How to Quickly Tell Which Microsoft Sentinel Tables are Configured as Basic Logs
Knowing is half the battle
Basic Logs, of course, is a preview feature for Microsoft Sentinel that gives customers a cheaper, but more limited, way to ingest high-volume, low-security-value logs. If you’ve not heard of this new feature yet, check out the following recent articles to catch up:
On Twitter, a great question was raised last week about how to know which tables have been configured for Basic Logs and which ones have not.
Basic Logs is in preview and still a work in progress, but there is one UI method to identify tables that have been configured as Basic Logs and a couple of code-based methods, including the API and CLI.
However, a new way to quickly identify tables configured for Basic Logs is coming, and it’s also in preview. And this preview is by request only.
As shown in the image, when released, a new Tables blade will be available in the Log Analytics workspace where you can filter by the table plan.
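Until that blade is available, the code-based route mentioned above can answer the same question. The following is an added example, not code from the original post: it groups tables by plan from the JSON returned by a workspace tables list call. The sample response is constructed, and both the nested `properties.plan` layout (REST API) and the flattened `plan` layout (`az monitor log-analytics workspace table list` output) are assumptions about the response shape.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed shape of the workspace tables list
# REST response. Table names and plans are illustrative only.
SAMPLE_ARM_RESPONSE = json.dumps({
    "value": [
        {"name": "SecurityEvent", "properties": {"plan": "Analytics"}},
        {"name": "ContainerLogV2", "properties": {"plan": "Basic"}},
        {"name": "AppTraces", "properties": {"plan": "Basic"}},
        {"name": "Heartbeat", "properties": {}},  # plan missing from response
    ]
})


def _table_fields(entry):
    """Return (name, plan) for one table entry.

    Accepts the nested REST shape ({"properties": {"plan": ...}}) and the
    flattened CLI shape ({"plan": ...}). A missing plan is reported as
    "Unknown" rather than guessed, so gaps are visible in the result.
    """
    props = entry.get("properties") or entry
    plan = props.get("plan") or "Unknown"
    return entry["name"], plan


def tables_by_plan(raw_json):
    """Group table names by plan from a REST or CLI JSON document."""
    doc = json.loads(raw_json)
    # REST wraps the list in {"value": [...]}; CLI output is a bare list.
    entries = doc["value"] if isinstance(doc, dict) else doc
    grouped = defaultdict(list)
    for entry in entries:
        name, plan = _table_fields(entry)
        grouped[plan.capitalize()].append(name)  # normalise casing
    return {plan: sorted(names) for plan, names in grouped.items()}


def basic_tables(raw_json):
    """Return the sorted names of tables configured as Basic Logs."""
    return tables_by_plan(raw_json).get("Basic", [])


if __name__ == "__main__":
    for plan, names in sorted(tables_by_plan(SAMPLE_ARM_RESPONSE).items()):
        print(f"{plan}: {', '.join(names)}")
```

To use it against a real workspace, pass the saved JSON output of the tables list call to `tables_by_plan` in place of the constructed sample.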