articles/sentinel/billing-reduce-costs.md
2 additions & 2 deletions
@@ -70,11 +70,11 @@ For more information about dedicated clusters, see [Log Analytics dedicated clus
70
70
71
71
## Reduce data retention costs with long-term retention
72
72
73
-
Microsoft Sentinel interactive data retention is free for the first 90 days. To adjust the data retention period in Log Analytics, select **Usage and estimated costs** in the left navigation, then select **Data retention**, and then adjust the slider.
73
+
Microsoft Sentinel retains data by default in interactive form for the first 90 days. To adjust the data retention period in Log Analytics, select **Usage and estimated costs** in the left navigation, then select **Data retention**, and then adjust the slider.
74
74
75
75
Microsoft Sentinel security data might lose some of its value after a few months. Security operations center (SOC) users might not need to access older data as frequently as newer data, but still might need to access the data for sporadic investigations or audit purposes.
76
76
77
-
To help you reduce Microsoft Sentinel data retention costs, Azure Monitor now offers long-term retention. Data that ages out of its interactive retention state can still be retained for up to twelve years, at a much-reduced cost, and with limitations on its usage. For more information, see [Configure interactive and long-term data retention policies in Azure Monitor Logs](../azure-monitor/logs/data-retention-archive.md).
77
+
To help you reduce Microsoft Sentinel data retention costs, Azure Monitor now offers long-term retention. Data that ages out of its interactive retention state can still be retained for up to twelve years, at a much-reduced cost, and with limitations on its usage. For more information, see [Manage data retention in a Log Analytics workspace](../azure-monitor/logs/data-retention-configure.md).
78
78
79
79
You can reduce costs even further by enrolling tables that contain secondary security data in the **Auxiliary logs** plan (now in Preview). This plan allows you to store high-volume, low-value logs at a low price, with a lower-cost 30-day interactive retention period at the beginning to allow for summarization and basic querying. To learn more about the Auxiliary logs plan and other plans, see [Log retention plans in Microsoft Sentinel](log-plans.md). While the auxiliary logs plan remains in Preview, you also have the option of enrolling these tables in the **Basic logs** plan. Basic logs offers similar functionality to auxiliary logs, but with less of a cost savings.
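Review bot: the rewritten sentence (old line 72, new line 73) drops the statement that the first 90 days of interactive retention are free and replaces it with the neutral "retains data by default in interactive form for the first 90 days", but nothing else in this section now says when retention charges begin. If the free period no longer applies or is priced differently, say so explicitly or link to the pricing page, since the heading still promises to reduce retention costs; if it does still apply, keep the word "free". The new link target and text, "[Manage data retention in a Log Analytics workspace](../azure-monitor/logs/data-retention-configure.md)", match the link already used in log-plans.md, so that part is consistent.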
articles/sentinel/log-plans.md
13 additions & 14 deletions
@@ -48,7 +48,7 @@ This category consists of logs that hold critical security value for your organi
48
48
49
49
Some examples of primary data sources include logs from antivirus or enterprise detection and response (EDR) systems, authentication logs, audit trails from cloud platforms, threat intelligence feeds, and alerts from external systems.
50
50
51
-
Logs containing primary security data should be stored using the [**Analytics logs**](#analytics-logs-plan) plan.
51
+
Logs containing primary security data should be stored using the [**Analytics logs**](#analytics-logs-plan) plan described later in this article.
52
52
53
53
### Secondary security data
54
54
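Review bot: the unchanged context line "logs from antivirus or enterprise detection and response (EDR) systems" expands EDR incorrectly; EDR is endpoint detection and response. Worth fixing while this paragraph is being touched. The added phrase "described later in this article" after the in-page anchor is fine, and the same wording is used in the Auxiliary logs counterpart in the next hunk, which keeps the two sections parallel.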
@@ -64,43 +64,42 @@ This category encompasses logs whose individual security value is limited but ar
64
64
65
65
Some examples of secondary data log sources are cloud storage access logs, NetFlow logs, TLS/SSL certificate logs, firewall logs, proxy logs, and IoT logs. To learn more about how each of these sources brings value to security detections without being needed all the time, see [Log sources to use for Auxiliary Logs ingestion](basic-logs-use-cases.md).
66
66
67
-
Logs containing secondary security data should be stored using the [**Auxiliary logs**](#auxiliary-logs-plan) plan.
67
+
Logs containing secondary security data should be stored using the [**Auxiliary logs**](#auxiliary-logs-plan) plan described later in this article.
68
68
69
69
## Log management plans
70
70
71
71
Microsoft Sentinel provides two different log storage plans, or types, to accommodate these categories of ingested data.
72
72
73
-
-[**Analytics logs** plan](#analytics-logs-plan)
74
-
-[**Auxiliary logs** plan](#auxiliary-logs-plan)
73
+
- The [**Analytics logs**](#analytics-logs-plan) plan is designed to store primary security data and make it easily and constantly accessible at high performance.
74
+
75
+
- The [**Auxiliary logs**](#auxiliary-logs-plan) plan is designed to store secondary security data at very low cost for long periods of time, while still allowing for limited accessibility.
76
+
75
77
- A third plan, [**Basic logs**](#basic-logs-plan), is the predecessor of the auxiliary logs plan, and can be used as a substitute for it while the auxiliary logs plan remains in preview.
76
78
77
79
**Each of these plans preserves data in two different states:**
78
80
79
81
- The **interactive retention** state is the initial state into which the data is ingested. This state allows different levels of access to the data, depending on the plan, and costs for this state vary widely, depending on the plan.
82
+
80
83
- The **long-term retention** state preserves older data in its original tables for up to 12 years, at **extremely low cost**, regardless of the plan.
81
84
82
85
To learn more about retention states, see [Manage data retention in a Log Analytics workspace](../azure-monitor/logs/data-retention-configure.md).
83
86
84
-
### Analytics logs plan
87
+
The following diagram summarizes and compares these two log management plans.
85
88
86
-
**Analytics logs** are designed to store primary security data and make it easily and constantly accessible at high performance.
89
+
:::image type="content" border="false" source="media/log-plans/analytics-auxiliary-log-plans.png" alt-text="Diagram of available log plans in Microsoft Sentinel.":::
87
90
88
-
This plan keeps data in the **interactive retention** state for **90 days** by default, extensible for up to two years. This interactive state, while expensive, allows you to query your data in unlimited fashion, with high performance, at no charge per query.
91
+
### Analytics logs plan
92
+
93
+
The **Analytics logs** plan keeps data in the **interactive retention** state for **90 days** by default, extensible for up to two years. This interactive state, while expensive, allows you to query your data in unlimited fashion, with high performance, at no charge per query.
89
94
90
95
When the interactive retention period ends, data goes into the **long-term retention** state, while remaining in its original table. The long-term retention period is not defined by default, but you can define it to last up to 12 years. This retention state preserves your data at extremely low cost, for regulatory compliance or internal policy purposes. You can access the data in this state only by using a [**search job**](investigate-large-datasets.md) or [**restore**](restore.md) to pull out limited sets of data into a new table in interactive retention, where you can bring the full query capabilities to bear on it.
91
96
92
97
### Auxiliary logs plan
93
98
94
-
**Auxiliary logs** are designed to store secondary security data at very low cost for long periods of time, while still allowing for limited accessibility.
95
-
96
-
This plan keeps data in the **interactive retention** state for **30 days**. In the Auxiliary plan, this state has very low retention costs as compared to the Analytics plan. However, the query capabilities are limited: queries are charged per gigabyte of data scanned and are limited to a single table, and performance is significantly lower.
99
+
The **Auxiliary logs** plan keeps data in the **interactive retention** state for **30 days**. In the Auxiliary plan, this state has very low retention costs as compared to the Analytics plan. However, the query capabilities are limited: queries are charged per gigabyte of data scanned and are limited to a single table, and performance is significantly lower.
97
100
98
101
When the interactive retention period ends, data goes into the **long-term retention** state, remaining in its original table. Long-term retention in the auxiliary logs plan is similar to long-term retention in the analytics logs plan, except that the only option to access the data is with a [**search job**](investigate-large-datasets.md). [Restore](restore.md) is not supported for the auxiliary logs plan.
99
102
100
-
The following diagram summarizes and compares these two log management plans.
101
-
102
-
:::image type="content" border="false" source="media/log-plans/analytics-auxiliary-log-plans.png" alt-text="Diagram of available log plans in Microsoft Sentinel.":::
103
-
104
103
### Basic logs plan
105
104
106
105
A third plan, known as **Basic logs**, provides similar functionality to the auxiliary logs plan, but at a higher interactive retention cost (though not as high as the analytics logs plan). While the auxiliary logs plan remains in preview, basic logs can be an option for long-term, low-cost retention if your organization doesn't use preview features. To learn more about the basic logs plan, see [Table plans](../azure-monitor/logs/data-platform-logs.md#table-plans) in the Azure Monitor documentation.
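Review bot: the unchanged intro "Microsoft Sentinel provides two different log storage plans, or types" now sits directly above a three-item list, because the new bullet adds Basic logs as "A third plan". Either reword the intro (for example "two log storage plans, plus a legacy Basic logs plan") or keep Basic logs out of that list so the count matches. Relatedly, the sentence "The following diagram summarizes and compares these two log management plans" has been moved above the "### Analytics logs plan" heading, so it now appears before either plan has been described; something like "The following diagram compares the two plans, which are described in the next sections" reads better in the new position. Finally, the new Basic logs bullet says the plan "can be used as a substitute" for auxiliary logs during preview, while the Basic logs section at the end adds that it costs more than auxiliary logs; consider carrying that cost caveat into the bullet so readers do not pick it without knowing the trade-off.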