Microsoft Sentinel – Archiving Logs Guide

Last Updated: 03/03/2025

This guide covers the log archiving functionality in Microsoft Sentinel and how to configure it for your instance.

One of the key elements of setting up Microsoft Sentinel is going to be: “How long do I keep my logs for?”, and whilst there is no hard and fast answer to that question, there are a few options available to you in Microsoft Sentinel.

The Basics

Let’s get some of the basics out the way first when it comes to retention and archiving.

You have two tiers to choose from when it comes to overall data retention:

  1. Interactive Retention Tier
    1. This is your “Hot” tier and allows for interactive use of your data.
    2. The first 90 days are free of charge; retention beyond 90 days is chargeable (per GB per month).
    3. A maximum of 2 years is configurable.
    4. Configured globally for all data, or granularly at the table level.
  2. Archiving Logs Tier
    1. “Cold” tier storage; the data supports only basic interaction.
    2. Significantly cheaper than the Interactive Retention tier.
    3. Archive searches and restorations incur additional cost.
    4. A maximum of 12 years of total retention is configurable.
    5. No global setting; configured at the table level only.

As we can quickly see, each tier has pros and cons. Whilst archiving logs gives us a cheaper rate, the archived data is not interactive: to use it we need to run searches or restorations, which incur an additional cost.

Choosing the right combination of the two will all depend on:

  • Cost/Budget
  • Compliance Requirements
  • Investigation Capabilities

Interactive Retention – The “Hot” Tier

The Interactive Retention tier is responsible for holding data that will be used by the different functions in Microsoft Sentinel. Data held in this tier can be queried and reported on. Whilst the default for a Log Analytics Workspace (LAW) is set at 30 days, we can adjust this to 90 days as a LAW attached to Microsoft Sentinel will benefit from 90 days of retention free of charge.

The interactive retention can be adjusted globally (for all active tables) or can be adjusted at the table level.

To adjust this globally for the Sentinel instance, navigate to the underpinning LAW, select ‘Usage and estimated costs’, then select ‘Data Retention’.

Microsoft Sentinel Retention Setting

As noted, this will affect all tables within your Sentinel instance.

You may have a need to retain certain tables longer than others, in which case you can adjust this at the table level. To do this, navigate to the underpinning LAW, and select ‘Tables’, then select the table you want to adjust and select ‘Manage Table’.

Microsoft Sentinel Table Configuration

Adjust the ‘Interactive Retention’ to your desired amount for that table.

Note: You cannot multi-select tables and bulk change this setting. However, there is a method to bulk change these with a Cloud Shell script.

To bulk change these, please refer to my Cloud Shell script here. The first part of the script pulls a .csv file of all your tables; you can then adjust the retention amount for each table, upload the file, and bulk change the tables using the second part of the script.

Archiving – The “Cold” Tier

Archiving logs does not have a global setting that affects all tables, so configuration is limited to the table level. As when adjusting the retention period, we navigate to the underpinning LAW, select ‘Tables’, and select ‘Manage Table’ on the table we want to configure.

Microsoft Sentinel Archive Log

This time, we need to edit the ‘Total retention period’ option to configure archiving. The archive period is the ‘Total retention period’ minus the ‘Interactive retention’.

In my example, I have set the total retention to a year and the interactive retention to 90 days. That gives 275 days of archiving, making up a year of total retention.

Whilst the above configuration is simple enough to do, having to do this for more than 100 tables might be a bit…boring. If we need to do a bulk change, we can use Cloud Shell to do this.

Bulk Table Changes for Archiving Logs

The Cloud Shell script for bulk changes of archiving logs is in my GitHub here.

First off, let's identify a table to test this out. I will use the first one in my list, ‘AADNonInteractiveUserSignInLogs’.

Microsoft Sentinel Retention Tables

Next, let's open a Cloud Shell instance. Once it has loaded, let's run the first part of the script, which gives us a .csv export of all the tables and their current retention configuration.

Note: Please update the Resource Group and Workspace variables to ones appropriate for your environment.

Cloud Shell Log Analytics Workspace Table Export

Once we have run this, we can ‘download’ the file from Cloud Shell. When prompted, enter the file name and remember to include the .csv file extension.

Cloud Shell Upload Download

Once we have downloaded the file, we can modify it as needed. For my example, I removed all the tables apart from ‘AADNonInteractiveUserSignInLogs’.

Microsoft Sentinel table export

Rename the file and upload it back into Cloud Shell once you're happy with it.

Now for the second part of the script: ensure that you reference the new file and, if you are using a new Cloud Shell session, rerun the variables for the Resource Group and Workspace Name. Also adjust ‘-TotalRetentionInDays’ in the script to the value you want.

Cloud Shell Log Analytics Workspace Retention Change

The command executed successfully, and the new configuration is displayed.

I checked the table in the LAW to ensure the changes have been implemented.

Microsoft Sentinel Archive Config

Note: The commands can be used in multiple ways. My method is to pull a list of tables so I can select which ones I want to modify. You can rework it to run without downloading and uploading the .csv if you prefer. Additionally, the ‘days’ are hardcoded in the script. Feel free to use it in whichever way works for you.
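The bulk procedure above (export the tables to a .csv, edit it, upload it, apply the new values) and the earlier bulk change of interactive retention both come down to the same two Az PowerShell cmdlets, so here is one added example that covers both; it is not the author's Cloud Shell script. It assumes the Az.OperationalInsights module (present in Cloud Shell), an existing sign-in, placeholder resource group and workspace names, and that the table objects returned by Get-AzOperationalInsightsTable expose Name, RetentionInDays and TotalRetentionInDays. The day limits are derived from the guide's 2-year and 12-year maxima using 365-day years; check the Azure documentation for the exact figures.

```powershell
# Added example, not the guide's own script. Replace the placeholders below.
$ResourceGroup = '<your-resource-group>'
$WorkspaceName = '<your-workspace-name>'

# Maxima stated in the guide, expressed in days (assumption: 365-day years).
$MaxInteractiveDays = 2 * 365
$MaxTotalDays       = 12 * 365

# Archive days = total retention minus interactive retention
# (guide's example: 365 total, 90 interactive -> 275 archived).
function Get-ArchiveDays {
    param([int]$TotalRetentionInDays, [int]$RetentionInDays)
    if ($RetentionInDays -lt 0 -or $TotalRetentionInDays -lt $RetentionInDays) {
        throw "Total retention ($TotalRetentionInDays) must be >= interactive retention ($RetentionInDays)."
    }
    if ($RetentionInDays -gt $MaxInteractiveDays) {
        throw "Interactive retention $RetentionInDays exceeds the $MaxInteractiveDays-day maximum."
    }
    if ($TotalRetentionInDays -gt $MaxTotalDays) {
        throw "Total retention $TotalRetentionInDays exceeds the $MaxTotalDays-day maximum."
    }
    return $TotalRetentionInDays - $RetentionInDays
}

# Part 1: export the current retention of every table to a CSV you can edit.
function Export-TableRetention {
    param([string]$Path = './tables.csv')
    Get-AzOperationalInsightsTable -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
        Select-Object Name, RetentionInDays, TotalRetentionInDays |
        Export-Csv -Path $Path -NoTypeInformation
    Write-Host "Exported table retention to $Path"
}

# Part 2: read the edited CSV (keep only the rows you want to change) and apply
# both the interactive and total values. Run with -WhatIf first to preview.
function Set-TableRetentionFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        $interactive = [int]$row.RetentionInDays
        $total       = [int]$row.TotalRetentionInDays
        # Validates the pair before any change is sent to the workspace.
        $archive     = Get-ArchiveDays -TotalRetentionInDays $total -RetentionInDays $interactive
        $action      = "set interactive=$interactive, total=$total (archive=$archive days)"
        if ($PSCmdlet.ShouldProcess($row.Name, $action)) {
            Update-AzOperationalInsightsTable -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName `
                -TableName $row.Name -RetentionInDays $interactive -TotalRetentionInDays $total |
                Select-Object Name, RetentionInDays, TotalRetentionInDays
        }
    }
}

# Usage:
#   Export-TableRetention -Path ./tables.csv
#   (download, edit and re-upload the file as described above)
#   Set-TableRetentionFromCsv -Path ./tables-edited.csv -WhatIf
#   Set-TableRetentionFromCsv -Path ./tables-edited.csv
```

Keeping the interactive and total values in the same CSV row means one edited file can change either tier, and the validation in Get-ArchiveDays rejects a row whose total retention is shorter than its interactive retention before anything is written, which is the mistake most easily made when editing a hundred rows by hand.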

Searching & Restoring from Archive

Once data reaches the end of your “Hot” retention period, it is automatically moved to the archive. However, since archived data is no longer interactive, you cannot simply query it from the Logs section. You will instead need to use the ‘Search’ section of Microsoft Sentinel to search the archive, or restore a table into the interactive retention tier.

Microsoft Sentinel Search Archive

Note: Initiating a search and/or restore will incur an additional charge. Details on pricing are found here on the Microsoft Azure Monitor Pricing page, under ‘Search Jobs’ and ‘Restore’.

Conclusion

Hopefully this guide has been helpful to understand what archiving is, the benefits of archiving and most importantly how to implement archiving for both ad-hoc tables and doing bulk changes.

It is worth reviewing your retention and archive settings periodically to ensure that you have the right balance of data retention for your organisation's needs. And whilst archiving looks like a great way to save on retention costs, you will need to consider how often you are likely to restore and how much time that could take. In some cases, bumping up the “hot” retention is better, as it won't impede investigations in the event of a security incident.

Finally, if you haven't already, please check out my Microsoft Sentinel Cheat Sheet, a handy document that covers the key areas of Microsoft Sentinel.
