How to Quickly Tell Which Microsoft Sentinel Tables are Configured as Basic Logs

Basic Logs, of course, is a preview feature for Microsoft Sentinel that enables customers a cheaper, but more limited way to ingest large volume, low security value logs. If you’ve not heard of this new feature yet, check out the following recent articles to catch up:

Over Twitter, a great question was raised last week about how to know which tables have been configure for Basic Logs and which ones have not.

Basic Logs is in preview and still a work in progress but there is one UI method to identify logs that have been configured as Basic Logs and a couple code-based methods including the API and CLI.

However, a new way to quickly identify Basic Logs configured tables is coming and it’s also in preview. And this preview is by request only.

As shown in the image, when released, a new Tables blade will be available in the Log Analytics workspace where you can filter by the table plan.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]