Configure data retention for logs in Microsoft Sentinel or Azure Monitor (2024)

Table of Contents
In this article Prerequisites Set the retention policy for a table Review interactive and total retention policies Clean up resources Next steps
  • Article

In this tutorial, you'll set a retention policy for a table in your Log Analytics workspace that you use for Microsoft Sentinel or Azure Monitor. These steps allow you to keep older, less used data in your workspace at a reduced cost.

Retention policies in a Log Analytics workspace define when to transition old records in data tables in the workspace to the low-cost, minimal-access long-term retention (formerly known as archive) state. By default, all tables in your workspace inherit the workspace's interactive retention setting and have no long-term retention (archive) policy. You can modify the interactive and long-term retention policies of individual tables, except for workspaces in the legacy Free Trial pricing tier.

In this tutorial, you learn how to:

  • Set the retention policy for a table
  • Review interactive and long-term retention policies

Prerequisites

To complete the steps in this tutorial, you must have the following resources and roles.

See Also
Windows 10 System and Security Logs: A Beginner’s GuideHow To Store Logs Outside & Keep Them Dry Throughout WinterWatchlists in Microsoft Sentinel - Microsoft SentinelWhy Is a SQL Log File Huge and How Should I Deal with It?

  • Azure account with an active subscription. Create an account for free.

  • Azure account with the following roles:

    Built-in RoleScopeReason
    Log Analytics ContributorAny of
    • Subscription
    • Resource group
    • Table
    		To set retention policy on tables in Log Analytics

  • Log Analytics workspace.

Set the retention policy for a table

In your Log Analytics workspace, change the interactive retention policy of the SecurityEvent table from the workspace default of 90 days to 180 days, and the total retention policy to 3 years. The total retention period is the sum of the interactive and long-term (archive) retention periods.

  1. Sign in to the Azure portal.

  2. In the Azure portal, search for and open Log Analytics workspaces.

  3. Select the appropriate workspace.

    See Also
    Discover SIEM-log | 4 key takeaways | Sumo Logic | Sumo Logic

  4. Under Settings, select Tables.

  5. Find the SecurityEvent table in the list, and open the context menu (...).

  6. Select Manage table.

    Configure data retention for logs in Microsoft Sentinel or Azure Monitor (1)

  7. Under Data retention settings, enter the following values.

    FieldValue
    Interactive retention180 days
    Total retention period3 years

    Configure data retention for logs in Microsoft Sentinel or Azure Monitor (2)

    See that the time graph shows that the long-term retention period equals the total retention period in days minus the interactive retention period in days. In this case, 915 days, or 2.5 years.

  8. Select Save.

Review interactive and total retention policies

On the Tables page for the table you updated, review the field values for Interactive retention and Total retention.

Configure data retention for logs in Microsoft Sentinel or Azure Monitor (3)

Clean up resources

No resources were created but you might want to restore the data retention settings you changed.

Next steps

Configure data retention for logs in Microsoft Sentinel or Azure Monitor (2024)
Top Articles
What Is the True Cost of Living in Seattle?
Got $5,000? These 3 Growth Stocks Are Cheap Buys Right Now. | The Motley Fool
Best Big Jumpshot 2K23
Visitor Information | Medical Center
Mate Me If You May Sapir Englard Pdf
Valley Fair Tickets Costco
Wellcare Dual Align 129 (HMO D-SNP) - Hearing Aid Benefits | FreeHearingTest.org
Comcast Xfinity Outage in Kipton, Ohio
Unlocking the Enigmatic Tonicamille: A Journey from Small Town to Social Media Stardom
David Packouz Girlfriend
Skip The Games Norfolk Virginia
Becky Hudson Free
Indiana Immediate Care.webpay.md
Builders Best Do It Center
Mephisto Summoners War
London Ups Store
25Cc To Tbsp
Nhl Wikia
Fraction Button On Ti-84 Plus Ce
Georgetown 10 Day Weather
Daytonaskipthegames
The EyeDoctors Optometrists, 1835 NW Topeka Blvd, Topeka, KS 66608, US - MapQuest
12 Facts About John J. McCloy: The 20th Century’s Most Powerful American?
Boise Craigslist Cars And Trucks - By Owner
Scripchat Gratis
Kabob-House-Spokane Photos
Annapolis Md Craigslist
Hannah Jewell
Purdue Timeforge
Devotion Showtimes Near The Grand 16 - Pier Park
Myra's Floral Princeton Wv
Craigslist Maryland Baltimore
Wcostream Attack On Titan
Manuel Pihakis Obituary
2487872771
Palmadise Rv Lot
Minecraft Jar Google Drive
Reli Stocktwits
El agente nocturno, actores y personajes: quién es quién en la serie de Netflix The Night Agent | MAG | EL COMERCIO PERÚ
School Tool / School Tool Parent Portal
Daily Times-Advocate from Escondido, California
Dee Dee Blanchard Crime Scene Photos
Bill Manser Net Worth
Gregory (Five Nights at Freddy's)
Charli D'amelio Bj
Port Huron Newspaper
Dyi Urban Dictionary
Bonecrusher Upgrade Rs3
Www Pig11 Net
Craigslist Marshfield Mo
Mytmoclaim Tracking
Solving Quadratics All Methods Worksheet Answers
Latest Posts
Why Was School Created?
Google Drive vs OneDrive 2024 - Which is Better?
Article information

Author: Annamae Dooley

Last Updated:

Views: 6155

Rating: 4.4 / 5 (45 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Annamae Dooley

Birthday: 2001-07-26

Address: 9687 Tambra Meadow, Bradleyhaven, TN 53219

Phone: +9316045904039

Job: Future Coordinator

Hobby: Archery, Couponing, Poi, Kite flying, Knitting, Rappelling, Baseball

Introduction: My name is Annamae Dooley, I am a witty, quaint, lovely, clever, rich, sparkling, powerful person who loves writing and wants to share my knowledge and understanding with you.