more information, see [Microsoft Sentinel pricing page](billing.md).
+Search jobs across certain data sets might incur extra charges. For more information, see [Microsoft Sentinel pricing page](billing.md).
 
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
@@ -51,7 +51,7 @@ Go to **Search** in Microsoft Sentinel from the Azure portal or the Microsoft De
 
    :::image type="content" source="media/search-jobs/search-job-advanced-kql-ellipsis.png" alt-text="Screenshot of KQL editor with revised search with ellipsis highlighted for Search job mode." lightbox="media/search-jobs/search-job-advanced-kql-ellipsis.png":::
 
-1. Specify the search job date range using the **Time range** selector. Don't include a time range in your KQL query as it is ignored.
+1. Specify the search job date range using the **Time range** selector. If your query also specifies a time range, Microsoft Sentinel runs the search job on the union of the time ranges.
 
 1. Resolve any KQL issues indicated by a squiggly red line in the editor.
 
@@ -91,5 +91,5 @@ View the status and results of your search job by going to the **Saved Searches*
 To learn more, see the following articles.
 
 - [Hunt with bookmarks](bookmarks.md)
-- [Restore archived logs](restore.md)
-- [Configure data retention and archive policies in Azure Monitor Logs (Preview)](/azure/azure-monitor/logs/data-retention-configure)
+- [Restore logs from long-term retention](restore.md)
+- [Manage data retention in a Log Analytics workspace](/azure/azure-monitor/logs/data-retention-configure)
