Cost Management & Microsoft Sentinel Part 2
Today we will explore additional cost management options to use as part of your ongoing governance in Microsoft Sentinel. If you missed part 1, check it out here. Join me as we begin exploring some options that we can set to help control costs in our Log Analytics Workspace. Let’s dive into the world of Log Analytics Workspace configurations together!
First, let’s get logged into our test environment at https://portal.azure.com. Then browse to Log Analytics Workspaces.
Let’s go right into Tables. There is the obvious stop in ‘Usage and Estimated Costs’ that we will return to in a few steps.
Let’s choose the table Anomalies and look at the settings:
I know what you’re thinking…Andrew, you dropped a #3 in empty space?? Well…yes I did. That’s because I wanted to highlight that we have no archive period setup here, and we are keeping all this data for 1 year as a default period.
Let’s imagine for a moment that we decided to keep this data for 3 months in our “hot” data tier, then we can move it down in priority after that. Let’s see what that would look like!
Click on the elipses “…” on the right side, then choose Manage Table.
Now let’s see what we have here!
Well now, we have some options here. Let’s change the retention settings to meet our requirement for 6 months of “hot” tier data (interactive) and keeping data retention for a total of 1 year. This means we can reduce our storage costs for that last 6 months and move the data down to archive tier. It’s a complex description for the following changes in reality:
- Uncheck Use Default workspace settings
- Set Interactive retention to 180 days (6 months)
- Set Total retention period to 1 year
Notice that the visual bar display updates for you to show a colour-coded breakdown of how long the data will be retained at each tier, and overall. That grey part shows that your data will expire after 1 year and there is no further retention in the Log Analytics Workspace storage account.
Test this out by changing Total Retention Period to 7 years.
Now the Anomalies table will retain data for 7 years, 6.5 years of that is on the archive tier that is cheaper than interactive data tier. This will help you to reduce your data costs overall, choosing the settings on tables that you do not access in an interactive way can support an improved and more cost effective configuration for your data retention overall.
Once you save any changes, you will be able to see in the Tables dashboard that your Interactive and Archive period settings are now easy to find.
Learn more about Log Analytics workspace storage accounts here.
Remember to define all your requirements and build your LAW account architecture to meet the needs of your organization and compliance needs!