Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Azure Sentinel and Log Analytics retention settings change

Copper Contributor

I have been wondering about this one.  Are you able to restore the logs/events, If someone changes the retention settings from 365 days to 30 days in the Log Analytics workspace?  If you are able to restore these logs, how far back can you retrieve these logs? 

 

Are there any automated processes which can cause a retention period to change?

 

Is there a way to alert on the retention settings being changed in Log Analytics?  I have been testing in my personal environment, but it doesn't seem to be creating a Azure  Activity Log for this action. 

1 Reply
1. Please contact support for the best advise
2. Assuming you are logging "Administrative" events into the AzureActivity table (please check your diagnostic setting), then this example will get your last change

AzureActivity
| extend retentionInDays_ = tostring(parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).properties)).retentionInDays)
| where isnotempty( retentionInDays_)
| summarize arg_max(TimeGenerated,Caller, CallerIpAddress,ActivityStatusValue, retentionInDays_, CategoryValue)

You can also check when the SKU was updated (lastSKUupdate) if you were not logging this into the workspace, using an ARG query https://ms.portal.azure.com/#blade/HubsExtension/ArgQueryBlade

e.g.

resources
| where type =~ 'microsoft.operationalinsights/workspaces'
| extend state = trim(' ', tostring(properties.provisioningState))
,sku = trim(' ', tostring(properties.sku.name))
,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))
,retentionDays = trim(' ', tostring(properties.retentionInDays))
,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))