Microsoft Sentinel: Analytic vs Basic vs Archive (2024)

Below is an article about three different types of logs that can be ingested and retained in Microsoft Sentinel's Log Analytics Workspace.

Pre-requisites

  • Basic Knowledge around Microsoft Sentinel and Log Analytics Workspace

Overview

Microsoft Sentinel is considered to be the so-called "expensive" SIEM platform on the market at the moment (which isn't entirely true). Microsoft Sentinel isn't an old-school, traditional SIEM where it is feasible to dump all logs in one place and tick the checkbox for compliance.

Sentinel (and a few other modern cloud SIEM platforms) follows a different approach: you ingest only the logs that are actually needed, rather than treating the SIEM as a storage box.

Logs from the Log Analytics Workspace are primarily used by three components of Microsoft Sentinel:

  • Analytic Rules
  • Workbooks
  • Hunting Queries (or manual threat hunting in Logs)

The costs below are calculated for the region "Australia East" and are shown in "New Zealand Dollars" (NZD).

Analytic Logs

Analytic logs are the primary log type in Microsoft Sentinel. Until a year (or more) ago, Analytic logs were the only type of log supported in the Log Analytics Workspace. Analytic Logs can be treated as "hot storage" and carry no restrictions on using or manipulating the logs in Microsoft Sentinel.

Ingestion Cost

Below shows the "Ingestion" cost of 10 GB/day of Analytic Log for 30 days:

Retention Cost

Below shows the "Retention" cost of 10 GB/day of Analytic Log for 24 months:

Pros

✅ Logs are stored as "Hot Storage" and can be accessed anytime

✅ Can be used in Analytic Rules, Workbooks, and Hunting Queries

✅ No limitations in using KQL operators over the Analytic Log

✅ Longer log retention (maximum: 2 years)

Cons

❌ Expensive! 😬

PS: Remember, premium cars don't come cheap 🤷‍♂️

Basic Logs

The key thing I love about the Microsoft Sentinel team is that they listen 🙂

After several organizations started running into cost issues, the Microsoft Sentinel team came up with a workaround. Even though it goes against the desired approach, some organizations still want to keep high-volume logs (firewall logs, DNS logs, etc.). To cover that use case, Microsoft introduced a new type of log: "Basic logs". Basic logs are still considered "hot storage", since they are accessible at any time, although they have some limitations on usability.

Ingestion Cost

Below shows the "Ingestion" cost of 10 GB/day of Basic Log for 30 days:

Retention Cost

There is no Retention cost, since the log retention is fixed at 8 days.

Pros

✅ Logs are stored as "Hot Storage" and can be accessed anytime

✅ Cheaper price

Cons

❌ Maximum log retention - 8 days

❌ Only a subset of KQL operators can be used over Basic Logs

❌ Basic logs cannot be used in Analytic Rules, (most) Workbooks or (most) Hunting Queries

Archive Logs

Archive Logs were released in conjunction with Basic Logs. They are NOT "hot storage", but I wouldn't classify them as "cold storage" either. I like to call them "warm storage" because of their easy accessibility and the ability to migrate the logs back into hot storage in a few clicks. Their sole purpose is long-term log retention; they are not built to be used by Analytic Rules, Hunting Queries or Workbooks. The maximum log retention goes up to 12 years.

Ingestion Cost

There is no Ingestion cost, since logs CANNOT be ingested directly into an Archive Log table.

Retention Cost

Below shows the "Retention" cost of 10 GB/day of Archive Log for 24 months:

It wouldn't be a fair comparison to list Pros and Cons, since the purpose of Archive Logs is entirely different from that of Analytic and Basic Logs. Archive Logs can still support (very limited) threat hunting through "Search Jobs", but those do come at a (minimal) cost.

Winner?

  • Analytic Logs can be used in analytic rules, workbooks and hunting queries with no limitations, but they are expensive.
  • Basic Logs are cheap, but they cannot be used in analytic rules, (most) workbooks or (most) hunting queries. On top of that, the maximum log retention is just 8 days.
  • Archive Logs are the cheapest of all and can store logs for up to 12 years, but they are not built to be used as hot storage. They support "Search Jobs" for threat hunting, but those come at a cost.

The question is: Analytic vs Basic vs Archive?
The answer is: Analytic + Basic + Archive 🙂

The key is knowing when to use what type of log table.

  • Analytic logs should be used for high-value security data that requires scheduled monitoring and alerting.
  • Basic logs should be used for logs of low detection value that are still valuable when investigating an incident (threat hunting).
  • Since Basic logs have an 8-day retention, Archive logs should be used to store the Basic logs for a longer duration, to widen the scope of threat hunting when it is required.
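The "Analytic + Basic + Archive" split above, expressed as a table-plan configuration. This is an added example, not the author's code: the workspace name, the table names, the column schema and the retention values are assumptions chosen to illustrate the pattern (Analytics plan with 2-year hot retention for alerting data; Basic plan with the fixed 8-day hot window and a longer total retention so older data lands in the archive tier).

```bicep
// Added example (not from the article): one workspace, two table plans.
// Table names, schema and retention values are assumptions for illustration.
param workspaceName string

resource ws 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// High-value security data: Analytics plan, interactive ("hot") retention set
// to the 2-year maximum the article cites. Usable by analytic rules, workbooks
// and hunting queries with no KQL restrictions.
resource securityEvent 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = {
  parent: ws
  name: 'SecurityEvent'
  properties: {
    plan: 'Analytics'
    retentionInDays: 730
  }
}

// High-volume, low-detection-value data (firewall logs): Basic plan.
// Interactive retention is fixed at 8 days and is not set here; anything kept
// beyond that is governed by totalRetentionInDays and sits in the archive tier,
// which is the "Basic + Archive" pattern the article recommends for hunting.
// Basic plan is only accepted on tables that support it (DCR-based custom
// tables and a set of built-in tables); Firewall_CL is an assumed custom table.
resource firewall 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = {
  parent: ws
  name: 'Firewall_CL'
  properties: {
    plan: 'Basic'
    totalRetentionInDays: 365
    schema: {
      name: 'Firewall_CL'
      columns: [
        { name: 'TimeGenerated', type: 'datetime' }
        { name: 'SrcIp', type: 'string' }
        { name: 'DstIp', type: 'string' }
        { name: 'Action', type: 'string' }
      ]
    }
  }
}
```

Rows in Firewall_CL older than 8 days are no longer reachable from an ordinary Logs query; they have to be pulled back through a Search Job (or a restore), which is the cost the article attaches to hunting over archived data.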

Conclusion

Each log type has its purpose in Microsoft Sentinel, and using them the right way can save cost without compromising the security posture of an organization.

PS: If you are a large organization using Microsoft Sentinel and haven't heard of "Commitment Tier", you are pouring money down the drain 🙂
