This chapter covers the design and configuration of Log Analytics workspaces specifically for security monitoring in Azure. Log Analytics workspaces are the core data repository for Azure Monitor, Azure Sentinel, and Microsoft Defender for Cloud, making them critical for security operations. On the AZ-500 exam, approximately 10-15% of questions touch on this topic area, including workspace architecture, data collection, retention, and integration with security services. Mastering this chapter will help you answer questions about cost optimization, data isolation, and query performance.
Jump to a section
Think of a Log Analytics workspace as the central security hub in a large corporate building. Every floor (Azure resource) has its own security cameras (diagnostic settings) that send video feeds (logs) to the hub. The hub has multiple storage rooms (tables) organized by type: one for access logs, one for system logs, one for network logs. Security analysts (queries) can go to any room and review footage. The hub also has a special filter (data collection rules) that can blur faces or remove irrelevant footage before storage to save space. When an incident occurs, the hub can alert the main security office (Azure Sentinel) which then triggers automated responses. The hub is designed to handle feeds from thousands of cameras across multiple buildings (subscriptions) and can retain footage for a set number of days (retention period) before automatically deleting it. If the hub runs out of storage space, it stops accepting new feeds, so you must monitor its capacity carefully.
What is a Log Analytics Workspace?
A Log Analytics workspace is a logical container in Azure that stores log data from various sources, including Azure resources, on-premises machines, and third-party solutions. It is the foundation for Azure Monitor logs, Azure Sentinel, and Microsoft Defender for Cloud. Each workspace has its own data repository, configuration, and permissions. Data is organized into tables, each with a specific schema. Workspaces are region-specific; data is stored in the region where the workspace is created.
Why It Exists for Security
Security operations require centralized logging for threat detection, investigation, and compliance. Log Analytics workspaces provide a scalable, cost-effective way to ingest, store, and query massive volumes of log data. They enable cross-resource querying, allowing security analysts to correlate events from multiple Azure services, such as Azure Active Directory sign-in logs, Azure Activity logs, and virtual machine security events. Without a workspace, logs would remain siloed in each resource, making holistic security monitoring impossible.
How It Works Internally
When a data source sends logs to a Log Analytics workspace, the data is ingested via the Azure Monitor data pipeline. The ingestion process involves: - Authentication: The source (e.g., a VM with the Log Analytics agent) authenticates using a workspace ID and key or managed identity. - Data Collection: The agent collects logs based on data collection rules (DCR) or legacy configuration. Data is sent to the ingestion endpoint. - Processing: The data pipeline processes the logs, applies any transformations (e.g., filtering, enrichment), and routes them to the appropriate table. - Indexing: Data is indexed for fast querying. Indexing is automatic; no manual index management is required. - Storage: Data is stored in Azure Blob Storage, optimized for log analytics. The workspace provides a query interface over this data.
Retention and archiving are managed at the table level. You can set a retention period (default 30 days for most tables, up to 730 days for Azure Sentinel) and enable archiving for up to 7 years. Archived data is stored in a lower-cost tier but requires a search job to query.
Key Components, Values, Defaults, and Timers
Workspace ID and Key: Used by agents to authenticate. The workspace ID is a GUID; the primary key is a base64-encoded string. Regenerate keys carefully as it breaks agent connectivity.
Tables: Each table has a predefined schema. Common security tables: SecurityEvent (Windows events), SigninLogs (Azure AD), AuditLogs (Azure AD), AzureActivity (resource logs), CommonSecurityLog (syslog from security appliances).
Retention Period: Default 30 days for Pay-as-You-Go pricing tier, 31 days for Per GB 2018 tier, and up to 730 days for Azure Sentinel-enabled workspaces. Can be set per table.
Archival Period: Up to 7 years after retention ends. Cost is ~$0.02/GB/month.
Ingestion Cost: $2.30/GB/day for Pay-as-You-Go (varies by region). Data volume is measured in GB ingested.
Query Limits: Queries can return up to 500,000 rows or 64 MB of data by default. Use pagination or aggregation for larger results.
