|
| 1 | +--- |
| 2 | +title: Start an investigation by searching large datasets - Microsoft Sentinel |
| 3 | +description: Learn about search jobs and restoring archived data in Microsoft Sentinel. |
| 4 | +author: cwatson-cat |
| 5 | +ms.topic: conceptual |
| 6 | +ms.date: 01/21/2022 |
| 7 | +ms.author: cwatson |
| 8 | +--- |
| 9 | + |
| 10 | +# Start an investigation by searching for events in large datasets (preview) |
| 11 | + |
| 12 | +One of the primary activities of a security team is to search logs for specific events. For example, you might search logs for the activities of a specific user within a given time-frame. |
| 13 | + |
| 14 | +In Microsoft Sentinel, you can search across long time periods in extremely large datasets by using a search job. While you can run a search job on any type of log, search jobs are ideally suited to search archived logs. If you need to do a full investigation on archived data, you can restore that data into the hot cache to run high performing queries and analytics. |
| 15 | + |
| 16 | +> [!IMPORTANT] |
| 17 | +> The search job and restore features are currently in **PREVIEW**. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
| 18 | +> |
| 19 | +
|
| 20 | +## Search large datasets |
| 21 | + |
| 22 | +Use a search job when you start an investigation to find specific events in logs within a given time frame. You can search all your logs to find events that match your criteria and filter through the results. |
| 23 | + |
| 24 | +Search in Microsoft Sentinel is built on top of search jobs. Search jobs are asynchronous queries that fetch records. The results are returned to a search table that's created in your Log Analytics workspace after you start the search job. The search job uses parallel processing to run the search across long time spans, in extremely large datasets. So search jobs don't impact the workspace's performance or availability. |
| 25 | + |
| 26 | +Search results remain in a search results table that has a *_SRCH suffix. |
| 27 | + |
| 28 | +The following image shows example search criteria for a search job. |
| 29 | + |
| 30 | +:::image type="content" source="media/investigate-large-datasets/search-job-criteria.png" alt-text="Screenshot of search page with search criteria of administrator, time range last 1 year, and a table selected."::: |
| 31 | + |
| 32 | +### Supported log types |
| 33 | + |
| 34 | +Use search to find events in any of the following log types: |
| 35 | + |
| 36 | +- [Analytics logs](../azure-monitor/logs/data-platform-logs.md) |
| 37 | +- [Basic logs (preview)](../azure-monitor/logs/basic-logs-configure.md) |
| 38 | + |
| 39 | +You can also search analytics or basic log data stored in [archived logs (preview)](../azure-monitor/logs/data-retention-archive.md). |
| 40 | + |
| 41 | +### Limitations of a search job |
| 42 | + |
| 43 | +Before you start a search job, be aware of the following limitations: |
| 44 | + |
| 45 | +- Optimized to query one table at a time. |
| 46 | +- Search date range is up to one year. |
| 47 | +- Supports long running searches up to a 24-hour time-out. |
| 48 | +- Results are limited to one million records in the record set. |
| 49 | +- Concurrent execution is limited to five search jobs per workspace. |
| 50 | +- Limited to 100 search results tables per workspace. |
| 51 | +- Limited to 100 search job executions per day per workspace. |
| 52 | + |
| 53 | +To learn more, see [Search job in Azure Monitor](../azure-monitor/logs/search-jobs.md) in the Azure Monitor documentation. |
| 54 | + |
| 55 | +## Restore historical data from archived logs |
| 56 | + |
| 57 | +When you need to do a full investigation on data stored in archived logs, restore a table from the **Search** page in Microsoft Sentinel. Specify a target table and time range for the data you want to restore. Within a few minutes, the log data is restored and available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full KQL. |
| 58 | + |
| 59 | +A restored log table is available in a new table that has a *_RST suffix. The restored data is available as long as the underlying source data is available. But you can delete restored tables at any time without deleting the underlying source data. To save costs, we recommend you delete the restored table when you no longer need it. |
| 60 | + |
| 61 | +The following image shows the restore option on a saved search. |
| 62 | + |
| 63 | +:::image type="content" source="media/investigate-large-datasets/search-results-restore.png" alt-text="Screenshot of the restore link on a saved search."::: |
| 64 | + |
| 65 | +### Limitations of log restore |
| 66 | + |
| 67 | +Before you start to restore an archived log table, be aware of the following limitations: |
| 68 | + |
| 69 | + |
| 70 | +- Restore data for a minimum of two days. |
| 71 | +- Restore data more than 14 days old. |
| 72 | +- Restore up to 60 TB. |
| 73 | +- Restore is limited to one active restore per table. |
| 74 | +- Restore up to four archived tables per workspace per week. |
| 75 | +- Limited to two concurrent restore jobs per workspace. |
| 76 | + |
| 77 | +To learn more, see [Restore logs in Azure Monitor](../azure-monitor/logs/restore.md). |
| 78 | + |
| 79 | +## Bookmark search results or restored data rows |
| 80 | + |
| 81 | +Similar to the [threat hunting dashboard](hunting.md#use-the-hunting-dashboard), bookmark rows that contain information you find interesting so you can attach them to an incident or refer to them later. For more information, see [Create bookmarks](hunting.md#create-bookmarks). |
| 82 | + |
| 83 | +## Next steps |
| 84 | + |
| 85 | +- [Search across long time spans in large datasets (preview)](search-jobs.md) |
| 86 | +- [Restore archived logs from search (preview)](restore.md) |
0 commit comments