articles/sentinel/investigate-large-datasets.md
6 additions & 16 deletions
@@ -1,6 +1,6 @@
---
title: Start an investigation by searching large datasets - Microsoft Sentinel
-
description: Learn about search jobs and restoring archived data in Microsoft Sentinel.
+
description: Learn about search jobs and restoring data from long-term retention in Microsoft Sentinel.
author: cwatson-cat
ms.topic: conceptual
ms.date: 03/03/2024
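Review bot: `ms.date: 03/03/2024` (the last line of this hunk) is left untouched while the `description:` line is rewritten from "restoring archived data" to "restoring data from long-term retention"; bump the freshness date in the same change so the published page reflects when the terminology was updated, otherwise the metadata says the article has not changed since March 2024.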
@@ -11,7 +11,7 @@ appliesto:
ms.collection: usx-security
-
#Customer intent: As a security analyst, I want to search and restore archived log data so that I can conduct thorough investigations on historical events.
+
#Customer intent: As a security analyst, I want to search and restore log data from long-term retention so that I can conduct thorough investigations on historical events.
---
@@ -49,9 +49,9 @@ You can also search analytics or basic log data stored in [long-term retention](
See [Search job limitations](/azure/azure-monitor/logs/search-jobs#limitations) in the Azure Monitor documentation.
-
## Restore historical data from archived logs
+
## Restore log data from long-term retention
-
When you need to do a full investigation on data stored in archived logs, restore a table from the **Search** page in Microsoft Sentinel. Specify a target table and time range for the data you want to restore. Within a few minutes, the log data is restored and available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full KQL.
+
When you need to do a full investigation on log data in long-term retention, restore a table from the **Search** page in Microsoft Sentinel. Specify a target table and time range for the data you want to restore. Within a few minutes, the log data is restored and available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full KQL.
A restored log table is available in a new table that has a *_RST suffix. The restored data is available as long as the underlying source data is available. But you can delete restored tables at any time without deleting the underlying source data. To save costs, we recommend you delete the restored table when you no longer need it.
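Review bot: renaming the heading from `## Restore historical data from archived logs` to `## Restore log data from long-term retention` changes its generated anchor, so any in-repo link or external bookmark to `#restore-historical-data-from-archived-logs` will now land at the top of the page; search the docs set for that fragment and update it (or add a redirect) before merging. The retained paragraph about the `*_RST` table still reads correctly against the new wording, so no further edit is needed there.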
@@ -61,17 +61,7 @@ The following image shows the restore option on a saved search.
### Limitations of log restore
-
Before you start to restore an archived log table, be aware of the following limitations:
-
-
-
- Restore data for a minimum of two days.
-
- Restore data more than 14 days old.
-
- Restore up to 60 TB.
-
- Restore is limited to one active restore per table.
-
- Restore up to four archived tables per workspace per week.
-
- Limited to two concurrent restore jobs per workspace.
-
-
To learn more, see [Restore logs in Azure Monitor](/azure/azure-monitor/logs/restore).
+
See [Restore limitations](/azure/azure-monitor/logs/restore#limitations) in the Azure Monitor documentation.
## Bookmark search results or restored data rows
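Review bot: the replacement line `See [Restore limitations](/azure/azure-monitor/logs/restore#limitations) in the Azure Monitor documentation.` drops the six concrete constraints an analyst has to satisfy before a restore request is accepted (minimum of two days, data more than 14 days old, up to 60 TB, one active restore per table, four tables per workspace per week, two concurrent restore jobs per workspace). If the goal is a single source of truth in Azure Monitor, confirm that the `#limitations` fragment actually exists on the target page (a missing anchor silently lands at the top), and consider leaving one sentence noting that size, age and concurrency limits apply so readers do not skip the link. The pattern matches the `See [Search job limitations](...)` line in the previous hunk, so the style is consistent.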
@@ -80,4 +70,4 @@ Similar to the [threat hunting dashboard](hunting.md#use-the-hunting-dashboard),
## Next steps
-[Search across long time spans in large datasets](search-jobs.md)
-
-[Restore archived logs from search](restore.md)
+
-[Restore logs from long-term retention](restore.md)
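Review bot: as rendered here the Next steps items read `-[Search across long time spans in large datasets](search-jobs.md)` and `-[Restore logs from long-term retention](restore.md)` with no space after the list marker; Markdown requires `- [` for these to render as a bulleted list, so confirm the source file has the space (the unchanged search-jobs line shows the same form, so if it is real it predates this change). The new link text matches the renamed body heading, which is the right call.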