☎️
Contrxl
  • 🏡Home
  • ❓Anonymity Tools
  • ⌨️Cisco
    • Networking Basics
      • Communication in a Connected World
      • Network Components, Types and Connections
      • Wireless and Mobile Networks
      • Home Networking Technologies
      • Communication Protocols
      • Network Media
      • The Access Layer
      • The Internet Protocol
      • IPv4 and Network Segmentation
  • 💾Intune
    • ADMX Configuration
    • App Deployment
    • App Updating/Patching
    • File Deployment
    • Remediations
  • 🎓Learning Links
  • 💻Microsoft
    • 📘Microsoft Portal Links
    • Configure SIEM Security Operations using Microsoft Sentinel
      • Create and Manage Microsoft Sentinel Workspaces
        • Introduction
        • Plan for the Microsoft Sentinel Workspace
        • Create a Microsoft Sentinel Workspace
        • Manage Workspaces Across Tenants Using Azure Lighthouse
        • Understand Microsoft Sentinel Permissions and Roles
        • Manage Microsoft Sentinel Settings
        • Configure Logs
  • 📰News & Information
  • 💡OSINT
    • IP & Domain OSINT
    • Email & Username OSINT
    • Vulnerability OSINT
  • 📚Projects
    • ‼️A Simulation Study of DDoS
  • ⚒️Tools
    • Burp Suite
      • Repeater
      • Intruder
      • Other Modules
    • GoPhish
    • Hydra
    • John the Ripper
    • Metasploit
      • Exploitation
      • Meterpreter
    • NMAP
    • Wireshark
  • 🖥️TryHackMe
    • Learning Paths
      • Complete Beginner
        • 1. Complete Beginner Intro
        • 2. Linux Fundamentals
        • 3. Introductory Networking
        • 3.1 Network Exploitation Basics
        • 4. OWASP Top 10 Exploits
        • 5. Upload Vulnerabilities
        • 5.1 An Example Methodology
        • 6. Cryptography - Hashing
        • 7. Cryptography - Encryption
        • 8. Active Directory Basics
        • 9. What the Shell?
        • 10. Linux Privesc
        • 11. More Linux Privesc
      • Jr Penetration Tester
        • Walking an Application
        • Content Discovery
        • Subdomain Enumeration
        • Authentication Bypass
        • IDOR
        • File Inclusion
        • SSRF
        • XSS (Cross-site Scripting)
        • Command Injection
        • SQL Injection
        • Passive Reconnaissance
        • Active Reconnaissance
        • Protocols and Servers
        • Protocol and Server Attacks
        • Vulnerabilities
        • Exploiting Vulnerabilities
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • CompTIA Pentest+
        • Planning and Scoping
          • Pentesting Fundamentals
          • Red Team Engagements
          • Governance and Regulation
        • Tools and Code Analysis
          • Metasploit: Introduction
          • Wireshark: The Basics
          • Burp Suite: The Basics
          • Hydra
          • Python Basics
        • Attacks and Exploits
          • Phishing
          • Windows Local Persistence
          • Breaching Active Directory
          • Lateral Movement & Pivoting
Powered by GitBook
On this page
  1. Microsoft
  2. Configure SIEM Security Operations using Microsoft Sentinel
  3. Create and Manage Microsoft Sentinel Workspaces

Configure Logs

Unit 7.

Microsoft Sentinel has three primary log types:

  • Analytics Logs

  • Basic Logs

  • Archive Logs

Data in each table is retained for a specified time after which it is removed or archived with a reduced retention fee. To access archived data, it must be retrieved from an Analytics Log table using one of the following methods:

  • Search Jobs

  • Restore

Analytical Logs

All tables in a workspace are of the type Analytical Logs by default, these are available to all features of a Log Analytics workspace and any other service that uses the workspace.

Basic Logs

Certain tables can be configured as Basic Logs to reduce the cost of storing high-volume verbose logs for debugging but not analytics. Tables configured for Basic Logs have reduced features, reduced cost and are only retained for 8 days.

KQL Language Limits

Queries against Basic Logs are optimised for simple data retrieval using the following operators:

  • where

  • extend

  • project

  • project-away

  • project-keep

  • project-rename

  • project-reorder

  • parse

  • parse-where

The following isn't supported:

  • join

  • union

  • aggregates (summarise)

Tables Supporting Basic Logs

Currently the following tables can be configured for Basic Logs:

  • All tables created with the Data Collection Rule (DCR)-based custom logs API.

  • ContainerLogV2, which Container Insights uses and includes verbose text-based log records.

  • AppTraces, which contains freeform log records for application traces in Application Insights.

Configure Log Type

To adjust the log type for an eligible table, select the workspace settings from the Microsoft Sentinel Settings area. The next screen is the Log Analytics portal:

  1. Select "Tables" tab.

  2. Select the table and then ... at the end of the row.

  3. Select Manage table.

  4. Change the Table Plan.

  5. Select Save.

Configure Table Retention

  1. Select "Tables" tab.

  2. Select the table and then ... at the end of the row.

  3. Select Manage table.

  4. Change the Total Retention Period.

  5. Select Save.

Last updated 10 months ago

💻
  • Analytical Logs
  • Basic Logs
  • KQL Language Limits
  • Tables Supporting Basic Logs
  • Configure Log Type
  • Configure Table Retention