Sentinel – Change Table Retention via ARM

Today we are going to cover how to change an individual table's data retention. I am not the first to write about this, but this is my take on things. I will also be referring to other sites to pull information from and will acknowledge those sites. There are a couple of methods, ARM and Workbooks; in this article we will be covering ARM. There are many use cases for this, but enough of that, let's get to it.

First we need an ARM template. There are other methods to do this, but I am going to stick with ARM. The following site is the original content creator. I have also created a repository for you to get it from.

First we need to pick the table we want to change. One easy way is to go into the Log Analytics workspace for Sentinel and click on Tables within the blade. Search for the table name and you can see its current retention.

Once you have the information, go to Custom deployment in the Azure Portal.

Click on Build your own template in the editor.

Now just delete what is in there and copy over the ARM template. I always suggest opening it in RAW view and copying it from there.

It will look something like this.

Click Save, after you do that, the screen will show this.

Fill out the form. It will look something like this. You will need to get the name of the table you want to change. In this example, I am changing the ThreatIntelligenceIndicator table to 7 days. You can get the name of the table when you go into Log Analytics workspace and click on Tables within the blade.

Click Review and Create, then Create. It should look something like this once it is complete.

To verify the setting has taken effect you can go back into Log Analytics and click on Tables and view the change.
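The steps above are done by hand in the portal's Custom deployment blade. As an added example that is not the post's own template or repository code, the following Python builds the same kind of ARM template (one `Microsoft.OperationalInsights/workspaces/tables` resource that sets `retentionInDays`), writes a matching parameters file for the ThreatIntelligenceIndicator table at 7 days, and refuses values outside the 4 to 730 day window before anything is sent to Azure. The API version string, the resource type and the property name are assumptions taken from the Azure ARM reference as I recall it, and the workspace name is a placeholder; check them against your tenant before deploying.

```python
"""Build an ARM template plus parameters file that sets per-table retention
in a Log Analytics (Sentinel) workspace."""
import json

# Resource type and API version for per-table settings in a Log Analytics
# workspace. Both are assumptions from the ARM reference; verify before use.
TABLE_RESOURCE_TYPE = "Microsoft.OperationalInsights/workspaces/tables"
TABLES_API_VERSION = "2022-10-01"

# Interactive retention window ARM accepts for a single table, in days.
MIN_RETENTION_DAYS = 4
MAX_RETENTION_DAYS = 730


def retention_is_valid(days: int) -> bool:
    """True when `days` lies inside the 4..730 window the template allows."""
    return isinstance(days, int) and MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS


def build_retention_template() -> dict:
    """Return the ARM template: one workspaces/tables resource driven by parameters."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "workspaceName": {"type": "string"},
            "tableName": {"type": "string"},
            "retentionInDays": {
                "type": "int",
                # Constrain the value at the template level too, so a typo in the
                # portal form fails validation rather than deploying.
                "minValue": MIN_RETENTION_DAYS,
                "maxValue": MAX_RETENTION_DAYS,
                "metadata": {"description": "Interactive retention for the table, in days."},
            },
        },
        "resources": [
            {
                "type": TABLE_RESOURCE_TYPE,
                "apiVersion": TABLES_API_VERSION,
                # A child resource is named <workspace>/<table>.
                "name": "[concat(parameters('workspaceName'), '/', parameters('tableName'))]",
                "properties": {"retentionInDays": "[parameters('retentionInDays')]"},
            }
        ],
    }


def build_parameters_file(workspace_name: str, table_name: str, retention_days: int) -> dict:
    """Return an ARM parameters file; raises ValueError before anything reaches Azure."""
    if not retention_is_valid(retention_days):
        raise ValueError(
            f"retentionInDays must be {MIN_RETENTION_DAYS}..{MAX_RETENTION_DAYS}, got {retention_days!r}"
        )
    if not table_name or "/" in table_name:
        raise ValueError("table name must be a single segment such as 'ThreatIntelligenceIndicator'")
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "workspaceName": {"value": workspace_name},
            "tableName": {"value": table_name},
            "retentionInDays": {"value": retention_days},
        },
    }


def planned_change(params: dict) -> str:
    """One-line summary of what the deployment will do, handy for a change record."""
    p = params["parameters"]
    return (
        f"{p['workspaceName']['value']}/{p['tableName']['value']}"
        f" -> retentionInDays={p['retentionInDays']['value']}"
    )


if __name__ == "__main__":
    # Constructed values: the workspace name is a placeholder; the table and the
    # 7-day value match the example in the post.
    template = build_retention_template()
    params = build_parameters_file("my-sentinel-workspace", "ThreatIntelligenceIndicator", 7)
    with open("table-retention.json", "w") as f:
        json.dump(template, f, indent=2)
    with open("table-retention.parameters.json", "w") as f:
        json.dump(params, f, indent=2)
    print(planned_change(params))
    # To deploy from the CLI instead of the Custom deployment blade:
    #   az deployment group create --resource-group <rg> \
    #     --template-file table-retention.json \
    #     --parameters @table-retention.parameters.json
```

Keeping the retention range check both in the script and in the template's `minValue`/`maxValue` means a mistyped value is rejected before deployment rather than discovered afterwards in the Tables blade; the `planned_change` line gives you something to paste into the change record for the verification step.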

This was just one method and a quick how-to. Hope you enjoyed it.
