articles/sentinel/restore.md
Lines changed: 21 additions & 27 deletions
@@ -3,7 +3,7 @@ title: Restore archived logs from search - Microsoft Sentinel
3
3
description: Learn how to restore archived logs from search job results.
4
4
author: cwatson-cat
5
5
ms.topic: how-to
6
-
ms.date: 03/03/2024
6
+
ms.date: 09/25/2024
7
7
ms.author: cwatson
8
8
appliesto:
9
9
- Microsoft Sentinel in the Azure portal
@@ -15,28 +15,27 @@ ms.collection: usx-security
15
15
16
16
Restore data from an archived log to use in high performing queries and analytics.
17
17
18
-
Before you restore data in an archived log, see [Start an investigation by searching large datasets (preview)](investigate-large-datasets.md) and [Restore in Azure Monitor](/azure/azure-monitor/logs/restore).
Before you restore data in an archived log, see [Start an investigation by searching large datasets (preview)](investigate-large-datasets.md) and [Restore in Azure Monitor](/azure/azure-monitor/logs/restore).
23
+
22
24
## Restore archived log data
23
25
24
-
To restore archived log data in Microsoft Sentinel, specify the table and time range for the data you want to restore. Within a few minutes, the log data is available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full Kusto Query Language (KQL).
26
+
To restore archived log data in Microsoft Sentinel, specify the table and time range for the data you want to restore. Within a few minutes, the log data is available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full Kusto Query Language (KQL).
25
27
26
-
You can restore archived data directly from the **Search** page or from a saved search.
28
+
Restore archived data directly from the **Search** page or from a saved search.
27
29
28
-
1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **General**, select **Search**. <br>For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Search**.
29
-
1. Restore log data in one of two ways:
30
-
- At the top of **Search** page, select **Restore**.
31
-
:::image type="content" source="media/restore/search-page-restore.png" alt-text="Screenshot of restore button at the top of the search page.":::
32
-
- Select the **Saved Searches** tab and **Restore** on the appropriate search.
33
-
:::image type="content" source="media/restore/search-results-restore.png" alt-text="Screenshot of the restore link on a saved search.":::
30
+
1. In Microsoft Sentinel, select **Search**. In the [Azure portal](https://portal.azure.com), this page is listed under **General**. In the [Defender portal](https://security.microsoft.com/), this page is at the Microsoft Sentinel root level.
34
31
35
-
1. Select the table you want to restore.
36
-
1. Select the time range of the data that you want restore.
37
-
1. Select **Restore**.
32
+
1. Restore log data using one of the following methods:
38
33
39
-
:::image type="content" source="media/restore/restoration-page.png" alt-text="Screenshot of the restoration page with table and time range selected.":::
34
+
- Select :::image type="icon" source="media/restore/restore-button.png" border="false"::: **Restore** at the top of the page. In the **Restoration** pane on the side, select the table and time range you want to restore, and then select **Restore at the bottom of the pane**.
35
+
36
+
- Select **Saved searches**, locate the search results you want to restore, and then select **Restore**. If you have multiple tables, select the one you want to restore and then select **Actions > Restore** in the side pane. For example:
37
+
38
+
:::image type="content" source="media/restore/restore-azure.png" alt-text="Screenshot of restoring a specific site search.":::
40
39
41
40
1. Wait for the log data to be restored. View the status of your restoration job by selecting on the **Restoration** tab.
42
41
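Review bot: The bold markup in the first method bullet is misplaced: `select **Restore at the bottom of the pane**` bolds the whole phrase, but only the button label is UI text; change it to `select **Restore** at the bottom of the pane`, matching the `**Restore**` and `**Actions > Restore**` style used in the Saved searches bullet. Two smaller points in the same hunk: the new screenshot's alt text, "Screenshot of restoring a specific site search.", doesn't describe the Saved searches flow it sits under (something like "Screenshot of restoring a saved search." would match the step), and the three screenshots this hunk stops referencing (search-page-restore.png, search-results-restore.png, restoration-page.png) should be removed from media/restore if nothing else uses them. While you're here, the unchanged context line "by selecting on the **Restoration** tab" reads better as "by selecting the **Restoration** tab".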
@@ -46,28 +45,23 @@ View the status and results of the log data restore by going to the **Restoratio
46
45
47
46
1. In Microsoft Sentinel, select **Search** > **Restoration**.
48
47
49
-
:::image type="content" source="media/restore/restoration-tab.png" alt-text="Screenshot of the restoration tab on the search page.":::
50
-
51
-
1. When your restore job is complete, select the table name.
48
+
1. When your restore job is complete and the status is updated, select the table name and review the results.
52
49
53
-
:::image type="content" source="media/restore/data-available-select-table.png" alt-text="Screenshot that shows rows with completed restore jobs and a table selected.":::
50
+
In the [Azure portal](https://portal.azure.com), results are shown in the **Logs** query page. In the [Defender portal](https://security.microsoft.com/), results are shown in the **Advanced hunting** page.
54
51
55
-
1. Review the results.
52
+
For example:
56
53
57
54
:::image type="content" source="media/restore/restored-data-logs-view.png" alt-text="Screenshot that shows the logs query pane with the restored table results.":::
58
55
59
-
The Logs query pane shows the name of table containing the restored data. The **Time range** is set to a custom time range that uses the start and end times of the restored data.
56
+
The **Time range** is set to a custom time range that uses the start and end times of the restored data.
60
57
61
58
## Delete restored data tables
62
59
63
-
To save costs, we recommend you delete the restored table when you no longer need it. When you delete a restored table, Azure doesn't delete the underlying source data.
60
+
To save costs, we recommend you delete the restored table when you no longer need it. When you delete a restored table, the underlying source data isn't deleted.
64
61
62
+
1. In Microsoft Sentinel, select **Search** > **Restoration** and identify the table you want to delete.
65
63
66
-
1. In Microsoft Sentinel, select **Search** > **Restoration**.
67
-
1. Identify the table you want to delete.
68
-
1. Select **Delete** for that table row.
69
-
70
-
:::image type="content" source="media/restore/delete-restored-table.png" alt-text="Screenshot of restoration tab that shows the delete button on each row.":::
64
+
1. Select **Delete** for that table row to delete the restored table.
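Review bot: The closing sentence "The **Time range** is set to a custom time range that uses the start and end times of the restored data." now follows a paragraph that introduces two different result views (the **Logs** query page in the Azure portal and the **Advanced hunting** page in the Defender portal), but the screenshot and that sentence describe only the Logs query pane; either state that the custom time range applies to the Logs view, or confirm the same behaviour in Advanced hunting and say so. Also check that the paragraphs added under step 1 ("In the [Azure portal](...)..." and "For example:") are indented to stay inside the numbered list, otherwise the step that follows renders as a new list starting at 1. The two screenshots this hunk drops (restoration-tab.png and delete-restored-table.png) should be removed from media/restore if they're no longer referenced elsewhere.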