Basic logs in Log Analytics (Azure Monitor Logs) are conceptually interesting:
They cost about 1/5 of regular Analytics logs to ingest (Analytics is the default mode)
They only live for 8 days before either evaporating or moving to the Archive tier
They’re not directly usable with Sentinel’s detection logic (analytics rules)
Primary use-cases are Search-and-hunt, enrichment, and compliance*
So: they’re potentially interesting for storage of large high-volume low-value security logs.
You can convert custom tables to Basic logs using Log Analytics’ Tables interface. The same Data Collection Rule (DCR) you’d use with a “real” log can be used to send data to a Basic log as well (no change at the DCR needed).
But then…
Once you’re populating your Basic table with data, you’ll need to sort out:
the notional workflow you’re going to use with these logs
And actually try it!
For example:
Queries have to be pretty basic! There’s a list of allowed operators here.
No “order by”, “top” or “summarize” is possible… and they’re pretty useful
“where” works. We like “where”. And parsing. So specifics can be extracted.
… but it’s basically (ha) 4 operators and variations
Enrichment Playbooks (i.e. Logic Apps) or other programs/functions could be constructed to automatically pull useful data from a Basic log - most likely based on detections in Analytics logs - and populate a custom Analytics table with the result set for hunting (or more advanced KQL activities)
Search Jobs can be run interactively to locate useful batches of information (e.g. everything with this IP address in this time range, Archived logs included) and save the results into an Analytics Search Table (ChosenNameHere_SRCH) for later interactive hunting
But again: try it before committing to it. No sorting, no summaries, no TI Map rules… you need a good use-case**.
Big savings, but you build your capability around it.
*if you wish, you can read “we just need to store these logs because someone said so and we never look at them and they’re fine in the Archive tier as long as we can search them back out if we ever need them” for “compliance” :)
** see *