articles/sentinel/restore.md
20 additions & 30 deletions
@@ -3,7 +3,7 @@ title: Restore archived logs from search - Microsoft Sentinel
3
3
description: Learn how to restore archived logs from search job results.
4
4
author: cwatson-cat
5
5
ms.topic: how-to
6
-
ms.date: 03/03/2024
6
+
ms.date: 09/25/2024
7
7
ms.author: cwatson
8
8
appliesto:
9
9
- Microsoft Sentinel in the Azure portal
@@ -15,28 +15,27 @@ ms.collection: usx-security
15
15
16
16
Restore data from an archived log to use in high performing queries and analytics.
17
17
18
-
Before you restore data in an archived log, see [Start an investigation by searching large datasets (preview)](investigate-large-datasets.md) and [Restore in Azure Monitor](/azure/azure-monitor/logs/restore).
Before you restore data in an archived log, see [Start an investigation by searching large datasets (preview)](investigate-large-datasets.md) and [Restore in Azure Monitor](/azure/azure-monitor/logs/restore).
23
+
22
24
## Restore archived log data
23
25
24
-
To restore archived log data in Microsoft Sentinel, specify the table and time range for the data you want to restore. Within a few minutes, the log data is available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full Kusto Query Language (KQL).
26
+
To restore archived log data in Microsoft Sentinel, specify the table and time range for the data you want to restore. Within a few minutes, the log data is available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full Kusto Query Language (KQL).
27
+
28
+
Restore archived data directly from the **Search** page or from a saved search.
25
29
26
-
You can restore archived data directly from the **Search**page or from a saved search.
30
+
1. In Microsoft Sentinel, select **Search**. In the [Azure portal](https://portal.azure.com), this page is listed under **General**. In the [Defender portal](https://security.microsoft.com/), this page is at the Microsoft Sentinel root level.
27
31
28
-
1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **General**, select **Search**. <br>For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Search**.
29
-
1. Restore log data in one of two ways:
30
-
- At the top of **Search** page, select **Restore**.
31
-
:::image type="content" source="media/restore/search-page-restore.png" alt-text="Screenshot of restore button at the top of the search page.":::
32
-
- Select the **Saved Searches** tab and **Restore** on the appropriate search.
33
-
:::image type="content" source="media/restore/search-results-restore.png" alt-text="Screenshot of the restore link on a saved search.":::
32
+
1. Restore log data using one of the following methods:
34
33
35
-
1. Select the table you want to restore.
36
-
1. Select the time range of the data that you want restore.
37
-
1. Select **Restore**.
34
+
- Select :::image type="icon" source="media/restore/restore-button.png" border="false"::: **Restore** at the top of the page. In the **Restoration** pane on the side, select the table and time range you want to restore, and then select **Restore at the bottom of the pane**.
38
35
39
-
:::image type="content" source="media/restore/restoration-page.png" alt-text="Screenshot of the restoration page with table and time range selected.":::
36
+
- Select **Saved searches**, locate the search results you want to restore, and then select **Restore**. If you have multiple tables, select the one you want to restore and then select **Actions > Restore** in the side pane. For example:
37
+
38
+
:::image type="content" source="media/restore/restore-azure.png" alt-text="Screenshot of restoring a specific site search.":::
40
39
41
40
1. Wait for the log data to be restored. View the status of your restoration job by selecting on the **Restoration** tab.
42
41
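Review bot: the bold span in the new "Restore at the top of the page" bullet wraps the whole phrase, `select **Restore at the bottom of the pane**`, so the page renders "at the bottom of the pane" as if it were part of the button label; only the button name should be bold, i.e. `select **Restore** at the bottom of the pane`. Also worth a look in the same hunk: the unchanged step "View the status of your restoration job by selecting on the **Restoration** tab" reads better as "by selecting the **Restoration** tab" now that the surrounding steps have been rewritten.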
@@ -46,28 +45,19 @@ View the status and results of the log data restore by going to the **Restoratio
46
45
47
46
1. In Microsoft Sentinel, select **Search** > **Restoration**.
48
47
49
-
:::image type="content" source="media/restore/restoration-tab.png" alt-text="Screenshot of the restoration tab on the search page.":::
50
-
51
-
1. When your restore job is complete, select the table name.
52
-
53
-
:::image type="content" source="media/restore/data-available-select-table.png" alt-text="Screenshot that shows rows with completed restore jobs and a table selected.":::
48
+
1. When your restore job is complete and the status is updated, select the table name and review the results.
54
49
55
-
1. Review the results.
50
+
In the [Azure portal](https://portal.azure.com), results are shown in the **Logs** query page. In the [Defender portal](https://security.microsoft.com/), results are shown in the **Advanced hunting** page.
56
51
57
-
:::image type="content" source="media/restore/restored-data-logs-view.png" alt-text="Screenshot that shows the logs query pane with the restored table results.":::
58
-
59
-
The Logs query pane shows the name of table containing the restored data. The **Time range** is set to a custom time range that uses the start and end times of the restored data.
52
+
In both portals, the **Time range** is set to a custom time range that uses the start and end times of the restored data.
60
53
61
54
## Delete restored data tables
62
55
63
-
To save costs, we recommend you delete the restored table when you no longer need it. When you delete a restored table, Azure doesn't delete the underlying source data.
64
-
56
+
To save costs, we recommend you delete the restored table when you no longer need it. When you delete a restored table, the underlying source data isn't deleted.
65
57
66
-
1. In Microsoft Sentinel, select **Search** > **Restoration**.
67
-
1. Identify the table you want to delete.
68
-
1. Select **Delete** for that table row.
58
+
1. In Microsoft Sentinel, select **Search** > **Restoration** and identify the table you want to delete.
69
59
70
-
:::image type="content" source="media/restore/delete-restored-table.png" alt-text="Screenshot of restoration tab that shows the delete button on each row.":::
60
+
1. Select **Delete** for that table row to delete the restored table.
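Review bot: merging "select **Search** > **Restoration**" and "identify the table you want to delete" into one step also drops the `delete-restored-table.png` screenshot without a replacement, so the reader no longer sees where the per-row **Delete** control sits. Since the restore section was updated with portal-specific screenshots (`restore-azure.png`), consider either keeping the existing screenshot or adding an equivalent one here, and note in the text whether the **Delete** control looks the same in the Azure portal and the Defender portal.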