I am a Sentinel Dumby! But I can share fragments of hard-won knowledge! So this Sentinel Dumby series* will hopefully help explain things I think I know!
What you really need to know about Log Analytics for Microsoft Sentinel in September 2023 (and very little else!):
Microsoft Sentinel runs “on top” of a Log Analytics workspace
It’s a UI plus analytics rules, functions, services and other bits, layered on top of the Log Analytics workspace (LAW)
Data within the LAW is “native” to it - outside is harder to get to
Records get added to Log Analytics tables, and are retained until they expire
Records can be Interactive - query-able live - for up to 2 years
Sentinel pricing includes 90 days of retention but doesn’t set the workspace for that automatically
Records can then be Archived - non-interactive but Search-or-Restore-able - for up to 7 years in total
Retention can be set per table as well as at the workspace level (the table setting overrides the workspace default)
Records are ~immutable once added
If you appear to be changing, deleting or updating something stored in Log Analytics, you’re really adding a newer record with different properties!
Check out the SecurityIncident table for a good example:
SecurityIncident | order by TimeGenerated, IncidentName
Expand them, and note that each newer version changes a property or two each time…
And note that if you take the latest version of any record, it reflects current reality (reasonably quickly - there can be UI-facing services and caching etc. in the way)
SecurityIncident | summarize arg_max(TimeGenerated,*) by IncidentName | order by LastModifiedTime
Note above that LastModifiedTime is a metadata property and is unrelated to TimeGenerated… (ghostly) woooooo oooooo ooooo (spooky oooo)….
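Building on the two queries above, here is an added example (not from the original post) that uses the same append-only behaviour to compare the first version of each incident with its latest one and count how many versions were written. It assumes only the standard SecurityIncident columns IncidentName, Title, Status, Severity, TimeGenerated and LastModifiedTime.

```kql
// First version of each incident: arg_min picks the row with the earliest TimeGenerated
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_min(TimeGenerated, Status) by IncidentName
| project IncidentName, FirstWritten = TimeGenerated, FirstStatus = Status
// Latest version of each incident, plus a count of how many versions were appended
| join kind=inner (
    SecurityIncident
    | where TimeGenerated > ago(30d)
    | summarize Versions = count(),
                arg_max(TimeGenerated, Status, Severity, Title, LastModifiedTime)
      by IncidentName
  ) on IncidentName
// Keep only incidents whose Status moved between the first and latest version
| where FirstStatus != Status
| project IncidentName, Title, Severity, Versions,
          FirstWritten, FirstStatus,
          LatestWritten = TimeGenerated, LatestStatus = Status, LastModifiedTime
| order by LastModifiedTime desc
```

Drop the `where FirstStatus != Status` line to see every incident, including those still sitting at their original status after several appended versions.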