Start an investigation by searching large datasets - Microsoft Sentinel (2024)

Table of Contents
In this article Search large datasets Supported log types Limitations of a search job Restore historical data from archived logs Limitations of log restore Bookmark search results or restored data rows Next steps
  • Article
  • Applies to:
    Microsoft Sentinel in the Azure portal, Microsoft Sentinel in the Microsoft Defender portal

One of the primary activities of a security team is to search logs for specific events. For example, you might search logs for the activities of a specific user within a given time-frame.

In Microsoft Sentinel, you can search across long time periods in extremely large datasets by using a search job. While you can run a search job on any type of log, search jobs are ideally suited to search logs in a long-term retention (formerly known as archive) state. If you need to do a full investigation on such data, you can restore that data into an interactive retention state—like your regular Log Analytics tables— to run high performing queries and deeper analysis.

Important

See Also
Geographical availability and data residency in Microsoft SentinelSentinel & Log Analytics - Where is my Data?New Blog Post | The Basic Logs for Microsoft Sentinel KQL LimitationsChoosing an Appropriate Retention Period for Microsoft Sentinel Workspaces

Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Search large datasets

Use a search job when you start an investigation to find specific events in logs within a given time frame. You can search all your logs to find events that match your criteria and filter through the results.

Search in Microsoft Sentinel is built on top of search jobs. Search jobs are asynchronous queries that fetch records. The results are returned to a search table that's created in your Log Analytics workspace after you start the search job. The search job uses parallel processing to run the search across long time spans, in extremely large datasets. So search jobs don't impact the workspace's performance or availability.

Search results are stored in a table named with a _SRCH suffix.

The following image shows example search criteria for a search job.

Start an investigation by searching large datasets - Microsoft Sentinel (1)

See Also
two disadvantages of Microsoft sentinel using

Supported log types

Use search to find events in any of the following log types:

  • Analytics logs
  • Basic logs
  • Auxiliary logs

You can also search analytics or basic log data stored in long-term retention.

Limitations of a search job

Before you start a search job, be aware of the following limitations:

  • Optimized to query one table at a time.
  • Search date range is up to seven years.
  • Supports long running searches up to a 24-hour time-out.
  • Results are limited to one million records in the record set.
  • Concurrent execution per user is limited to five search jobs per workspace.
  • Limited to 100 search results tables per workspace.
  • Limited to 100 search job executions per day per workspace.

Search jobs aren't currently supported for the following workspaces:

  • Customer-managed key enabled workspaces
  • Workspaces in the China East 2 region

To learn more, see Search job in Azure Monitor in the Azure Monitor documentation.

Restore historical data from archived logs

When you need to do a full investigation on data stored in archived logs, restore a table from the Search page in Microsoft Sentinel. Specify a target table and time range for the data you want to restore. Within a few minutes, the log data is restored and available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full KQL.

A restored log table is available in a new table that has a *_RST suffix. The restored data is available as long as the underlying source data is available. But you can delete restored tables at any time without deleting the underlying source data. To save costs, we recommend you delete the restored table when you no longer need it.

The following image shows the restore option on a saved search.

Start an investigation by searching large datasets - Microsoft Sentinel (2)

Limitations of log restore

Before you start to restore an archived log table, be aware of the following limitations:

  • Restore data for a minimum of two days.
  • Restore data more than 14 days old.
  • Restore up to 60 TB.
  • Restore is limited to one active restore per table.
  • Restore up to four archived tables per workspace per week.
  • Limited to two concurrent restore jobs per workspace.

To learn more, see Restore logs in Azure Monitor.

Bookmark search results or restored data rows

Similar to the threat hunting dashboard, bookmark rows that contain information you find interesting so you can attach them to an incident or refer to them later. For more information, see Create bookmarks.

Next steps

  • Search across long time spans in large datasets
  • Restore archived logs from search
Start an investigation by searching large datasets - Microsoft Sentinel (2024)
Top Articles
[Step-by-Step] How to Sync Outlook with OneDrive?
Understanding the Difference between RBAC Roles and Azure AD Roles
Chs.mywork
San Angelo, Texas: eine Oase für Kunstliebhaber
It may surround a charged particle Crossword Clue
Faridpur Govt. Girls' High School, Faridpur Test Examination—2023; English : Paper II
Usborne Links
THE 10 BEST River Retreats for 2024/2025
Big Y Digital Coupon App
Skip The Games Norfolk Virginia
Monticello Culver's Flavor Of The Day
MADRID BALANZA, MªJ., y VIZCAÍNO SÁNCHEZ, J., 2008, "Collares de época bizantina procedentes de la necrópolis oriental de Carthago Spartaria", Verdolay, nº10, p.173-196.
Dark Souls 2 Soft Cap
Culver's Flavor Of The Day Monroe
Myunlb
414-290-5379
Robert Malone é o inventor da vacina mRNA e está certo sobre vacinação de crianças #boato
Binghamton Ny Cars Craigslist
Kris Carolla Obituary
Theresa Alone Gofundme
Craigslist Portland Oregon Motorcycles
TBM 910 | Turboprop Aircraft - DAHER TBM 960, TBM 910
Craigslist Sparta Nj
Sprinkler Lv2
Forum Phun Extra
St. Petersburg, FL - Bombay. Meet Malia a Pet for Adoption - AdoptaPet.com
Self-Service ATMs: Accessibility, Limits, & Features
Busted Mcpherson Newspaper
Troy Gamefarm Prices
Foolproof Module 6 Test Answers
Villano Antillano Desnuda
Gunsmoke Tv Series Wiki
Viduthalai Movie Download
Otis Offender Michigan
Deleted app while troubleshooting recent outage, can I get my devices back?
Buhsd Studentvue
Dynavax Technologies Corp (DVAX)
Ursula Creed Datasheet
Toth Boer Goats
Ferguson Showroom West Chester Pa
Postgraduate | Student Recruitment
Tripadvisor Vancouver Restaurants
Walgreens On Secor And Alexis
2017 Ford F550 Rear Axle Nut Torque Spec
Ucla Basketball Bruinzone
Skyward Cahokia
DL381 Delta Air Lines Estado de vuelo Hoy y Historial 2024 | Trip.com
Benjamin Franklin - Printer, Junto, Experiments on Electricity
The top 10 takeaways from the Harris-Trump presidential debate
Bluebird Valuation Appraiser Login
Latest Posts
Avoid using default exports
The 5 Biggest Google Ads Trends for 2024 (+6 Predictions)
Article information

Author: Pres. Lawanda Wiegand

Last Updated:

Views: 5790

Rating: 4 / 5 (71 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Pres. Lawanda Wiegand

Birthday: 1993-01-10

Address: Suite 391 6963 Ullrich Shore, Bellefort, WI 01350-7893

Phone: +6806610432415

Job: Dynamic Manufacturing Assistant

Hobby: amateur radio, Taekwondo, Wood carving, Parkour, Skateboarding, Running, Rafting

Introduction: My name is Pres. Lawanda Wiegand, I am a inquisitive, helpful, glamorous, cheerful, open, clever, innocent person who loves writing and wants to share my knowledge and understanding with you.