Microsoft Tech Community

Table Data Retention


Hi,

Can you control/set the data retention for different tables? Thinking we need to control ThreatIntelligenceIndicator and be able to reduce/increase at regular intervals.

Regards,

Tim

3 Replies
ThreatIntelligenceIndicator is a special table. My understanding is that the time generated value is updated regularly to support the 14-day lookback limit on the analytic rules. You should be able to store values in this table up to the record expiration date. You can set table-level retention but it would not be necessary in this case. https://cloudadministrator.net/2019/10/16/set-per-table-retention-in-log-analytics-via-arm-template/
Thanks Andrew for that. Plus is there a way of clearing the ThreatIntelligenceIndicator table as we would like to start with a new TI source and in theory start again with out TI data...

Your TI analytic rules ignore duplicate and expired entries. You could just add new indicators knowing the old will be groomed when expired and will not impact new entries. I would just add new.

You could manually delete entries using the new Threat Intelligence view if you don't have a large number to remove.

For larger tables there is a purge option: https://docs.microsoft.com/en-us/rest/api/loganalytics/workspacepurge/purge
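The two management calls the replies mention (per-table retention and workspace purge), sketched as an added example that is not part of the thread or of Microsoft's documentation. It only builds the requests and sends nothing. The API versions, the helper names and the subscription, resource group and workspace identifiers are assumptions or constructed placeholders; check them against the current REST reference before use.

```python
import json
from urllib.parse import quote

ARM = "https://management.azure.com"
# API versions are assumptions of this example; confirm against current docs.
TABLES_API = "2022-10-01"
PURGE_API = "2020-08-01"


def _workspace_path(sub, rg, ws):
    # Resource ID of the Log Analytics workspace behind Sentinel.
    return (f"/subscriptions/{quote(sub)}/resourceGroups/{quote(rg)}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{quote(ws)}")


def retention_request(sub, rg, ws, table, days):
    """Build (method, url, body) that sets retention for one table."""
    # Table retention accepts 4-730 days; -1 reverts to the workspace default.
    if days != -1 and not 4 <= days <= 730:
        raise ValueError("retentionInDays must be -1 or between 4 and 730")
    url = (f"{ARM}{_workspace_path(sub, rg, ws)}/tables/{quote(table)}"
           f"?api-version={TABLES_API}")
    return "PATCH", url, json.dumps({"properties": {"retentionInDays": days}})


def purge_request(sub, rg, ws, table, filters):
    """Build (method, url, body) for a workspace purge of one table."""
    # Refuse an unfiltered purge so a typo cannot target every row.
    if not filters:
        raise ValueError("purge needs at least one (column, operator, value)")
    body = {"table": table,
            "filters": [{"column": c, "operator": op, "value": v}
                        for c, op, v in filters]}
    url = f"{ARM}{_workspace_path(sub, rg, ws)}/purge?api-version={PURGE_API}"
    return "POST", url, json.dumps(body)


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real resources.
    ids = ("00000000-0000-0000-0000-000000000000", "rg-sentinel", "ws-sentinel")
    for req in (
        retention_request(*ids, "ThreatIntelligenceIndicator", 90),
        purge_request(*ids, "ThreatIntelligenceIndicator",
                      [("TimeGenerated", "<", "2020-01-01T00:00:00")]),
    ):
        print(*req, sep="\n", end="\n\n")
```

A purge is asynchronous and cannot be undone, so the retention change is the safer first step when the goal is only to shorten how long old indicators are kept.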