This chapter covers Log Analytics Workspace for Security, a core component of Azure Monitor that aggregates, stores, and analyzes log data from across your Azure environment. For the AZ-500 exam, this topic is critical because it underpins security monitoring, threat detection, and incident response—approximately 15-20% of the Security Operations domain (Objective 4.2) focuses on log management and analysis. You will be tested on workspace design, data collection, retention policies, Kusto Query Language (KQL) for security queries, and integration with Azure Sentinel (now Microsoft Sentinel). Mastery of these concepts is essential for passing the exam and for real-world security operations.
Jump to a section
Think of a Log Analytics workspace as a high-tech security command center for a large corporate campus. The campus has hundreds of buildings (Azure resources), each with its own security cameras, badge readers, and alarms (data sources). All these devices generate streams of events—video feeds, access logs, sensor alerts—that need to be collected, stored, and analyzed. The command center is a central room with a massive wall of screens (dashboards) and a team of analysts (Kusto queries). Each data source sends its events to a specific input panel (data collection endpoint) on the command center wall. The events are then stored in a massive filing system (tables) organized by type—one cabinet for security camera logs, another for badge reader logs, etc. The filing system uses a standardized index card format (schema) so any analyst can quickly find what they need. When an incident occurs, analysts run queries (KQL) to correlate events across different cabinets—for example, cross-referencing badge access times with security camera footage to identify a tailgating event. The command center also has an automated alerting system that watches for specific patterns (query-based alerts) and pages the security team when a suspicious sequence is detected. Just as a command center must be properly sized to handle the volume of incoming data and retain historical records for compliance, the Log Analytics workspace must be configured with appropriate retention and archiving policies. Without a well-organized command center, critical clues can be missed—the same is true for a poorly configured workspace.
What is a Log Analytics Workspace?
A Log Analytics workspace is a unique environment for log data in Azure Monitor. It serves as the central repository where diagnostic logs, activity logs, metrics, and other telemetry from Azure resources are collected, stored, and analyzed. Each workspace has its own data repository, configuration, and permissions. Data is stored in tables, each with a predefined schema, and can be queried using Kusto Query Language (KQL). The workspace is the foundation for Azure Monitor features like alerts, dashboards, and workbooks, and it is the primary data store for Microsoft Sentinel.
Why It Exists for Security
Security operations require centralized logging to detect threats, investigate incidents, and meet compliance requirements. Without a Log Analytics workspace, logs would be scattered across individual resources, making correlation nearly impossible. The workspace provides a single pane of glass for security monitoring, enabling:
Correlation of events from multiple sources (e.g., Azure Activity logs, NSG flow logs, Windows Event Logs)
Long-term retention for forensic analysis (up to 730 days by default, extendable to 7 years via data archiving)
Role-based access control (RBAC) to restrict sensitive log data
Integration with Azure Sentinel for SIEM capabilities
How It Works Internally
Data flows into a Log Analytics workspace through several ingestion paths: 1. Azure Diagnostics – Azure resources (VMs, App Services, etc.) can send diagnostic data directly to the workspace using Azure Diagnostics extension or via Azure Monitor agent. 2. Azure Activity Log – Subscription-level events (e.g., resource creation, policy actions) are automatically sent to the workspace when configured. 3. Data Connectors – Microsoft Sentinel uses connectors to ingest logs from Microsoft 365, Azure AD, firewalls, and other sources. 4. HTTP Data Collector API – Custom applications can push data using a REST API with a workspace ID and key.
Once ingested, data is processed and stored in tables. Each table has a fixed schema defined by the data source. For example, the AzureActivity table contains columns like OperationName, Caller, Status, etc. The workspace uses a columnar storage format optimized for analytics. Data is automatically indexed based on the schema, and you can create custom fields using custom logs.
Key Components, Values, Defaults, and Timers
Workspace ID and Key – Every workspace has a unique ID and two access keys (primary and secondary) used for authentication when sending data via API.
Data Retention – Default is 30 days for workspaces in the Free tier (legacy) and 31 days for workspaces in Pay-as-you-go tier. You can configure retention up to 730 days (2 years). For longer retention, use data archiving (cold storage) with retrieval fees.
Data Ingestion Limits – Pay-as-you-go tier has no daily cap, but you can set a daily cap to limit costs. The default daily cap is unlimited. When the cap is reached, data ingestion stops for the day (except for some critical data types like Azure Activity logs).
Data Export – You can export data to Azure Storage or Event Hubs for long-term retention or real-time streaming. Export rules use KQL queries to filter data.
