Friday, March 4, 2022

FAQ: Search, Basic Ingestion, Archive, and Data Restoration

With such a large and exciting suite of features introduced to Microsoft Sentinel, we anticipate many questions. Please see some common questions below and feel free to add more questions to the discussion at the bottom of the page!


Learning Materials:

Feature Documents
Search

Search jobs in Azure Monitor (Preview) - Azure Monitor | Microsoft Docs

Search across long time spans in large datasets - Microsoft Sentinel | Microsoft Docs

Log Restore

Restore logs in Azure Monitor (Preview) - Azure Monitor | Microsoft Docs 

Restore archived logs from search - Microsoft Sentinel | Microsoft Docs

Basic Logs Ingestion

Configure Basic Logs in Azure Monitor (Preview) - Azure Monitor | Microsoft Docs

https://docs.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-overview

Archived Logs

Configure data retention and archive in Azure Monitor Logs (Preview) - Azure Monitor | Microsoft Docs


Pricing

What are some of the links for Microsoft Sentinel pricing resources?


Search

1. When should I use the Search experience instead of regular KQL queries?

Regular KQL queries only support searching log data within the standard interactive retention period of the workspace, or within the first 8 days of log data for tables on the Basic Logs plan. Searches using regular KQL queries are subject to a 10-minute timeout, making them less than ideal for searches across massive data volumes. KQL queries are ideal for interactive searches across smaller data volumes.

The Sentinel search experience supports searching across multiple log plans within a single search job (Analytics, Basic, and/or Archived). Sentinel Search breaks a single search up into multiple parallel jobs and has a 24-hour timeout, making it ideal for searches across massive data volumes. (See the workspace overview documentation for more information on the different log plans.)


2. When should I use Search instead of Log Restore?

Microsoft Sentinel search is best used for searches that return log events matching a search term. Log Restore is built for restoring large chunks of log data, or log events from a single specified table, without the need to specify a search term.


3. Why should I use Archived Logs with Sentinel Search vs. Continuous Data Export to Azure Data Explorer?

Using Search and Archived Logs allows for a simplified, maintenance-free architecture while providing low-cost archive storage within the same Log Analytics workspace. Using Continuous Data Export with Azure Data Explorer adds development and maintenance overhead for hosting the services that enable this integration.


4. How long are Search and Restore tables kept in my workspace?

The tables that are created inherit the interactive retention settings of the workspace. If the workspace is set to 90 days, then the tables will be retained for 90 days. Restored tables are available for as long as you need them and are billed per hour until they are deleted.


5. If I have a table configured for Basic Logs, what is the difference between a search job or a query on that table?

A query on a Basic Log table is a single synchronous operation that uses a subset of the KQL language. A search job on a Basic Log table is a distributed asynchronous operation using the same KQL subset language.


6. Will I be charged when performing searches via the Sentinel Search UX on logs enabled for Basic Logs or Archived Logs?

At the current time in the preview, no, you will not be charged for searches. In the future, search jobs will be charged at 0.005/GB of Basic and Archived log data scanned. Since the search results are re-ingested into the workspace, there will also be a small charge for the ingestion of the search results at the regular Analytics Logs ingestion rates.


7. Can a Search job search across multiple tables at one time?

Not at this time, but search across multiple tables is on the roadmap.


8. How will Search handle RBAC on tables?

Search will honor the RBAC of tables set within the workspace. If a user without read permissions generates a Search job, they will not get results. Separate RBAC roles for Search and Log Restoration are on the feature roadmap.


9. Are there any tables that are not supported for Search?

No, each table within the workspace is eligible for Search jobs.


Basic Logs Ingestion

1. Are there any restrictions on what data can be configured for Basic Logs?

At this time, the following tables can be configured for Basic Logs: AppTraces, ContainerLog, and any Custom Log (requires migration to DCR-based custom logs). See the link above for more information on the new DCR-based custom logs.


2. Can I convert a table from the Basic Logs to Analytics Logs and vice versa?

Yes, a table can be switched between the Analytics Logs and Basic Logs ingestion plans in either direction. Please note that the table ingestion plan can only be modified once per week.


3. How can Basic Logs be used by customers?

Basic Logs are accessible via a limited subset of KQL for 8 days after ingestion, through interactive queries, the query API, and the new Search UX. Data from Basic Logs can be used for investigation, IOC search, ad hoc queries, and as part of Logic App playbook automation. Beyond the initial 8 days, Basic Logs can be configured as Archived Logs and are accessible via the new Search experience. Official documentation for Basic Logs use cases will be available soon.


4. What is the difference between a search job and a query on Basic Logs?

Interactive queries use a limited KQL experience in the portal. Search uses the new search job concept, which performs an asynchronous search job and returns the results to a table within the Log Analytics workspace.


5. Is the latency of Basic Logs queries the same as that of Analytics Logs queries?

In most cases the difference in latency will not be noticeable, but there is a chance that the query duration on a Basic Logs table will be slightly longer than for an identical query on an Analytics Logs table.


6. If I have tables enabled for Basic Logs in my workspace, does Sentinel charge for these logs?

Yes. Sentinel charges for tables enabled for Basic Logs ingestion. Basic Logs cannot be excluded from the Sentinel charge.


7. Can Basic Logs be used for analytics rules?

No, Basic Logs are not supported for either Azure Monitor Alerts or Microsoft Sentinel detections.


8. Do Basic Logs support ingestion-time transformations?

Yes. For more information, see here.


Archived Logs and Log Restore

1. Are there any restrictions as to which tables can be archived?

No. Any table in the workspace can be set to archive storage for up to 7 years.


2. Is there a way to configure Archived Logs so that any future tables created within a workspace are automatically archived?

Not at this time. Archived Logs can currently only be configured on existing tables, as the setting applies on a per-table basis.


3. Can logs be configured to be sent straight to Archive?

Currently, logs must be ingested using the Basic Logs or Analytics Logs plan before the log data can be archived.


4. Can different tables have different retention policies or types?

Yes, tables can be configured with retention settings that differ from the workspace default and from each other. Please note that if a table is given its own retention setting, the default workspace retention remains unchanged.
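Several of the answers above state constraints on table plans and retention: Basic Logs are queryable interactively for 8 days (Basic Logs Q3), the ingestion plan can change only once per week (Basic Logs Q2), archive can be kept for up to 7 years (Archived Logs Q1), and retention is set per table (Archived Logs Q4). The following Python, added here and not taken from the post or from Microsoft, encodes those constraints as a pre-flight check that runs before a table update is sent; the request property names (plan, retentionInDays, totalRetentionInDays) are assumed to match the Azure Monitor Tables REST API and should be verified against current documentation.

```python
"""Pre-flight check for an Azure Monitor table plan/retention change.
Added example, not code from the post or from Microsoft.  The property
names in the returned body are an assumption about the Tables REST API."""
from datetime import datetime, timedelta, timezone
from typing import Optional

BASIC_INTERACTIVE_DAYS = 8                 # Basic Logs: 8 days of interactive queries
MAX_TOTAL_RETENTION_DAYS = 7 * 365         # archive is limited to 7 years
PLAN_CHANGE_COOLDOWN = timedelta(days=7)   # plan may change only once per week


def config_error(plan: str, interactive_days: int, total_days: int,
                 current_plan: Optional[str] = None,
                 last_plan_change: Optional[datetime] = None,
                 now: Optional[datetime] = None) -> Optional[str]:
    """Return a reason the change would be rejected, or None if it looks valid."""
    if plan not in ("Analytics", "Basic"):
        return f"unknown plan {plan!r}"
    if plan == "Basic" and interactive_days != BASIC_INTERACTIVE_DAYS:
        return "Basic Logs are queryable interactively for exactly 8 days"
    if total_days < interactive_days:
        return "total retention cannot be shorter than interactive retention"
    if total_days > MAX_TOTAL_RETENTION_DAYS:
        return "archive retention is limited to 7 years"
    # Switching plans is rate-limited: once per week per table.
    if current_plan and plan != current_plan and last_plan_change is not None:
        now = now or datetime.now(timezone.utc)
        if now - last_plan_change < PLAN_CHANGE_COOLDOWN:
            return "plan was already changed less than a week ago"
    return None


def table_config(plan: str, interactive_days: int, total_days: int,
                 current_plan: Optional[str] = None,
                 last_plan_change: Optional[datetime] = None,
                 now: Optional[datetime] = None) -> dict:
    """Build the per-table request body, raising ValueError on a bad change."""
    err = config_error(plan, interactive_days, total_days,
                       current_plan, last_plan_change, now)
    if err:
        raise ValueError(err)
    return {"properties": {"plan": plan,                       # assumed key
                           "retentionInDays": interactive_days,  # assumed key
                           "totalRetentionInDays": total_days}}  # assumed key


if __name__ == "__main__":
    # Constructed input: move ContainerLog to Basic Logs with one year of archive.
    print(table_config("Basic", 8, 365, current_plan="Analytics"))
```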


5. Is Azure Data Explorer (ADX) or Azure Blobs used for Archived Log retention?

No. With Archived Logs, Search, and Log Restore, logs no longer need to be exported to other services for long-term retention. The logs can be archived, searched, or restored when needed while the data remains within the workspace the whole time.


6. Is there a comparison between archiving logs in Archived Logs vs. ADX?

Here is a sample comparison for an actual customer with 3TB ingest a day:

[Images: comparison of Archived Logs vs. ADX for this customer; not reproduced in text]

As mentioned, if there are any other questions, please add them to the discussion below and we will be happy to answer them!

Posted at https://sl.advdat.com/3sEYdoK