Microsoft Sentinel Workspace Settings Best Practices

Since Microsoft Sentinel leverages Azure Log Analytics as its data platform it is therefore beheld to the Log Analytics Workspace default settings. When creating a initial instance of Azure Sentinel and the corresponding Log Analytics Workspace there are few settings you need to further enable manually.

Workspace Data Retention Settings

Out of the box a Log Analytics Workspace has a default data retention period of 30 days. However Sentinel customers get 90 days of data retention for free, ensure you have updated the default data retention settings by following the below doc.

Workspace Auditing

It is fairly important you have the ability to audit operations and changes that occur with your Sentinel Instance.

Azure Activity Logs

Azure Activity logs are enabled by default on all Azure resources and will provide operational information such as when an Azure resource is modified. You should configure the Azure Activity Data connector, which is a free data source.


Another set of logs specific to the Azure Log Analytics workspace known as Audit Queries enable resource specific logs that provide information such as when a query was run, who ran it, what tool was used, the query text, and performance statistics describing the query’s execution.

These set of logs will enable your team to leverage the out of the box Workspace Audit and Workspace Usage Report workbooks. As a best practice configure diagnostic logging for the Sentinel workspace to send the Audit logs to the Sentinel workspace.

Note this is not a free data source and will incur data ingestion charges.

Configure query auditing

Exit mobile version