Kusto Query Language (KQL) – The query language used to retrieve and analyze data. It is read-only and optimized for large datasets. Key operators include where, summarize, join, union, and extend.
Workspace Pricing Tier – Pay-as-you-go (Per GB) is the default. There is also a Capacity Reservation tier for predictable workloads. The Free tier is limited to 5 GB/day and 7-day retention (not recommended for production).
Linked Servers – You can link a workspace to a Log Analytics workspace in another region for cross-workspace queries (using workspace() function).
Configuration and Verification Commands
To create a Log Analytics workspace via Azure CLI:
az monitor log-analytics workspace create --resource-group MyResourceGroup --workspace-name MyWorkspace --location eastus --sku PerGB2018To set retention to 365 days:
az monitor log-analytics workspace update --resource-group MyResourceGroup --workspace-name MyWorkspace --retention-time 365To view workspace details:
az monitor log-analytics workspace show --resource-group MyResourceGroup --workspace-name MyWorkspaceTo query data using KQL (example from Azure Portal or using REST API):
AzureActivity
| where TimeGenerated > ago(7d)
| where OperationName == "Create Virtual Machine"
| project TimeGenerated, Caller, ResourceGroupHow It Interacts with Related Technologies
Azure Sentinel – Sentinel is a SIEM that sits on top of Log Analytics. Each Sentinel workspace is essentially a Log Analytics workspace with additional security features enabled. Sentinel uses the same KQL queries for detection rules and hunting.
Azure Monitor – The workspace is the store for Azure Monitor logs. Metrics are stored separately (in Metrics database), but logs from Azure Monitor (e.g., VM metrics sent to Log Analytics) are stored in the workspace.
Azure Policy – You can use Azure Policy to enforce deployment of Log Analytics workspaces and agents across resources, ensuring compliance.
Azure Storage – Diagnostic settings can send logs to both a workspace and a storage account simultaneously. Storage is often used for long-term archival at lower cost.
Event Hubs – Logs can be streamed to Event Hubs for real-time processing by third-party tools.
Security Considerations
RBAC – Workspace-level permissions control who can read/write data. Table-level RBAC allows restricting access to specific tables (e.g., only security admins can query SecurityEvent table).
Data Encryption – Data is encrypted at rest using Microsoft-managed keys by default. Customer-managed keys (CMK) can be configured for additional compliance.
Network Isolation – Workspaces can be configured to use private endpoints, preventing data from traversing the public internet.
Auditing – Workspace audit logs track configuration changes and query execution (for diagnostic purposes).
Common Pitfalls
Daily Cap – Setting a daily cap too low can cause data loss. Critical security logs may be dropped. Always monitor the _LogOperation table for ingestion warnings.
Retention Mismatch – Not setting retention long enough for compliance (e.g., 1 year for PCI DSS). Use data archiving to extend beyond 2 years.
Schema Drift – Custom logs with inconsistent schema can cause query failures. Use datatable operator or parse operators to handle variations.
Cross-Workspace Queries – Using workspace() function across regions can incur egress costs and latency.
Advanced Features
Intelligent Analytics – Azure Monitor uses machine learning to detect anomalies in log data, such as sudden spikes in failed logins.
Workbooks – Interactive reports that combine multiple queries and visualizations. Security workbooks are pre-built for common scenarios.
Log Analytics Agent vs. Azure Monitor Agent – The new Azure Monitor Agent (AMA) is the preferred agent for collecting data from VMs. It supports Windows, Linux, and multi-homing (sending to multiple workspaces).
Summary of Defaults
Retention: 30 days (Free) or 31 days (Pay-as-you-go)
Daily cap: Unlimited
Ingestion: Up to 1 GB/min per workspace (soft limit)
Query timeout: 10 minutes for interactive queries
Maximum query results: 500,000 rows (default) or 64 MB
For the exam, remember these numbers and the fact that you can increase retention up to 730 days, and beyond that use data export to Storage.
Create Log Analytics Workspace
Navigate to Azure Portal > Log Analytics workspaces > Add. Provide subscription, resource group, name, and region. Choose pricing tier (PerGB2018 recommended for production). The workspace ID and keys are generated automatically. This step establishes the container for all log data. For security, ensure the workspace is in the same region as most resources to minimize latency and egress costs. The workspace name must be globally unique within a resource group.
