How to Quickly Tell Which Microsoft Sentinel Tables are Configured as Basic Logs

Basic Logs, of course, is a preview feature for Microsoft Sentinel that gives customers a cheaper but more limited way to ingest high-volume, low-security-value logs. If you’ve not heard of this new feature yet, check out the following recent articles to catch up:

Over Twitter, a great question was raised last week about how to know which tables have been configured for Basic Logs and which ones have not.

Basic Logs is in preview and still a work in progress, but there is one UI method to identify tables that have been configured as Basic Logs and a couple of code-based methods, including the API and CLI. For details see: Check table configuration.
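The API method mentioned above can be turned into a workspace-wide inventory. The following is an added sketch, not code from the original post or from Microsoft: it assumes the Azure Resource Manager tables listing endpoint with api-version `2021-12-01-preview` and a response where each table carries `properties.plan`; the function names and the sample payload are constructed for illustration.

```python
import json
import urllib.request
from collections import defaultdict

# Assumption: ARM endpoint and preview api-version; neither is stated on this page.
ARM = "https://management.azure.com"
API_VERSION = "2021-12-01-preview"

def tables_url(subscription_id, resource_group, workspace):
    """Build the URL that lists every table in one Log Analytics workspace."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/tables?api-version={API_VERSION}")

def fetch_tables(url, bearer_token):
    """GET the table list; the caller supplies an ARM bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def tables_by_plan(payload):
    """Group table names by plan; a table without a plan is reported as Unknown."""
    grouped = defaultdict(list)
    for table in payload.get("value", []):
        plan = (table.get("properties") or {}).get("plan") or "Unknown"
        grouped[plan].append(table.get("name", "<unnamed>"))
    return {plan: sorted(names) for plan, names in grouped.items()}

# Constructed sample response (not real workspace data) so the block runs offline.
SAMPLE = {"value": [
    {"name": "SecurityEvent", "properties": {"plan": "Analytics", "retentionInDays": 90}},
    {"name": "ContainerLogV2", "properties": {"plan": "Basic", "retentionInDays": 8}},
    {"name": "AppTraces", "properties": {"plan": "Basic", "retentionInDays": 8}},
    {"name": "FirewallLogs_CL", "properties": {"plan": "Basic", "retentionInDays": 8}},
    {"name": "Legacy_CL", "properties": {}},
]}

if __name__ == "__main__":
    # Against a live workspace: tables_by_plan(fetch_tables(tables_url(...), token))
    for plan, names in sorted(tables_by_plan(SAMPLE).items()):
        print(f"{plan}: {', '.join(names)}")
```

Comparing the Basic list against the tables referenced by your analytics rules and hunting queries shows where the plan's query limits would affect detection coverage.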

However, a new way to quickly identify tables configured as Basic Logs is coming, and it’s also in preview. This preview is by request only.

As shown in the image, when released, a new Tables blade will be available in the Log Analytics workspace where you can filter by the table plan.

You can request to be part of this preview at the following link: Azure Monitor Logs: DCR-based Custom Logs Preview Signup

