How to Know When Data Retention Values Have Changed for Microsoft Sentinel
Operational Operations
Customers periodically ask to be notified when, or at least to be able to find out when, the Log Analytics workspace data retention setting changes.
Here's a quick KQL query to accomplish that. It reads the Operation table, which records workspace-level management operations, and keeps only the successful ones in the Workspace Configuration category:
// Operation records workspace management activity; retention changes land under Workspace Configuration
Operation
| where OperationStatus == "Succeeded"
| where OperationCategory == "Workspace Configuration"
// Detail carries the human-readable description of the change
| project TimeGenerated, Detail
An example of the results:
This query can be used in a Workbook, as a Hunting query, or as an Analytics Rule (to be notified when a change happens). Note that the Workspace Configuration category is not limited to retention changes and the query does not filter on Detail, so read the Detail text of each row to confirm which entries are the retention changes you care about.
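As an added example that is not part of the original post or the SentinelKQL repository, the PowerShell below reads the workspace's current retention value straight from the resource and then runs the same Operation-table query through the Az.OperationalInsights module, so the setting and its change history can be checked together from a terminal or a scheduled job. The resource group and workspace names are placeholders, and the labelling of rows whose Detail text mentions "retention" rests on the assumption that retention changes are described with that word.

```powershell
# Added example (not from the original post): compare the workspace's current
# retention setting with the change history recorded in the Operation table.
# Assumes the Az.OperationalInsights module is installed and Connect-AzAccount
# has already been run. Resource group and workspace names are placeholders.
param(
    [string]$ResourceGroupName = 'rg-sentinel',   # placeholder
    [string]$WorkspaceName     = 'law-sentinel',  # placeholder
    [int]$LookbackDays         = 30
)

# Current value read from the workspace resource itself: the ground truth to compare against.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
"Workspace '{0}' current retention: {1} days" -f $ws.Name, $ws.RetentionInDays

# The post's query, scoped to a lookback window and extended with ResourceId so
# the rows stay unambiguous if the query is later run across several workspaces.
$query = @"
Operation
| where TimeGenerated > ago(${LookbackDays}d)
| where OperationStatus == "Succeeded"
| where OperationCategory == "Workspace Configuration"
| project TimeGenerated, Detail, ResourceId
| order by TimeGenerated desc
"@

# CustomerId is the workspace GUID the query API expects.
$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $query

if (-not $response.Results) {
    "No Workspace Configuration operations recorded in the last $LookbackDays days."
    return
}

# The category is broader than retention alone, so label the rows whose Detail text
# mentions retention (assumption: retention changes are described with that word)
# and still list everything else for review rather than silently dropping it.
$response.Results | ForEach-Object {
    $kind = if ($_.Detail -match 'retention') { 'RETENTION' } else { 'other' }
    [pscustomobject]@{
        TimeGenerated = $_.TimeGenerated
        Kind          = $kind
        Detail        = $_.Detail
    }
} | Format-Table -AutoSize
```

Run it after Connect-AzAccount with the real resource group and workspace names; if the printed current retention does not match what the most recent RETENTION row describes, the change history in the Operation table is incomplete for that window and the lookback should be widened.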
The latest version of this query will always be located here: SentinelKQL/DataRetentionChanges.txt at master · rod-trent/SentinelKQL (github.com)