Configure Data Sources
Connect Azure resources to send logs to the workspace. For VMs, install the Azure Monitor Agent (AMA) via Azure Policy or manually. For Azure services, configure diagnostic settings to stream logs to the workspace. For example, for Azure SQL Database, enable diagnostic settings to send QueryStoreRuntimeStatistics and ErrorEvents to the workspace. Each data source maps to a specific table (e.g., `AzureDiagnostics` for many Azure services). Verify data ingestion by running a simple query like `AzureDiagnostics | take 10`.
Set Retention and Archiving
By default, data is retained for 31 days (Pay-as-you-go). To meet compliance, increase retention to 730 days via the workspace's Data Retention blade. For longer retention, enable data archiving to Azure Storage or Event Hubs. Archiving uses a KQL query to filter data. For example, archive all `SecurityEvent` data older than 90 days to a storage account. The archived data is stored in JSON or Parquet format and can be retrieved later (with retrieval cost).
Implement RBAC for Security
Use Azure RBAC to control access to the workspace. Assign roles like Log Analytics Reader (read data) or Log Analytics Contributor (create queries and alerts). For granular control, use table-level RBAC: restrict sensitive tables (e.g., `SecurityEvent`) to specific security teams. This prevents unauthorized users from viewing raw security logs. Also, configure workspace-level locks to prevent accidental deletion.
Create Security Alerts
Create alert rules based on KQL queries. For example, detect multiple failed logins: `SecurityEvent | where EventID == 4625 | summarize Count = count() by Account, bin(TimeGenerated, 5m) | where Count > 5`. Set the alert frequency (e.g., every 5 minutes) and action group (e.g., email, SMS, webhook). Use Azure Sentinel for advanced detection rules like fusion (machine learning) or scheduled queries. Test alerts with sample data to ensure they trigger correctly.
Enterprise Scenario 1: Centralized Security Monitoring for a Multi-Subscription Environment
A large enterprise with 50+ Azure subscriptions needs to monitor security events across all subscriptions. They deploy a single Log Analytics workspace in a central subscription and configure diagnostic settings on all resources to send logs to this workspace. They use Azure Policy to enforce the deployment of the Azure Monitor Agent on all VMs and enable diagnostic settings on key services (e.g., Azure SQL, Key Vault). The workspace receives over 100 GB of data per day. To manage costs, they set a daily cap of 200 GB and configure data archiving for data older than 90 days to a storage account. They use cross-workspace queries (using workspace() function) to correlate events from other workspaces used by isolated teams. The security team uses KQL to detect brute-force attacks across all subscriptions by querying the SigninLogs table from Azure AD connector. One common issue is that the daily cap is reached too early, causing critical logs to be dropped. They mitigate this by setting the cap to a higher value and monitoring the _LogOperation table for ingestion failures. They also use table-level RBAC to restrict access to SecurityEvent and SigninLogs tables to the SOC team only.
Enterprise Scenario 2: Compliance Logging for Healthcare (HIPAA)
A healthcare organization must retain diagnostic logs for 6 years to comply with HIPAA. They use a Log Analytics workspace with 730-day retention and configure data export to an Azure Storage account for long-term archival. They set up a daily export rule that moves logs older than 2 years to a cold storage tier (Azure Blob Storage - Cool or Archive). They also use customer-managed keys (CMK) for encryption to meet compliance requirements. The workspace is configured with private endpoints to ensure logs never traverse the internet. They encounter a problem where the export rule fails because the KQL query is too complex—they simplify it to filter on TimeGenerated only. They also set up alerts for any failed export jobs. The security team runs quarterly queries on archived data by restoring it to a staging workspace (paying retrieval fees). They use Azure Policy to audit that all resources have diagnostic settings enabled and that the workspace is using CMK.
Enterprise Scenario 3: Multi-Workspace Strategy for a Global Company
A global company with operations in multiple regions decides to use a separate Log Analytics workspace per region to keep data local for compliance (e.g., GDPR). They use Azure Sentinel in each region but also need a central view for global threat hunting. They use cross-workspace queries in Azure Sentinel workbooks to combine data from all workspaces. They also configure a central workspace for Azure Activity Logs from all subscriptions. The challenge is managing multiple workspaces: they use Azure Lighthouse to delegate permissions across tenants. They also set up a log analytics workspace for each business unit with its own retention and RBAC. They find that querying across workspaces is slow, so they use materialized views (via Azure Data Explorer) for common aggregations. They also use Azure Monitor Workbooks to create a single dashboard that queries all workspaces using the workspace() function. The key lesson is to plan the workspace architecture carefully to balance performance, cost, and compliance.
