Table Data Retention


Hi,

Can you control/set the data retention for different tables? Thinking we need to control ThreatIntelligenceIndicator and be able to reduce/increase at regular intervals.

Regards,

Tim

3 Replies
ThreatIntelligenceIndicator is a special table. My understanding is that the time generated value is updated regularly to support the 14-day lookback limit on the analytic rules. You should be able to store values in this table up to the record expiration date. You can set table-level retention but it would not be necessary in this case. https://cloudadministrator.net/2019/10/16/set-per-table-retention-in-log-analytics-via-arm-template/
Thanks Andrew for that. Plus, is there a way of clearing the ThreatIntelligenceIndicator table, as we would like to start with a new TI source and in theory start again with out TI data...
Your TI analytic rules ignore duplicate and expired entries. You could just add new indicators knowing the old will be groomed when expired and will not impact new entries. I would just add new.

You could manually delete entries using the new Threat Intelligence view if you don't have a large number to remove.

For larger tables there is a purge option: https://docs.microsoft.com/en-us/rest/api/loganalytics/workspacepurge/purge
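
The two operations mentioned in this thread (table-level retention and the workspace purge), shown as the Azure Resource Manager REST requests they correspond to. This is an added example, not code posted by anyone in the thread; it only builds the requests and does not send them. The subscription, resource group and workspace names are constructed placeholders, and the `api-version` defaults are assumptions to check against the current API reference.

```python
import json
from datetime import datetime, timezone

ARM = "https://management.azure.com"

def _workspace_path(sub, rg, ws):
    return (f"{ARM}/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{ws}")

def table_retention_request(sub, rg, ws, table, days, api_version="2022-10-01"):
    """PATCH that sets retention for one table; -1 reverts to the workspace default."""
    if days != -1 and not 4 <= days <= 730:
        raise ValueError("retentionInDays must be 4-730, or -1 for workspace default")
    return {
        "method": "PATCH",
        "url": f"{_workspace_path(sub, rg, ws)}/tables/{table}?api-version={api_version}",
        "body": {"properties": {"retentionInDays": days}},
    }

def purge_request(sub, rg, ws, table, before, api_version="2020-08-01"):
    """POST that purges rows of one table with TimeGenerated earlier than `before`."""
    if before.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the cut-off is unambiguous")
    # The filter value is sent as a UTC timestamp.
    cutoff = before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return {
        "method": "POST",
        "url": f"{_workspace_path(sub, rg, ws)}/purge?api-version={api_version}",
        "body": {"table": table,
                 "filters": [{"column": "TimeGenerated", "operator": "<",
                              "value": cutoff}]},
    }

if __name__ == "__main__":
    # Constructed placeholder identifiers, not real resources.
    ids = ("00000000-0000-0000-0000-000000000000", "rg-sentinel", "ws-sentinel")
    for req in (table_retention_request(*ids, "ThreatIntelligenceIndicator", 90),
                purge_request(*ids, "ThreatIntelligenceIndicator",
                              datetime(2020, 10, 1, tzinfo=timezone.utc))):
        print(req["method"], req["url"])
        print(json.dumps(req["body"], indent=2))
```

Each request is sent with an Azure AD bearer token for the management endpoint. The purge call is accepted asynchronously and the deleted rows cannot be recovered, so run the same filter as a query first to confirm what it matches.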