{"id":575,"date":"2023-01-12T01:47:00","date_gmt":"2023-01-12T00:47:00","guid":{"rendered":"https:\/\/mortenknudsen.net\/?p=575"},"modified":"2023-01-15T11:09:06","modified_gmt":"2023-01-15T10:09:06","slug":"how-to-save-by-storing-your-syslog-and-defender-for-endpoint-long-term-logs-in-azure-data-explorer-cluster-using-azure-data-factory-and-azure-storage-account-export-while-keeping-kusto-q","status":"publish","type":"post","link":"https:\/\/mortenknudsen.net\/?p=575","title":{"rendered":"How to save $$$ by storing your Syslog and Defender for Endpoint long-term logs in Azure Data Explorer cluster using Azure Data Factory and Azure Storage Account export \u2013 while keeping Kusto query functionalities ?"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">This blog is about <strong>keeping long-term Sentinel logs<\/strong>, giving you insight into the options today &#8211; with great opportunities to save money \ud83d\ude42<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To be honest, I can get confused with the limitations and feature-set, as many great changes are coming rapidly. Therefore I have prepared a <strong>detailed overview<\/strong> with 2 tables covering <strong>Decision #1: Export vs. Keep<\/strong> and <strong>Decision #2: Choosing our long-term log-storage solution<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I covered Azure LogAnalytics basic logs and archive logs in a previous <a href=\"https:\/\/mortenknudsen.net\/?p=450\" target=\"_blank\" rel=\"noreferrer noopener\">blog-post<\/a> &#8211; so I have decided to cover the solution, <strong>Azure Data Explorer<\/strong>, in this blog.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In many cases, this solution can be a great option, where you can save lots of money. But on the flipside, it is also more complex. Hopefully this guide can get you up and running, so you can try it out. 
I will cover adding <strong>Syslog<\/strong> data, but it can also be used for e.g. Defender for Endpoint data (and more).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Azure Data Explorer is an alternative to <strong>consumption-based log retention<\/strong>, where you  <strong>pay a fixed price for the infrastructure for long-term log-storage based<\/strong> on <strong>Azure Data Explorer cluster<\/strong> \u2013 and then use <strong>Azure Data Factory<\/strong> to transform your data. <\/p>\n<cite>If you want to get a tutorial on how to get a complete environment up and running using Azure Data Explorer, Azure Data Factory and export to Azure Storage Account, then keep reading, where I will try to take you through the steps.<\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Decision #1 &#8211; Export vs. Keep<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When we have to decide on a solution, we will have to decide on &#8220;should we export or keep data&#8221;. Below are the options:<\/p>\n\n\n\n<figure class=\"wp-block-table alignwide is-style-stripes has-small-font-size\"><table><tbody><tr><td>Option<\/td><td>Export<\/td><td>Export<\/td><td>Export<\/td><td>Export<\/td><td>Keep<\/td><td>Keep<\/td><\/tr><tr><td>Method<\/td><td>Continuously Export<\/td><td>Continuously Export<\/td><td>Ad-hoc export \u2013 <a href=\"https:\/\/www.powershellgallery.com\/packages\/Invoke-AzOperationalInsightsQueryExport\">Powershell<\/a><\/td><td>Schedule export via Query<br>(LogicApp, Function, Data Factory<\/td><td>LogAnalytics Retention<\/td><td>LogAnalytics Archive<\/td><\/tr><tr><td>Target<\/td><td>EventHub<\/td><td>Storage Account<\/td><td><\/td><td><\/td><td><\/td><td><\/td><\/tr><tr><td>Format<\/td><td>JSON<\/td><td>JSON<\/td><td>Any format<\/td><td>Any format<\/td><td><\/td><td><\/td><\/tr><tr><td>Limitations<\/td><td><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/logs\/logs-data-export?tabs=portal#supported-tables\">Link<\/a><\/td><td><a 
href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/logs\/logs-data-export?tabs=portal#supported-tables\">Link<\/a><\/td><td><\/td><td><\/td><td><\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Decision #2 &#8211; Choosing our <strong>long-term log-storage<\/strong> solution<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The big question is what solution to choose for our long-term logs, and here the complexity starts, as we have to take many factors into consideration: <strong>platform-knowledge in-house<\/strong>, <strong>limitations<\/strong>, <strong>time2enable<\/strong>, <strong>management<\/strong>, <strong>performance<\/strong>, <strong>monthly cost, scalability, security<\/strong>, etc.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Cost-factors<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">As mentioned above, many factors must be taken into account when you look at costs. Cost-differences cannot be concluded without asking some important questions. Here are 4 samples of these questions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For how long do you require interactive hunting capabilities &#8211; or can a search job be sufficient?\n<ul class=\"wp-block-list\">\n<li>If it&#8217;s just limited hunting and audit\/compliance, you can come far by using LogAnalytics archive.<\/li>\n\n\n\n<li>If you need to query the data very often, go with Azure Data Explorer\/Azure Data Factory.<\/li>\n\n\n\n<li>In the price examples below, I compare a few scenarios, also using LogAnalytics archive.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>For how long do you keep your retention in Sentinel (short-term)?\n<ul class=\"wp-block-list\">\n<li>It makes a difference whether you only keep 90 days in Sentinel and consider long-term from day 91 onwards, or whether you keep short-term in Sentinel for 1 year.<\/li>\n\n\n\n<li>If you keep short-term only for 90 days and then move everything to long-term and keep it for longer, you can gain pretty high savings moving to ADX\/ADF.<\/li>\n\n\n\n<li>If you keep short-term for 12 months in Sentinel, then the long-term might only be 12 months, which will make the cost difference smaller.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>How long do you need to keep the long-term data?\n<ul class=\"wp-block-list\">\n<li>The longer the retention, the more ADX\/ADF outperforms LogAnalytics in cost (infrastructure payment vs. consumption payment).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>What is your duplication management design? This is one of the main differences between the EventHub and ADF methods.\n<ul class=\"wp-block-list\">\n<li>Azure Data Explorer combined with the EventHub method stores some data (the first X months) in both Microsoft Sentinel and Azure Data Explorer, resulting in data duplication.<\/li>\n\n\n\n<li>Azure Data Explorer combined with Azure Data Factory enables you to copy data with Azure Data Factory only when it nears its retention limit in Microsoft Sentinel \/ Log Analytics, avoiding duplication.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">I hope the below table will help you \ud83d\ude42<\/p>\n\n\n\n<figure class=\"wp-block-table alignwide is-style-stripes has-small-font-size\"><table><tbody><tr><td>Choice<\/td><td>LogAnalytics Retention &#8211; Analytics logs<br>(lifecycle stage 1)<\/td><td>LogAnalytics Retention &#8211; Basic logs (lifecycle stage 1)<\/td><td>LogAnalytics Archive (lifecycle stage 2)<\/td><td>Azure Data Explorer<\/td><td>Storage Account<\/td><\/tr><tr><td>Storage placement<\/td><td>LogAnalytics<\/td><td>LogAnalytics<\/td><td>LogAnalytics<\/td><td>Azure Data Explorer<\/td><td>Storage Account<\/td><\/tr><tr><td>Storage limitation<\/td><td>Unlimited<\/td><td>Unlimited<\/td><td>Unlimited<\/td><td>Unlimited<\/td><td>500 TB per storage 
account<\/td><\/tr><tr><td>Kusto Query Frontend<\/td><td>LogAnalytics<br>&nbsp;<br>Data available for interactive queries<\/td><td>LogAnalytics<br>&nbsp;<br>Data available for interactive queries<\/td><td>LogAnalytics<br>&nbsp;<br>Data available using search job or restore<\/td><td>Azure Data Explorer<br>&nbsp;<br>Data available for interactive queries<\/td><td>Azure Data Explorer<br>&nbsp;<br>Data available for interactive queries<\/td><\/tr><tr><td>Data move methods<\/td><td>No need<\/td><td>No need<\/td><td>No need<\/td><td>1: Continuously Export to Storage Account<br>2: Data Factory Daily Move<\/td><td>Continuously Export to Storage Account<\/td><\/tr><tr><td>Kusto<\/td><td>Full support<br>Full Schema<\/td><td><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/logs\/basic-logs-query?tabs=portal-1#limitations\">Limited support<\/a><br>Full Schema<\/td><td>Search jobs<br>&nbsp;<br>Data Restore<\/td><td>Full cmdlets support<br>Full Schema<\/td><td>Full cmdlets support<br>Full Schema<\/td><\/tr><tr><td>Search performance with date filter,<br>54.056 rows<\/td><td>Fast<br>5,2 sec<\/td><td>Not measured<\/td><td>Very Slow<br>&gt;2-15 min<\/td><td>Very fast<br>0,175 sec<\/td><td>Slow<br>150 sec \u2013 16 GB, 392 blobs<\/td><\/tr><tr><td>Search performance (full table query) \u2013 54.056 rows<\/td><td>5,8-7,5 sec<br>Returned 30.000 rows<\/td><td>Not measured<\/td><td>Very Slow<br>&gt;2-15 min<\/td><td>3,7 sec<br>Returned 54.056 rows<\/td><td>Failed<br>(hit limit 64 MB)<\/td><\/tr><tr><td>Performance scaling<\/td><td>ADX cluster<\/td><td>N\/A<\/td><td>N\/A<\/td><td>Autoscale compute<\/td><td>N\/A<\/td><\/tr><tr><td>Billing method<\/td><td>Consumption per GB<\/td><td>Consumption per GB<\/td><td>Consumption per GB<\/td><td>Infrastructure (fixed)<br>+ some consumption<\/td><td>Consumption per GB<\/td><\/tr><tr><td>Data Protection<\/td><td>RBAC<br>&nbsp;<br>Restrict access to databases, tables or even rows within a table<\/td><td>RBAC<br>&nbsp;<br>Restrict 
access to databases, tables or even rows within a table<\/td><td><\/td><td>RBAC<br>&nbsp;<br>Restrict access to databases, tables or even rows within a table<\/td><td><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/storage\/blobs\/immutable-policy-configure-version-scope\">immutable storage account<\/a><\/td><\/tr><tr><td>Retention length<br>(limit max days)<\/td><td>730 (2 years)<\/td><td>8 days<\/td><td><\/td><td>36.500<br>(100 years)<\/td><td>146.000<br>(400 years)<\/td><\/tr><tr><td>Archive<br>(limit max days)<\/td><td>2556<br>(7 years)<\/td><td>2556<br>(7 years)<\/td><td>2556<br>(7 years)<\/td><td>No need, run as retention<\/td><td>No need, run as retention<\/td><\/tr><tr><td>Retention targeting<\/td><td>Workspace<br>Individual Tables<\/td><td>Workspace<br>Individual Tables<\/td><td>Workspace<br>Individual Tables<\/td><td>Database<br>Individual Tables<\/td><td>Separate storage accounts per table (max 10 export rules)<\/td><\/tr><tr><td>Setup complexity<\/td><td>Easy<\/td><td>Easy<\/td><td>Ad-hoc<\/td><td>Complex<br>(requires knowledge about Data Explorer &amp; Data Factory)<\/td><td>Moderate<\/td><\/tr><tr><td>Monthly Cost (USD)<br>Example #1 \u2013 250 GB Daily, 2 yr retention<\/td><td><strong>11.270-20.759<\/strong><br>&nbsp;<br>Scenario #1:<br><strong>Data Retention for 9 months incl. 3 free:<\/strong><br><strong>8.897<\/strong><br><strong>+ Archive for 12 months: 2373<\/strong><br><strong>Total: 11.270<\/strong><br><strong>&nbsp;<\/strong><br><strong>Scenario #2:<\/strong><br><strong>Data Retention for 24 months incl. 
3 free:<\/strong><br><strong>Total: 20.759<\/strong><\/td><td><strong>4.745<\/strong><br><br><strong>Data Retention for 8 days + Archive for 24 months<\/strong><\/td><td>Prices are covered in examples under retention, as it is one solution<\/td><td><strong>3.052<\/strong><\/td><td><strong>2.372-4.050<\/strong><br>&nbsp;<br>ADX:<br>510<br>+<br>Storage:<br>Average 1862 first 24 months<br>Avg 0-12 months = 987<br>Avg 13-24 months = 2.738<br>&nbsp;<br>3.540 (24 months, full capacity, 186.000 GB)<\/td><\/tr><tr><td>Monthly Cost (USD)<br>Example #2 \u2013 50 GB Daily, 2 yr retention<\/td><td><strong>2.254-4.152<\/strong><br>&nbsp;<br>Scenario #1:<br><strong>Data Retention for 9 months incl. 3 free:<\/strong><br><strong>1779<\/strong><br><strong>+ Archive for 12 months: 475<\/strong><br><strong>Total: 2.254<\/strong><br><strong>&nbsp;<\/strong><br><strong>Scenario #2:<\/strong><br><strong>Data Retention for 24 months incl. 
3 free:<\/strong><br><strong>Total: 4.152<\/strong><\/td><td><strong>949<\/strong><br><br><strong>Data Retention for 8 days + Archive for 24 months<\/strong><\/td><td>Prices are covered in examples under retention, as it is one solution<\/td><td><strong>2.329<\/strong><\/td><td><strong>890-1239<\/strong><br>&nbsp;<br>ADX:<br>510<br>+<br>Storage:<br>Average 380 first 24 months<br>Avg 0-12 months = 198<br>Avg 13-24 months = 562<br>&nbsp;<br>729 (24 months, full capacity, 37.200 GB)<\/td><\/tr><tr><td>More info<\/td><td><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/logs\/search-jobs?tabs=portal-1%2Cportal-2\">Search jobs<\/a><\/td><td><\/td><td><\/td><td><\/td><td><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/logs\/azure-data-explorer-query-storage\">Link<\/a><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Let&#8217;s get started<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By default, logs ingested into Microsoft Sentinel are stored in Azure Monitor Log Analytics.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Storing logs in Azure Data Explorer reduces costs while retaining your ability to query your data, and is especially useful as your data grows. For example, while security data may lose value over time, you may be required to retain logs for regulatory requirements or to run periodic investigations on older data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Azure Data Explorer is a big data analytics platform that is highly optimized for log and data analytics. Since Azure Data Explorer uses Kusto Query Language (KQL) as its query language, it&#8217;s a good alternative for Microsoft Sentinel data storage. 
Using Azure Data Explorer for your data storage enables you to run cross-platform queries and visualize data across both Azure Data Explorer and Microsoft Sentinel.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Sentinel provides full SIEM and SOAR capabilities, quick deployment and configuration, as well as advanced, built-in security features for SOC teams. However, the value of storing security data in Microsoft Sentinel may drop after a few months, once SOC users don&#8217;t need to access it as often as they access newer data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you only need to access specific tables occasionally, such as for periodic investigations or audits, you may consider that retaining your data in Microsoft Sentinel is no longer cost-effective. At this point, we recommend storing data in Azure Data Explorer, which costs less, but still enables you to explore using the same KQL queries that you run in Microsoft Sentinel.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can access the data in Azure Data Explorer directly from Microsoft Sentinel using the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/logs\/azure-monitor-data-explorer-proxy\">Log Analytics Azure Data Explorer proxy feature<\/a>. To do so, use cross cluster queries in your log search or workbooks.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong>&nbsp;Important<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Core SIEM capabilities, including Analytic rules, UEBA, and the investigation graph, do not support data stored in Azure Data Explorer.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">You may want to retain any data&nbsp;<em>with security value<\/em>&nbsp;in Microsoft Sentinel to use in detections, incident investigations, threat hunting, UEBA, and so on. 
Keeping this data in Microsoft Sentinel mainly benefits Security Operations Center (SOC) users, where typically 3-12 months of storage are enough.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"548\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/store-data-in-sentinel-and-adx-in-parallel-1024x548.png\" alt=\"\" class=\"wp-image-580\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/store-data-in-sentinel-and-adx-in-parallel-1024x548.png 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/store-data-in-sentinel-and-adx-in-parallel-300x161.png 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/store-data-in-sentinel-and-adx-in-parallel-768x411.png 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/store-data-in-sentinel-and-adx-in-parallel-1536x822.png 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/store-data-in-sentinel-and-adx-in-parallel.png 1764w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You can also configure all of your data,&nbsp;<em>regardless of its security value,<\/em>&nbsp;to be sent to Azure Data Explorer at the same time, where you can store it for longer. While sending data to both Microsoft Sentinel and Azure Data Explorer at the same time results in some duplication, the cost savings can be significant as you reduce the retention costs in Microsoft Sentinel.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before going into details on how to do this, it is important to stress that this method can be considered complex and it will require competency in Azure Data Factory, Azure Data Explorer, Azure LogAnalytics and Azure Storage.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This solution can be used to store your security logs: Syslog, Defender for Endpoint logs (Advanced Hunting), Azure Activity, etc. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I will cover setting up <strong>Syslog<\/strong> (<strong>CommonSecurityLog<\/strong>) in detail in this post, but you can easily use it for these tables:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure\n<ul class=\"wp-block-list\">\n<li>AADManagedIdentitySignInLogs<\/li>\n\n\n\n<li>AADNonInteractiveUserSignInLogs<\/li>\n\n\n\n<li>AADServicePrincipalSignInLogs<\/li>\n\n\n\n<li>AuditLogs<\/li>\n\n\n\n<li>SigninLogs<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Defender for Endpoint (Advanced Hunting) &#8211; requires the Sentinel M365D connector\n<ul class=\"wp-block-list\">\n<li>DeviceEvents<\/li>\n\n\n\n<li>DeviceFileEvents<\/li>\n\n\n\n<li>DeviceLogonEvents<\/li>\n\n\n\n<li>DeviceRegistryEvents<\/li>\n\n\n\n<li>DeviceImageLoadEvents<\/li>\n\n\n\n<li>DeviceNetworkInfo<\/li>\n\n\n\n<li>DeviceProcessEvents<\/li>\n\n\n\n<li>DeviceFileCertificateInfo<\/li>\n\n\n\n<li>DeviceInfo<\/li>\n\n\n\n<li>DeviceNetworkEvents<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Active Directory\n<ul class=\"wp-block-list\">\n<li>SecurityEvent<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Can I use the same Kusto queries for my security hunting?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Yes, you can use the same Kusto queries searching in the Azure Data Explorer (ADX) cluster as you are using today. 
You can even search in both environments at the same time.<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>\/\/ This query will search in the ADX table CommonSecurityLog (long-term log backup)\n\/\/\nunion adx('https:\/\/decxxxplatformmgmtp.westeurope.kusto.windows.net\/dedb-longterm-securitylogs').CommonSecurityLog\n| where DestinationIP == \"13.69.67.61\"\n| summarize total = count() by SourceIP<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>\/\/ This query will query both the LogAnalytics CommonSecurityLog (short-term) \u2013 and the ADX CommonSecurityLog (long-term)\n\/\/\nunion CommonSecurityLog, adx('https:\/\/decxxxplatformmgmtp.westeurope.kusto.windows.net\/dedb-longterm-securitylogs').CommonSecurityLog\n| where TimeGenerated between (datetime(2023-01-01) .. datetime(2023-01-09))\n| where DestinationIP == \"13.69.67.61\"\n| summarize total = count() by SourceIP<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"491\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/cost-2-query-1-1024x491.jpg\" alt=\"\" class=\"wp-image-579\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/cost-2-query-1-1024x491.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/cost-2-query-1-300x144.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/cost-2-query-1-768x368.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/cost-2-query-1.jpg 1468w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Solution overview (high-level)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Before starting, I would like to credit the Microsoft team behind this <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/store-logs-in-azure-data-explorer?tabs=adx-event-hub\" 
target=\"_blank\" rel=\"noreferrer noopener\">blog<\/a>, which I have used to get my own knowledge up to speed. I have used a few pictures, statements and links from the article. I would also like to say thanks to the LogAnalytics product-team and Azure Data Explorer team for helping out with input.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The solution covers these steps:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1: Azure LogAnalytics tables are exported to an Azure Storage Account.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These can for example be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CommonSecurityLog<\/li>\n\n\n\n<li>ActivityLog<\/li>\n\n\n\n<li>DeviceEvents<\/li>\n\n\n\n<li>DeviceFileEvents<\/li>\n\n\n\n<li>DeviceLogonEvents<\/li>\n\n\n\n<li>DeviceRegistryEvents<\/li>\n\n\n\n<li>DeviceImageLoadEvents<\/li>\n\n\n\n<li>DeviceNetworkInfo<\/li>\n\n\n\n<li>DeviceProcessEvents<\/li>\n\n\n\n<li>DeviceFileCertificateInfo<\/li>\n\n\n\n<li>DeviceInfo<\/li>\n\n\n\n<li>DeviceNetworkEvents<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">2: Azure Data Factory will run a daily copy job from the Azure Storage Account to Azure Data Explorer when the data nears its retention limit in Microsoft Sentinel \/ LogAnalytics, avoiding duplication of data.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Last Modified Time Scope (1 day of data)\n<ul class=\"wp-block-list\">\n<li>Start \u2013 last modified 86 days ago<\/li>\n\n\n\n<li>End \u2013 last modified 85 days ago<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">3: When the data has been transferred successfully, Azure Data Factory will delete the data in the blob storage which was just transferred into ADX. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"669\" height=\"327\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/ingest-data-to-adx-via-azure-storage-azure-data-factory.jpg\" alt=\"\" class=\"wp-image-658\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/ingest-data-to-adx-via-azure-storage-azure-data-factory.jpg 669w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/ingest-data-to-adx-via-azure-storage-azure-data-factory-300x147.jpg 300w\" sizes=\"auto, (max-width: 669px) 100vw, 669px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">How to implement the solution<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">The implementation covers 7 steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Step 1: Azure Storage Account<\/li>\n\n\n\n<li>Step 2: Azure Data Explorer (ADX) cluster<\/li>\n\n\n\n<li>Step 3: Azure Data Factory (ADF)<\/li>\n\n\n\n<li>Step 4: Establishment of Schema\/Tables on ADX cluster<\/li>\n\n\n\n<li>Step 5: Create Copy-job in Azure Data Factory (ADF)<\/li>\n\n\n\n<li>Step 6: Finetune Copy job (last modified, testing)<\/li>\n\n\n\n<li>Step 7: Production ready &#8211; enable Delete data<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 1: Azure Storage Account<\/h2>\n\n\n\n<h5 class=\"wp-block-heading\">1.1 &#8211; Create Storage Account (blob)<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Create an Azure Storage Account, used for export of LogAnalytics <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">1.2 &#8211; Configure LogAnalytics Export of tables to Storage Account blob<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">For more information, see&nbsp;<a 
href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-monitor\/logs\/logs-data-export?tabs=portal#enable-data-export\">Log Analytics workspace data export in Azure Monitor<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"364\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/1-1-1024x364.jpg\" alt=\"\" class=\"wp-image-583\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/1-1-1024x364.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/1-1-300x107.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/1-1-768x273.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/1-1-1536x547.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/1-1.jpg 1973w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 2: Azure Data Explorer (ADX) cluster<\/h2>\n\n\n\n<h5 class=\"wp-block-heading\">2.1 &#8211; Create Cluster<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/data-explorer\/create-cluster-database-portal\" target=\"_blank\" rel=\"noreferrer noopener\">Create an Azure Data Explorer cluster and database<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/data-explorer\/manage-cluster-choose-sku\">Select the correct compute SKU for your Azure Data Explorer cluster<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"917\" height=\"983\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/2.jpg\" alt=\"\" class=\"wp-image-584\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/2.jpg 917w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/2-280x300.jpg 280w, 
https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/2-768x823.jpg 768w\" sizes=\"auto, (max-width: 917px) 100vw, 917px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"985\" height=\"714\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/3.jpg\" alt=\"\" class=\"wp-image-585\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/3.jpg 985w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/3-300x217.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/3-768x557.jpg 768w\" sizes=\"auto, (max-width: 985px) 100vw, 985px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"399\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/4.jpg\" alt=\"\" class=\"wp-image-586\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/4.jpg 920w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/4-300x130.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/4-768x333.jpg 768w\" sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><figcaption class=\"wp-element-caption\">Enable Purge must be enabled<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"919\" height=\"562\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/5.jpg\" alt=\"\" class=\"wp-image-587\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/5.jpg 919w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/5-300x183.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/5-768x470.jpg 768w\" sizes=\"auto, (max-width: 919px) 100vw, 919px\" \/><figcaption class=\"wp-element-caption\">Important to enable system-assigned identity<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" 
decoding=\"async\" width=\"952\" height=\"435\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/6.jpg\" alt=\"\" class=\"wp-image-588\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/6.jpg 952w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/6-300x137.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/6-768x351.jpg 768w\" sizes=\"auto, (max-width: 952px) 100vw, 952px\" \/><figcaption class=\"wp-element-caption\">Choose depending on your network design<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"915\" height=\"493\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/7.jpg\" alt=\"\" class=\"wp-image-589\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/7.jpg 915w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/7-300x162.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/7-768x414.jpg 768w\" sizes=\"auto, (max-width: 915px) 100vw, 915px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Choose Review + Create to deploy the cluster<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">2.2 &#8211; Create database<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">When the cluster is running, we need to setup a database<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"987\" height=\"498\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/8.jpg\" alt=\"\" class=\"wp-image-590\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/8.jpg 987w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/8-300x151.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/8-768x388.jpg 768w\" sizes=\"auto, (max-width: 987px) 100vw, 987px\" \/><figcaption class=\"wp-element-caption\">Now we will continue on setting up Azure Data 
Factory (ADF)<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 3: Azure Data Factory (ADF)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">3.1 &#8211; Create Azure Data Factory environment (or re-use existing)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"918\" height=\"628\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf1.jpg\" alt=\"\" class=\"wp-image-592\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf1.jpg 918w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf1-300x205.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf1-768x525.jpg 768w\" sizes=\"auto, (max-width: 918px) 100vw, 918px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"915\" height=\"355\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf2.jpg\" alt=\"\" class=\"wp-image-593\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf2.jpg 915w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf2-300x116.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf2-768x298.jpg 768w\" sizes=\"auto, (max-width: 915px) 100vw, 915px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"906\" height=\"735\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf3.jpg\" alt=\"\" class=\"wp-image-594\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf3.jpg 906w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf3-300x243.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf3-768x623.jpg 768w\" sizes=\"auto, (max-width: 906px) 100vw, 906px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" 
width=\"934\" height=\"419\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf4.jpg\" alt=\"\" class=\"wp-image-595\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf4.jpg 934w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf4-300x135.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/adf4-768x345.jpg 768w\" sizes=\"auto, (max-width: 934px) 100vw, 934px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Choose Review + Create to start the ADF deployment<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">3.2 &#8211; Create Linked service for Azure Data Explorer (Kusto)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"549\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link6-1024x549.jpg\" alt=\"\" class=\"wp-image-596\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link6-1024x549.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link6-300x161.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link6-768x412.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link6-1536x824.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link6-2048x1098.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"717\" height=\"1024\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link5-717x1024.jpg\" alt=\"\" class=\"wp-image-597\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link5-717x1024.jpg 717w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link5-210x300.jpg 210w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link5.jpg 731w\" sizes=\"auto, (max-width: 717px) 100vw, 717px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image 
size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"398\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link1-1024x398.jpg\" alt=\"\" class=\"wp-image-601\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link1-1024x398.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link1-300x117.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link1-768x298.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link1-1536x597.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link1.jpg 1586w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">3.3 &#8211; Create Linked service for Azure Storage Account<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start by giving the Data Factory&#8217;s system-assigned managed identity a role on the storage account that holds the exported logs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For the copy itself we only read from Azure Blob storage (it is the source, not the sink), so <strong>Storage Blob Data Reader<\/strong> is enough at this point. Be aware that the Delete activity added in Step 7 removes blobs after they have been copied, and Reader does not allow that: before you enable deletion, raise the role to <strong>Storage Blob Data Contributor<\/strong> (on the storage account, or scoped to the export container).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"374\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link7-1024x374.jpg\" alt=\"\" class=\"wp-image-602\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link7-1024x374.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link7-300x110.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link7-768x281.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link7-1536x562.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link7.jpg 1917w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now go into ADF and set up a new linked service for Blob storage. 
Remember to choose <strong>System Assigned Managed Identity<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"643\" height=\"1024\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link3-643x1024.jpg\" alt=\"\" class=\"wp-image-600\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link3-643x1024.jpg 643w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link3-188x300.jpg 188w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link3.jpg 766w\" sizes=\"auto, (max-width: 643px) 100vw, 643px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Lastly you should now publish the 2 linked services.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"456\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link2-1024x456.jpg\" alt=\"\" class=\"wp-image-599\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link2-1024x456.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link2-300x134.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link2-768x342.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/link2.jpg 1094w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 4: Establishment of Schema\/Tables on ADX cluster<\/h2>\n\n\n\n<h5 class=\"wp-block-heading\">4.1 &#8211; Create table based on sample<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Now we will create the destination table in ADX, based on the schema from the source (Blob storage).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are multiple ways to accomplish this, but the fastest way to do this is:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Go into ADX, choose Database. 
Then go into Query &#8211; and right-click and choose &#8216;Create table&#8217;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"883\" height=\"512\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table1.jpg\" alt=\"\" class=\"wp-image-604\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table1.jpg 883w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table1-300x174.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table1-768x445.jpg 768w\" sizes=\"auto, (max-width: 883px) 100vw, 883px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"797\" height=\"485\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table2.jpg\" alt=\"\" class=\"wp-image-605\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table2.jpg 797w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table2-300x183.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table2-768x467.jpg 768w\" sizes=\"auto, (max-width: 797px) 100vw, 797px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"619\" height=\"1024\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table3-619x1024.jpg\" alt=\"\" class=\"wp-image-606\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table3-619x1024.jpg 619w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table3-181x300.jpg 181w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table3.jpg 742w\" sizes=\"auto, (max-width: 619px) 100vw, 619px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"615\" 
src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table4-1024x615.jpg\" alt=\"\" class=\"wp-image-607\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table4-1024x615.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table4-300x180.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table4-768x462.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table4-1536x923.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table4.jpg 1962w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You can choose to ingest data or leave it with no data ingestion for the preliminary config. Just click &#8216;ingest data&#8217; and choose what you want.  Personally I like to see data coming in.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you unclick ingest data, remember to choose &#8216;create mapping&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now choose Create table. 
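<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you prefer scripting the table over clicking through the wizard (as the scripts linked further down do), the same result can be produced with Kusto management commands. The block below is an added example for this post, not the wizard&#8217;s output and not the GitHub scripts: the column list is a deliberately short subset of the Log Analytics CommonSecurityLog schema, and the mapping name CommonSecurityLog_mapping is an assumed name that the ADF sink later has to refer to. Run the getschema query in the Log Analytics workspace first to get the complete column list and types, and run each command in the ADX query window on its own.<\/p>

```kusto
// Added example for this post (not the wizard's output, not the GitHub scripts).
// 1) In the Log Analytics workspace, list the source schema once and use it to
//    build the .create table command below (names and Kusto types carry over):
//
//      CommonSecurityLog | getschema | project ColumnName, ColumnType
//
// 2) In the ADX database, create the table. The columns below are a short,
//    illustrative subset of the real CommonSecurityLog schema.
.create table CommonSecurityLog (
    TimeGenerated: datetime,
    TenantId: string,
    DeviceVendor: string,
    DeviceProduct: string,
    DeviceEventClassID: string,
    Activity: string,
    SourceIP: string,
    SourcePort: int,
    DestinationIP: string,
    DestinationPort: int,
    Protocol: string,
    DeviceAction: string,
    Message: string,
    Type: string
)

// 3) Create the JSON ingestion mapping the ADF sink will use (mapping name is
//    assumed). Only the properties listed here are read from the exported JSON;
//    anything else, e.g. Internal_workspaceResourceId, is ignored at ingestion,
//    and a table column without an entry is left empty.
.create table CommonSecurityLog ingestion json mapping 'CommonSecurityLog_mapping'
'[{"column":"TimeGenerated","path":"$.TimeGenerated"},{"column":"TenantId","path":"$.TenantId"},{"column":"DeviceVendor","path":"$.DeviceVendor"},{"column":"DeviceProduct","path":"$.DeviceProduct"},{"column":"DeviceEventClassID","path":"$.DeviceEventClassID"},{"column":"Activity","path":"$.Activity"},{"column":"SourceIP","path":"$.SourceIP"},{"column":"SourcePort","path":"$.SourcePort"},{"column":"DestinationIP","path":"$.DestinationIP"},{"column":"DestinationPort","path":"$.DestinationPort"},{"column":"Protocol","path":"$.Protocol"},{"column":"DeviceAction","path":"$.DeviceAction"},{"column":"Message","path":"$.Message"},{"column":"Type","path":"$.Type"}]'

// 4) Checks: the ADX schema should match the workspace output from step 1, and
//    the mapping must exist under exactly the name configured in the ADF sink.
CommonSecurityLog | getschema | project ColumnName, ColumnType

.show table CommonSecurityLog ingestion json mappings
```

<p class=\"wp-block-paragraph\">Note that the ADX ingestion mapping is separate from the column mapping the ADF copy wizard builds: the wizard maps source columns to sink columns before rows reach ADX, and that is where the Internal_workspaceResourceId mismatch shown in Step 5 appears, so drop the column there as well.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">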
The wizard creates the table and the ingestion mapping, starts ingesting the sample data and verifies that the schema matches.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When you have verified that the data looks correct, you can choose <strong>delete new data<\/strong> to remove the sample rows again.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"965\" height=\"981\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table5.jpg\" alt=\"\" class=\"wp-image-608\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table5.jpg 965w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table5-295x300.jpg 295w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/table5-768x781.jpg 768w\" sizes=\"auto, (max-width: 965px) 100vw, 965px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Alternatively, I have also added a script on my <a href=\"https:\/\/github.com\/KnudsenMorten\/UseADXForLongtermLogBackup\" target=\"_blank\" rel=\"noreferrer noopener\">Github<\/a>, which can be used to export the schema of the table.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On Github I have also included scripts for setting up the tables, staging table, mapping, etc.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"408\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/git-1024x408.jpg\" alt=\"\" class=\"wp-image-683\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/git-1024x408.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/git-300x120.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/git-768x306.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/git.jpg 1182w\" sizes=\"auto, (max-width: 1024px) 100vw, 
1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 5: Create Copy-job in Azure Data Factory (ADF)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Lastly we need to configure the Copy-job in Azure Data Factory (ADF)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On the front page in ADF, choose <strong>New Ingest<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"514\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy0-1024x514.jpg\" alt=\"\" class=\"wp-image-610\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy0-1024x514.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy0-300x150.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy0-768x385.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy0.jpg 1274w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"573\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy1-1024x573.jpg\" alt=\"\" class=\"wp-image-611\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy1-1024x573.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy1-300x168.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy1-768x429.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy1.jpg 1377w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"603\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy4-1024x603.jpg\" alt=\"\" class=\"wp-image-614\" 
srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy4-1024x603.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy4-300x177.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy4-768x452.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy4.jpg 1306w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"631\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy2-1024x631.jpg\" alt=\"\" class=\"wp-image-612\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy2-1024x631.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy2-300x185.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy2-768x473.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy2-1536x947.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy2.jpg 1987w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"604\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy3-1-1024x604.jpg\" alt=\"\" class=\"wp-image-615\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy3-1-1024x604.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy3-1-300x177.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy3-1-768x453.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy3-1.jpg 1079w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"530\" 
src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy5-1024x530.jpg\" alt=\"\" class=\"wp-image-616\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy5-1024x530.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy5-300x155.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy5-768x398.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy5.jpg 1327w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"596\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy6-1024x596.jpg\" alt=\"\" class=\"wp-image-617\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy6-1024x596.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy6-300x175.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy6-768x447.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy6-1536x894.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy6.jpg 1692w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"640\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy7-1024x640.jpg\" alt=\"\" class=\"wp-image-618\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy7-1024x640.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy7-300x187.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy7-768x480.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy7-1536x960.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy7.jpg 1756w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\">In case of errors with mismatch, you will see this error. Typically I delete this particular value (Internal_workspaceResourceId)<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"446\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy8-1024x446.jpg\" alt=\"\" class=\"wp-image-619\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy8-1024x446.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy8-300x131.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy8-768x334.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy8-1536x669.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy8.jpg 1741w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"998\" height=\"1024\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy9-998x1024.jpg\" alt=\"\" class=\"wp-image-620\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy9-998x1024.jpg 998w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy9-292x300.jpg 292w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy9-768x788.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy9.jpg 1198w\" sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You can change the random names created by the wizard on the summary page shown above. 
Just click the Edit<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"548\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy10-1024x548.jpg\" alt=\"\" class=\"wp-image-621\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy10-1024x548.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy10-300x160.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy10-768x411.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy10.jpg 1208w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 6: Finetune Copy job (last modified, testing)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">6.1 &#8211; Suspend schedule (stop) + publish (as we will configure it first)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"421\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy20-1024x421.jpg\" alt=\"\" class=\"wp-image-623\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy20-1024x421.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy20-300x123.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy20-768x315.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy20.jpg 1444w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">6.2 &#8211; Rename Source, Sink, Copy data activity<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The wizard creates some odd names, which we will now rename<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"701\" 
src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy11-1024x701.jpg\" alt=\"\" class=\"wp-image-624\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy11-1024x701.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy11-300x205.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy11-768x526.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy11-1536x1052.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy11.jpg 1622w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"754\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy13-1024x754.jpg\" alt=\"\" class=\"wp-image-625\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy13-1024x754.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy13-300x221.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy13-768x566.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy13-1536x1131.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy13.jpg 1624w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"632\" height=\"156\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy14.jpg\" alt=\"\" class=\"wp-image-626\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy14.jpg 632w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy14-300x74.jpg 300w\" sizes=\"auto, (max-width: 632px) 100vw, 632px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"663\" height=\"146\" 
src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy15.jpg\" alt=\"\" class=\"wp-image-627\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy15.jpg 663w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy15-300x66.jpg 300w\" sizes=\"auto, (max-width: 663px) 100vw, 663px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">6.3 &#8211; Filtering by Last Modified<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For testing we can just choose data from 60 min ago to 50 min ago (10 min). Choose what you want \ud83d\ude42<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"467\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy16.jpg\" alt=\"\" class=\"wp-image-628\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy16.jpg 1000w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy16-300x140.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy16-768x359.jpg 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"306\" height=\"151\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy17.jpg\" alt=\"\" class=\"wp-image-629\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy17.jpg 306w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy17-300x148.jpg 300w\" sizes=\"auto, (max-width: 306px) 100vw, 306px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>@addminutes(utcnow(),-60)<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"437\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy18-1024x437.jpg\" alt=\"\" 
class=\"wp-image-630\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy18-1024x437.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy18-300x128.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy18-768x327.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy18.jpg 1067w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Choose to Publish and Trigger now<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"607\" height=\"136\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy21.jpg\" alt=\"\" class=\"wp-image-631\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy21.jpg 607w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy21-300x67.jpg 300w\" sizes=\"auto, (max-width: 607px) 100vw, 607px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">6.4 &#8211; Monitoring<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We will now verify data is coming into ADX using ADF Monitoring<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"455\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy22-1024x455.jpg\" alt=\"\" class=\"wp-image-633\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy22-1024x455.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy22-300x133.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy22-768x341.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy22-1536x683.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy22-2048x910.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"182\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy23-1024x182.jpg\" alt=\"\" class=\"wp-image-634\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy23-1024x182.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy23-300x53.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy23-768x136.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy23-1536x273.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy23.jpg 1871w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1008\" height=\"822\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy24.jpg\" alt=\"\" class=\"wp-image-635\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy24.jpg 1008w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy24-300x245.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy24-768x626.jpg 768w\" sizes=\"auto, (max-width: 1008px) 100vw, 1008px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"245\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy25-1024x245.jpg\" alt=\"\" class=\"wp-image-636\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy25-1024x245.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy25-300x72.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy25-768x183.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy25.jpg 1432w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p 
class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">6.5 &#8211; Verification using LogAnalytics query<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">We can now verify from the Log Analytics workspace using standard Kusto queries. The adx() function runs a cross-service query against the table in ADX, and union lets you combine it with the live CommonSecurityLog table in the workspace. The cross-service query runs under your own identity, not the Data Factory&#8217;s, so you need at least the Viewer role on the ADX database.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>union adx('https:\/\/decxxxxplatformmgmtp.westeurope.kusto.windows.net\/dedb-longterm-securitylogs').CommonSecurityLog\n| where DestinationIP == \"13.69.67.61\"\n| summarize total = count() by SourceIP\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"463\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy26-1024x463.jpg\" alt=\"\" class=\"wp-image-637\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy26-1024x463.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy26-300x136.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy26-768x348.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy26-1536x695.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy26-2048x927.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The second query spans both stores in one statement. Keep in mind that a day present in both the workspace and ADX is counted twice by this union, so in production restrict each side to its own time range.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>union CommonSecurityLog, adx('https:\/\/decxxxxxplatformmgmtp.westeurope.kusto.windows.net\/dedb-longterm-securitylogs').CommonSecurityLog\n| where TimeGenerated between (datetime(2023-01-01) .. 
datetime(2023-01-09))\n| where DestinationIP == \"13.69.67.61\"\n| summarize total = count() by SourceIP\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"514\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy29-1024x514.jpg\" alt=\"\" class=\"wp-image-638\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy29-1024x514.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy29-300x151.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy29-768x385.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy29-1536x771.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy29.jpg 1951w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">6.6 &#8211; Clear data testing<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">If we want to reset the test data in the ADX table, this can be done using this command (run as Query)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.clear table CommonSecurityLog data<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"271\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy28-1024x271.jpg\" alt=\"\" class=\"wp-image-639\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy28-1024x271.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy28-300x80.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy28-768x204.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy28-1536x407.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/copy28.jpg 1901w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p 
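class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One more check related to the verification queries in 6.5, before the schedule goes live. The plain union of the workspace table and the ADX table counts a day twice when both stores hold it (with the 85-day copy window from Step 7 and a workspace retention longer than 85 days, that is the normal situation for the last days of retention) and silently misses days that are in neither. The two queries below are added examples for this post, not the author&#8217;s: they use the same placeholder cluster URL as the queries above, so replace it with your own, and the 85-day cutoff is an assumption taken from the copy window in Step 7.<\/p>

```kusto
// Added example for this post (not the author's queries). Run from the
// Log Analytics workspace; run the two queries separately.

// Query 1: a union that does not double count. Rows newer than the cutoff are
// read from the workspace, older rows from ADX. The 85-day cutoff is an
// assumption taken from the Step 7 copy window (blobs 85 days old are copied).
let cutoff = ago(85d);
union
    (CommonSecurityLog
        | where TimeGenerated >= cutoff),
    (adx('https://decxxxxplatformmgmtp.westeurope.kusto.windows.net/dedb-longterm-securitylogs').CommonSecurityLog
        | where TimeGenerated < cutoff)
| where DestinationIP == '13.69.67.61'
| summarize total = count() by SourceIP

// Query 2: per day, which store holds data, flagging overlap and gaps.
union
    (CommonSecurityLog
        | extend Store = 'LogAnalytics'),
    (adx('https://decxxxxplatformmgmtp.westeurope.kusto.windows.net/dedb-longterm-securitylogs').CommonSecurityLog
        | extend Store = 'ADX')
| where TimeGenerated > ago(120d)
// rows per store per day
| summarize Rows = count() by Store, Day = startofday(TimeGenerated)
// one row per day with the set of stores holding it and the row count per store
| summarize Stores = make_set(Store), RowsByStore = make_bag(bag_pack(Store, Rows)) by Day
| order by Day asc
| extend Overlap   = array_length(Stores) > 1,                  // held by both stores
         GapBefore = datetime_diff('day', Day, prev(Day)) > 1   // days missing before this one
```

<p class=\"wp-block-paragraph\">Overlap on the few days between the copy window and the end of workspace retention is expected and is exactly why Query 1 splits on a cutoff; a GapBefore on the ADX side, or a day that is in neither store, points at a copy run that failed or a window that was never processed. Both queries scan 120 days across two stores, so add a filter on DeviceVendor or a narrower time range on a busy workspace.<\/p>\n\n\n\n<p 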
class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 7: Production ready &#8211; enable Delete data<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When we are done testing, we need to do 2 things:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>enable deletion of the exported blobs in the Azure Storage Account after a successful copy to ADX<\/li>\n\n\n\n<li>enable the schedule, so the job runs daily<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Deleting blobs needs more than the <strong>Storage Blob Data Reader<\/strong> role granted in step 3.3: give the Data Factory&#8217;s managed identity <strong>Storage Blob Data Contributor<\/strong> on the storage account (or on the export container) first, otherwise the Delete activity fails with an authorization error.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We need to add an additional <strong>Delete<\/strong> activity<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"520\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete1-1024x520.jpg\" alt=\"\" class=\"wp-image-641\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete1-1024x520.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete1-300x152.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete1-768x390.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete1-1536x780.jpg 1536w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete1-2048x1040.jpg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now we need to link the 2 activities together, so that Delete only runs when Copy_Files finishes with the <strong>Succeeded<\/strong> status. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Drag the green Succeeded handle on the right-hand side of Copy_Files onto the Delete activity, and a connector is created between them.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"564\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete2-1024x564.jpg\" alt=\"\" class=\"wp-image-642\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete2-1024x564.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete2-300x165.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete2-768x423.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete2.jpg 1500w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Set Filter by last modified (Start time and End time, UTC) to the same one-day window in both the Copy and the Delete activity. The first expression is the start time and the second the end time, i.e. files last modified between 86 and 85 days ago:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>@adddays(utcnow(),-86)\n\n@adddays(utcnow(),-85)<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"662\" src=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete3-1024x662.jpg\" alt=\"\" class=\"wp-image-643\" srcset=\"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete3-1024x662.jpg 1024w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete3-300x194.jpg 300w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete3-768x497.jpg 768w, https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/delete3.jpg 1495w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Both activities must use exactly the same window. The Delete activity is only meant to remove the files that Copy_Files has just ingested; a wider or shifted window on Delete would remove exported data that never reached ADX. Also note that the window moves forward by one day per run: a run that fails or is skipped leaves that day&#8217;s files un-copied, and the next run will not pick them up on its own, so re-run the pipeline for that window rather than assuming it catches up.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Change the trigger (the schedule) so the job is started and runs daily. 
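<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As an added example (it is not the blog author&#8217;s own pipeline), here is the finished Step 7 pipeline and its daily trigger written out as an Azure Data Factory ARM template, the form the factory&#8217;s Code view or an ARM export produces. The pipeline, activity, trigger and dataset names are placeholders: <code>ds_export_json<\/code> (a JSON dataset on the Log Analytics export container) and <code>ds_adx_commonsecuritylog<\/code> (an Azure Data Explorer dataset on the CommonSecurityLog table) are assumed to exist already, and because JSON has no comments the notes are carried in the <code>description<\/code> fields. One detail is deliberately different from the filter expressions above: the window is computed from <code>pipeline().TriggerTime<\/code> instead of <code>utcnow()<\/code>, so Copy_Files and the Delete activity evaluate exactly the same start and end instant.<\/p>\n\n\n\n
```json
{
  \"$schema\": \"https:\/\/schema.management.azure.com\/schemas\/2019-04-01\/deploymentTemplate.json#\",
  \"contentVersion\": \"1.0.0.0\",
  \"parameters\": {
    \"factoryName\": { \"type\": \"string\" },
    \"triggerStartTime\": { \"type\": \"string\", \"defaultValue\": \"2023-01-16T02:00:00Z\" }
  },
  \"variables\": {
    \"pipelineName\": \"Copy_CommonSecurityLog_to_ADX\",
    \"windowStart\": \"@adddays(pipeline().TriggerTime,-86)\",
    \"windowEnd\": \"@adddays(pipeline().TriggerTime,-85)\"
  },
  \"resources\": [
    {
      \"type\": \"Microsoft.DataFactory\/factories\/pipelines\",
      \"apiVersion\": \"2018-06-01\",
      \"name\": \"[concat(parameters('factoryName'), '\/', variables('pipelineName'))]\",
      \"properties\": {
        \"description\": \"Example pipeline. ds_export_json and ds_adx_commonsecuritylog are placeholder dataset names assumed to exist already.\",
        \"activities\": [
          {
            \"name\": \"Copy_Files\",
            \"type\": \"Copy\",
            \"dependsOn\": [],
            \"policy\": { \"timeout\": \"0.12:00:00\", \"retry\": 0, \"retryIntervalInSeconds\": 30, \"secureOutput\": false, \"secureInput\": false },
            \"typeProperties\": {
              \"source\": {
                \"type\": \"JsonSource\",
                \"storeSettings\": {
                  \"type\": \"AzureBlobStorageReadSettings\",
                  \"recursive\": true,
                  \"wildcardFileName\": \"*.json\",
                  \"modifiedDatetimeStart\": { \"value\": \"[variables('windowStart')]\", \"type\": \"Expression\" },
                  \"modifiedDatetimeEnd\": { \"value\": \"[variables('windowEnd')]\", \"type\": \"Expression\" }
                },
                \"formatSettings\": { \"type\": \"JsonReadSettings\" }
              },
              \"sink\": { \"type\": \"AzureDataExplorerSink\" }
            },
            \"inputs\": [ { \"referenceName\": \"ds_export_json\", \"type\": \"DatasetReference\" } ],
            \"outputs\": [ { \"referenceName\": \"ds_adx_commonsecuritylog\", \"type\": \"DatasetReference\" } ]
          },
          {
            \"name\": \"Delete_Copied_Files\",
            \"type\": \"Delete\",
            \"description\": \"Runs only when Copy_Files succeeded and uses the identical window, so it never removes files that were not ingested.\",
            \"dependsOn\": [ { \"activity\": \"Copy_Files\", \"dependencyConditions\": [ \"Succeeded\" ] } ],
            \"typeProperties\": {
              \"dataset\": { \"referenceName\": \"ds_export_json\", \"type\": \"DatasetReference\" },
              \"enableLogging\": false,
              \"storeSettings\": {
                \"type\": \"AzureBlobStorageReadSettings\",
                \"recursive\": true,
                \"wildcardFileName\": \"*.json\",
                \"modifiedDatetimeStart\": { \"value\": \"[variables('windowStart')]\", \"type\": \"Expression\" },
                \"modifiedDatetimeEnd\": { \"value\": \"[variables('windowEnd')]\", \"type\": \"Expression\" }
              }
            }
          }
        ]
      }
    },
    {
      \"type\": \"Microsoft.DataFactory\/factories\/triggers\",
      \"apiVersion\": \"2018-06-01\",
      \"name\": \"[concat(parameters('factoryName'), '\/Daily_CommonSecurityLog_to_ADX')]\",
      \"dependsOn\": [ \"[resourceId('Microsoft.DataFactory\/factories\/pipelines', parameters('factoryName'), variables('pipelineName'))]\" ],
      \"properties\": {
        \"description\": \"Daily at 02:00 UTC. runtimeState Started means the trigger is live as soon as the template is deployed.\",
        \"type\": \"ScheduleTrigger\",
        \"runtimeState\": \"Started\",
        \"typeProperties\": {
          \"recurrence\": {
            \"frequency\": \"Day\",
            \"interval\": 1,
            \"startTime\": \"[parameters('triggerStartTime')]\",
            \"timeZone\": \"UTC\",
            \"schedule\": { \"hours\": [ 2 ], \"minutes\": [ 0 ] }
          }
        },
        \"pipelines\": [ { \"pipelineReference\": { \"referenceName\": \"[variables('pipelineName')]\", \"type\": \"PipelineReference\" } } ]
      }
    }
  ]
}
```
\n\n\n\n<p class=\"wp-block-paragraph\">Why <code>pipeline().TriggerTime<\/code> rather than <code>utcnow()<\/code>: each activity evaluates its expressions when it starts, so with <code>utcnow()<\/code> the Delete window lags the Copy window by however long the copy took, and a file whose last-modified time lands in that gap is deleted without ever having been copied. Deriving both windows from one trigger time, and from one template variable, closes that gap. For an audit trail of what was removed, switch <code>enableLogging<\/code> to true and point <code>logStorageSettings<\/code> at a separate storage account. Deploy with <code>az deployment group create --resource-group &lt;rg&gt; --template-file pipeline.json --parameters factoryName=&lt;factory&gt;<\/code>; an ARM deployment writes straight to the factory&#8217;s live resources, so no separate publish step is needed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">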
If needed, rename the trigger so that it is clear which pipeline it runs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lastly, publish the pipeline and the trigger (nothing runs until the changes are published) &#8211; and we are done \ud83d\ude42<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"design-considerations\">Design considerations<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">When storing your Microsoft Sentinel data in Azure Data Explorer, consider the following elements:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Consideration<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><strong>Cluster size and SKU<\/strong><\/td><td>Plan carefully for the number of nodes and the VM SKU in your cluster. These factors determine the amount of processing power and the size of your hot cache (SSD and memory). The bigger the cache, the more data you can query at higher performance.<br><br>Use the&nbsp;<a href=\"https:\/\/dataexplorer.azure.com\/AzureDataExplorerCostEstimator.html\">Azure Data Explorer sizing calculator<\/a> to try different configurations and see the resulting cost.<br><br>Azure Data Explorer also has an autoscale capability that adds or removes nodes as needed based on cluster load. For more information, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/data-explorer\/manage-cluster-horizontal-scaling\">Manage cluster horizontal scaling (scale out) in Azure Data Explorer to accommodate changing demand<\/a>.<\/td><\/tr><tr><td><strong>Hot\/cold cache<\/strong><\/td><td>Azure Data Explorer lets you control which tables, and how many days of each, are kept in the hot cache, where queries return results faster. 
If you have large amounts of data in your Azure Data Explorer cluster, you may want to break down tables by month, so that you have greater granularity on the data that&#8217;s present in your hot cache.<br><br>For more information, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/data-explorer\/kusto\/management\/cachepolicy\">Cache policy (hot and cold cache)<\/a><\/td><\/tr><tr><td><strong>Retention<\/strong><\/td><td>In Azure Data Explorer, you can configure when data is removed from a database or an individual table, which is also an important part of limiting storage costs.<br><br>For more information, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/data-explorer\/kusto\/management\/retentionpolicy\">Retention policy<\/a>.<\/td><\/tr><tr><td><strong>Security<\/strong><\/td><td>Several Azure Data Explorer settings can help you protect your data, such as identity management, encryption, and so on. Specifically for role-based access control (RBAC), Azure Data Explorer can be configured to restrict access to databases, tables, or even rows within a table. For more information, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/data-explorer\/security\">Security in Azure Data Explorer<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/data-explorer\/kusto\/management\/rowlevelsecuritypolicy\">Row level security<\/a>.<\/td><\/tr><tr><td><strong>Data sharing<\/strong><\/td><td>Azure Data Explorer allows you to make pieces of data available to other parties, such as partners or vendors, and even buy data from other parties. 
For more information, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/data-explorer\/data-share\">Use Azure Data Share to share data with Azure Data Explorer<\/a>.<\/td><\/tr><tr><td><strong>Other cost components<\/strong><\/td><td>On top of the Azure Data Explorer cluster itself, consider the other cost components of the two export methods:<br><br><strong>Exporting data via an Azure Event Hub<\/strong>:<br>&#8211; Log Analytics data export, charged per exported GB.<br>&#8211; Event Hub, charged per throughput unit.<br><br><strong>Exporting data via Azure Storage and Azure Data Factory<\/strong>:<br>&#8211; Log Analytics data export, charged per exported GB.<br>&#8211; Azure Storage, charged per GB stored (plus transactions).<br>&#8211; Azure Data Factory, charged per activity run (Copy and Delete) and, for the Copy activity, per data integration unit hour.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog is about keeping long-term Sentinel logs, giving you insight to the options today &#8211; with great opportunities to &#8230; <\/p>\n<p class=\"read-more-container\"><a title=\"How to save $$$ by storing your Syslog and Defender for Endpoint long-term logs in Azure Data Explorer cluster using Azure Data Factory and Azure Storage Account export \u2013 while keeping Kusto query functionalities ?\" class=\"read-more button\" href=\"https:\/\/mortenknudsen.net\/?p=575#more-575\" aria-label=\"Read more about How to save $$$ by storing your Syslog and Defender for Endpoint long-term logs in Azure Data Explorer cluster using Azure Data Factory and Azure Storage Account export \u2013 while keeping Kusto query functionalities ?\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":658,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"ngg_post_thumbnail":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[54,42,58],"tags":[117,116,18,104,113,5,9,115,114,112,24],"class_list":["post-575","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-loganalytics","category-defender-for-endpoint","category-sentinel","tag-adf","tag-adx","tag-azure","tag-cost","tag-log","tag-loganalytics","tag-logging","tag-long-term","tag-longterm","tag-retention","tag-sentinel","infinite-scroll-item","resize-featured-image"],"featured_image_src":"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/ingest-data-to-adx-via-azure-storage-azure-data-factory.jpg","author_info":{"display_name":"Morten 
Knudsen","author_link":"https:\/\/mortenknudsen.net\/?author=1"},"jetpack_featured_media_url":"https:\/\/mortenknudsen.net\/wp-content\/uploads\/2023\/01\/ingest-data-to-adx-via-azure-storage-azure-data-factory.jpg","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts\/575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=575"}],"version-history":[{"count":65,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts\/575\/revisions"}],"predecessor-version":[{"id":771,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/posts\/575\/revisions\/771"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=\/wp\/v2\/media\/658"}],"wp:attachment":[{"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mortenknudsen.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}