Exactly What AZ-500 Tests on This Topic
The AZ-500 exam (Objective 4.2: Configure and manage security monitoring and automation solutions) tests your ability to design and configure Log Analytics workspaces for security. Specific sub-objectives include: - 4.2.1 – Configure Log Analytics workspace for security: workspace creation, pricing tier, retention, and data sources. - 4.2.2 – Manage access to Log Analytics workspace: RBAC, table-level RBAC, workspace keys. - 4.2.3 – Configure data collection: Azure Monitor Agent, diagnostic settings, data connectors for Sentinel. - 4.2.4 – Query logs using KQL: basic filtering, aggregation, joining tables, and creating alerts. - 4.2.5 – Configure data retention and archiving: setting retention, exporting to storage, daily cap.
Common Wrong Answers and Why Candidates Choose Them
Wrong answer: 'Log Analytics workspace can store data indefinitely without additional cost.' – Candidates assume retention is unlimited because they see '730 days' as a maximum. Reality: 730 days is the max for hot storage; beyond that you must export to cold storage (additional cost). The exam tests this with a question about extending retention beyond 2 years.
Wrong answer: 'To collect logs from a VM, you must use the Log Analytics agent (Microsoft Monitoring Agent).' – Many candidates are still familiar with the old agent. The exam now focuses on the Azure Monitor Agent (AMA) as the recommended agent. The MMA is deprecated. The exam will present scenarios where you need to choose the correct agent.
Wrong answer: 'Setting a daily cap ensures no data is lost; it only delays ingestion.' – Actually, when the daily cap is reached, data ingestion stops entirely (except for some critical data types). This can cause permanent data loss. The exam expects you to know that the daily cap is a cost control measure that can result in missing security logs.
Wrong answer: 'You can use RBAC at the table level by default without any additional configuration.' – Table-level RBAC must be explicitly configured using custom roles. The exam tests whether you know the difference between workspace-level RBAC (built-in roles) and table-level RBAC (custom roles).
Specific Numbers, Values, and Terms That Appear Verbatim
Retention default: 31 days (Pay-as-you-go), 30 days (Free)
Maximum retention: 730 days (2 years)
Daily cap: Unlimited by default, can be set (in GB). When reached, ingestion stops.
Pricing tiers: Free (5 GB/day, 7-day retention), PerGB2018 (pay-as-you-go), Capacity Reservations
KQL operators: where, summarize, join, union, extend, project, take, count
Tables: AzureActivity, AzureDiagnostics, SecurityEvent, SigninLogs, CommonSecurityLog
Agent: Azure Monitor Agent (AMA), not MMA (Microsoft Monitoring Agent)
Edge Cases and Exceptions
Workspace in a different region – Ingesting data from resources in another region incurs egress charges. The exam may test whether you know to place the workspace in the same region as the majority of resources.
Multiple workspaces – A VM can send data to multiple workspaces (multi-homing) with the AMA. The exam may ask whether this is possible (yes).
Data export to Event Hubs – Used for real-time streaming. The exam may compare this to storage export (batch).
Legacy Free tier – Still exists but not recommended. The exam may ask about its limitations (5 GB/day, 7-day retention).
How to Eliminate Wrong Answers
If the question asks about 'long-term retention beyond 2 years', look for 'export to Azure Storage' – not 'increase retention' (max 730 days).
If the question involves 'agent for VM', the correct answer is 'Azure Monitor Agent' – not 'Log Analytics agent' (MMA) unless the scenario specifically mentions legacy.
If the question involves 'data loss prevention', remember that daily cap can cause data loss. The correct mitigation is to increase the cap or use a separate workspace for critical logs.
If the question involves 'access control to specific tables', the answer must include 'custom role with table-level RBAC' – not just built-in Reader role.
A Log Analytics workspace is the central repository for log data in Azure Monitor and the foundation for Microsoft Sentinel.
Default data retention is 31 days for Pay-as-you-go; maximum is 730 days. For longer retention, export to Azure Storage.
The daily cap, when reached, stops data ingestion and can cause loss of security logs—monitor the `_LogOperation` table.
Use the Azure Monitor Agent (AMA) for VM log collection; the legacy Log Analytics agent (MMA) is deprecated.
Table-level RBAC requires custom roles; built-in roles only provide workspace-level access.
Cross-workspace queries use the `workspace()` function and can incur egress costs if workspaces are in different regions.
KQL is the query language for Log Analytics; key operators include `where`, `summarize`, `join`, and `project`.
Diagnostic settings on Azure resources send logs to the workspace; configure them for all critical services.
