A Log Analytics workspace is an Azure resource in which logs are collected and stored for analysis and retention. Logs from various sources can be piped into the workspace, and it is one of the crucial components of Microsoft Sentinel.
A Log Analytics workspace serves as the centralised repository for the logs. The logs are piped in using connectors and agents. A retention policy can be set on the workspace to meet compliance requirements. The stored logs are then analysed using Kusto Query Language (KQL), which is used to query and filter the data to identify patterns, anomalies and potential threats in the environment. In addition to log storage, Log Analytics workspaces offer dashboards and data visualisation options built on queries and metrics.
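As an added example (not part of the original page), the following KQL query illustrates the kind of anomaly detection described above. It assumes the Microsoft Entra ID connector is enabled so that the `SigninLogs` table exists, and compares the last hour's failed sign-ins per source IP against that IP's hourly baseline over the previous seven days.

```kql
// Added example, not from the original page.
// Assumes the SigninLogs table (Microsoft Entra ID sign-in connector).
// In SigninLogs, ResultType "0" is a successful sign-in; anything else is a failure.
let baseline =
    SigninLogs
    | where TimeGenerated between (ago(7d) .. ago(1h))
    | where ResultType != "0"
    // hourly failure counts per IP; hours with no failures produce no row,
    // so the average is over active hours only (a conservative baseline)
    | summarize HourlyFailures = count() by IPAddress, Hour = bin(TimeGenerated, 1h)
    | summarize BaselineAvg = avg(HourlyFailures), BaselineMax = max(HourlyFailures) by IPAddress;
let recent =
    SigninLogs
    | where TimeGenerated > ago(1h)
    | where ResultType != "0"
    | summarize RecentFailures = count(), TargetUsers = dcount(UserPrincipalName) by IPAddress;
recent
| join kind=leftouter baseline on IPAddress
// IPs never seen before have no baseline row; treat their baseline as zero
| extend BaselineAvg = coalesce(BaselineAvg, 0.0), BaselineMax = coalesce(BaselineMax, 0)
// flag IPs with at least 10 failures in the last hour AND more than 3x their usual rate
| where RecentFailures >= 10 and RecentFailures > 3 * BaselineAvg
| project IPAddress, RecentFailures, TargetUsers, BaselineAvg, BaselineMax
| order by RecentFailures desc
```

The thresholds (10 failures, 3x baseline) are illustrative and should be tuned to the environment; a high `TargetUsers` count alongside a high `RecentFailures` count is the typical password-spray shape an analyst would then investigate.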
Log Analytics can be integrated with Microsoft Sentinel and with Microsoft Defender for Cloud. Sentinel uses the data stored in Log Analytics workspaces for analysis, threat detection, threat hunting and incident investigation.
To create a Log Analytics workspace, search for Sentinel in the Azure portal and create Microsoft Sentinel. Note that to enable Microsoft Sentinel, Microsoft Sentinel Contributor permissions are required at the resource group level. First we need to add a Log Analytics workspace: we can either select one of the existing Log Analytics workspaces or create a new one.
Once the Log Analytics workspace is created, the Sentinel dashboard is ready.
Microsoft Sentinel Roles
Data retention settings are defined under Log Analytics Workspace -> Settings -> Usage and estimated costs -> Data Retention.
The default data retention is 31 days. We can change it according to the organisation's policy; longer data retention results in additional charges.