Forum Discussion
aethalin
Jun 13, 2021 - Copper Contributor
Azure Sentinel and Log Analytics retention settings change
I have been wondering about this one. Are you able to restore the logs/events if someone changes the retention settings from 365 days to 30 days in the Log Analytics workspace? If you are able to ...
CliveWatson
Jun 14, 2021 - Former Employee
1. Please contact support for the best advice.
2. Assuming you are logging "Administrative" events into the AzureActivity table (please check your diagnostic setting), then this example will get your last change:
AzureActivity
// the ARM request body is stored as a string inside Properties_d; parse it twice to reach properties.retentionInDays
| extend retentionInDays_ = tostring(parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).properties)).retentionInDays)
| where isnotempty(retentionInDays_)
// keep only the most recent write that carried a retention value
| summarize arg_max(TimeGenerated, Caller, CallerIpAddress, ActivityStatusValue, retentionInDays_, CategoryValue)
You can also check when the SKU was updated (lastSkuUpdate) if you were not logging this into the workspace, using an ARG query https://ms.portal.azure.com/#blade/HubsExtension/ArgQueryBlade
e.g.
resources
| where type =~ 'microsoft.operationalinsights/workspaces'
| extend state = trim(' ', tostring(properties.provisioningState))
,sku = trim(' ', tostring(properties.sku.name))
,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))
,retentionDays = trim(' ', tostring(properties.retentionInDays))
,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))
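The query above returns only the latest retention write. For ongoing monitoring a defender usually wants an analytics rule that fires when retention is reduced, because a reduction silently purges history the moment it is applied. The following KQL is an added example, not code from the thread or from Microsoft: it orders successful workspace writes per resource and flags any write whose retentionInDays is lower than the previous one. The OperationNameValue filter and the ActivityStatusValue of "Success" are assumptions about how the Activity log records the write; verify them against your own AzureActivity data before scheduling the rule.

```kusto
// Added example: alert on Log Analytics retention reductions (assumed operation/status names)
AzureActivity
| where CategoryValue == "Administrative"
// assumption: workspace PUT/PATCH calls are recorded under this operation name
| where OperationNameValue =~ "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/WRITE"
// assumption: only completed writes carry a "Success" status; drop "Start" records
| where ActivityStatusValue =~ "Success"
| extend body = parse_json(tostring(Properties_d.requestbody))
| extend newRetention = toint(body.properties.retentionInDays)
| where isnotempty(newRetention)
| project TimeGenerated, Caller, CallerIpAddress, _ResourceId, newRetention
// serialize per workspace so prev() compares consecutive writes to the same resource
| sort by _ResourceId asc, TimeGenerated asc
| extend prevRetention = prev(newRetention), prevResource = prev(_ResourceId)
| where _ResourceId == prevResource and newRetention < prevRetention
| project TimeGenerated, _ResourceId, Caller, CallerIpAddress, prevRetention, newRetention
```

Run it over a 90-day window to back-fill a baseline, then schedule it with a short lookback as a Sentinel analytics rule; pairing it with the ARG query (which shows the current retentionInDays regardless of whether Activity logs were collected) lets you confirm the live setting against the last logged change.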