Data can be exported to Event Hubs for real-time streaming or to Storage for batch archival.
Workspace pricing tiers: Free (5 GB/day, 7-day retention), PerGB2018 (pay-as-you-go), Capacity Reservations.
These come up on the exam all the time. Here's how to tell them apart.
Log Analytics Workspace
Optimized for real-time querying and analytics using KQL
Supports alerting based on log data
Built-in integration with Azure Sentinel and other Azure services
Higher cost per GB for storage and ingestion
Maximum hot retention of 730 days
Azure Storage for Logs
Low-cost long-term archival storage
No native querying; must export to Log Analytics or use Azure Data Lake
Supports any retention period (indefinite)
Lower storage cost, but retrieval and processing costs apply
Ideal for compliance and backup of logs
Mistake
Log Analytics workspace can store data for an unlimited time.
Correct
The maximum retention for hot storage is 730 days (2 years). For longer retention, you must export data to Azure Storage or Event Hubs, which incurs additional costs.
Mistake
The daily cap is a safety measure to prevent overspending without data loss.
Correct
When the daily cap is reached, data ingestion stops for the day (except for some critical data types like Azure Activity logs). This can result in permanent loss of security logs.
Mistake
The Log Analytics agent (MMA) is the only agent for collecting VM logs.
Correct
The Azure Monitor Agent (AMA) is the current recommended agent. The MMA is deprecated. The exam focuses on AMA.
Mistake
Table-level RBAC is enabled by default for all tables.
Correct
Table-level RBAC must be explicitly configured using custom roles. By default, only workspace-level RBAC (e.g., Log Analytics Reader) is available.
Mistake
You cannot send data from a VM to multiple Log Analytics workspaces.
Correct
With the Azure Monitor Agent, you can configure multi-homing to send data to multiple workspaces simultaneously.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
You cannot extend hot retention beyond 730 days. To keep data longer, configure data export to Azure Storage. Go to the workspace > Data Export > Add export rule. Specify a KQL query to filter data (e.g., `SecurityEvent | where TimeGenerated < ago(730d)`) and a storage account. The exported data is stored in JSON or Parquet format. You can later re-ingest it into a workspace for analysis (with retrieval fees).
When the daily cap is reached, data ingestion stops for the rest of the day. This applies to all data types except for some critical ones like Azure Activity logs and some security logs (depending on configuration). Data is permanently lost—it is not queued or delayed. To avoid this, set the cap high enough for your needs, monitor the `_LogOperation` table for warnings, and consider using a separate workspace for critical security logs.
The Log Analytics agent (Microsoft Monitoring Agent) is the legacy agent, now deprecated. The Azure Monitor Agent (AMA) is the current recommended agent. AMA supports multi-homing (sending to multiple workspaces), uses a single agent for both logs and metrics, and has better performance and security. It uses data collection rules (DCRs) to define what data to collect. For the exam, always choose AMA unless the question explicitly mentions legacy scenarios.
Yes, use the `workspace()` function. For example: `workspace('WorkspaceID1').SecurityEvent | union workspace('WorkspaceID2').SecurityEvent`. This allows cross-workspace queries. However, note that this can incur egress costs if workspaces are in different regions, and there may be performance overhead. For frequent cross-workspace queries, consider using Azure Data Explorer or a single workspace architecture.
Use table-level RBAC by creating a custom role. First, create a custom role in Azure RBAC with permissions for `Microsoft.OperationalInsights/workspaces/tables/read`. Then assign that role to users or groups. In the workspace, go to Tables > Manage table > Set permissions. You can grant read access to specific tables (e.g., `SecurityEvent`) while denying access to others. Note that built-in roles like Log Analytics Reader grant access to all tables.
For the Pay-as-you-go tier (PerGB2018), default retention is 31 days. The Free tier has 7-day retention and a 5 GB/day limit. You can increase retention up to 730 days at additional cost. Pricing is based on data ingested (per GB) and data retention (per GB per month). Capacity Reservations offer discounts for committed usage. For the exam, remember the default 31 days and the maximum 730 days.
Use the HTTP Data Collector API. You need the workspace ID and one of the workspace keys (primary or secondary). Send a POST request to `https://<workspace-id>.ods.opinsights.azure.com/api/logs?api-version=2016-04-01` with a JSON payload containing a custom log name and records. The data appears in a custom table named `<CustomLogName>_CL`. Ensure the payload is in valid JSON and does not exceed 30 MB per request.
You've just covered Log Analytics Workspace for Security — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?