Data Collection Rules (DCR): Define which data to collect, transformations, and destinations. Used by Azure Monitor Agent (AMA) and data collection endpoints.
Sentinel Pricing: Azure Sentinel charges $2.30/GB/day for ingested data, with a free tier of 5 GB/month.
Configuration and Verification Commands
To create a Log Analytics workspace using Azure CLI:
az monitor log-analytics workspace create --resource-group myRG --workspace-name myWorkspace --location eastus --sku PerGB2018To set retention for a table:
az monitor log-analytics workspace table update --resource-group myRG --workspace-name myWorkspace --name SecurityEvent --retention-time 90To enable archiving:
az monitor log-analytics workspace table update --resource-group myRG --workspace-name myWorkspace --name SecurityEvent --total-retention-time 365To query the workspace (KQL):
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize count() by AccountInteraction with Related Technologies
Azure Sentinel: Built on Log Analytics workspaces. Enable Sentinel on a workspace to get advanced SIEM capabilities, including analytics rules, playbooks, and UEBA. The workspace must be in a supported region.
Microsoft Defender for Cloud: Uses Log Analytics workspaces for storing security alerts and recommendations. The workspace can be the default one created by Defender or a custom one.
Azure Monitor: The parent service. Log Analytics is part of Azure Monitor. Activity logs and metrics can be sent to a workspace.
Diagnostic Settings: Send resource logs (e.g., from Azure Key Vault, NSG flow logs) to a workspace. Each resource can have up to 5 diagnostic settings.
Azure Policy: Enforce workspace configuration, such as requiring diagnostic settings for all resources.
Best Practices for Security Design
Separate Workspaces for Different Environments: Use separate workspaces for production, development, and test to avoid data mixing and cost confusion.
Use a Centralized Workspace for Security: Collect all security logs into a single workspace (e.g., Azure Sentinel) for cross-correlation. For compliance, you may need separate workspaces for different regions.
Control Access with RBAC: Use built-in roles: Log Analytics Reader (read-only), Log Analytics Contributor (read and write), and custom roles. For table-level RBAC, use Azure RBAC with the microsoft.operationalinsights/workspaces/query/* permission.
Data Retention and Archiving: Balance cost and compliance. For security investigations, retain data for at least 90 days; for compliance, archive up to 7 years.
Cost Management: Monitor data ingestion with Azure Cost Management + Billing. Set daily caps to avoid surprise bills (though data loss may occur if cap is hit).
Use Private Links: For secure data ingestion, use Azure Private Link to connect VNets to the workspace, preventing data from going over the internet.
Common Misconfigurations and Troubleshooting
Agent Not Sending Data: Check workspace ID and key. Ensure the agent is running and can reach the ingestion endpoint (e.g., *.ods.opinsights.azure.com).
Data Not Appearing in Queries: Verify table name and schema. Data may take 5-10 minutes to appear (ingestion latency).
High Costs: Identify high-volume tables (e.g., SecurityEvent, CommonSecurityLog). Use DCR to filter out unnecessary events.
Retention Settings Not Applied: Retention is set per table, not per workspace. Ensure you update the correct table.
Query Timeouts: Queries that scan too much data can time out (10-minute timeout). Use time range filters and aggregations.
Exam-Specific Details
The AZ-500 exam expects you to know how to design workspaces for security, including choosing between a single workspace vs. multiple workspaces.
You must understand the difference between Log Analytics workspace and Application Insights workspace (Application Insights can share a workspace).
Know the default retention periods: 30 days for Pay-as-You-Go, 31 days for Per GB 2018, 90 days for Azure Sentinel (with 90-day free retention).
Be able to configure diagnostic settings to send logs to a workspace.
Understand how Azure Policy can enforce diagnostic settings.
Know that workspace keys can be regenerated from the Azure portal or CLI.
Understand that data cannot be moved between workspaces once ingested; you must re-ingest.
Know that you can query across workspaces using union with workspace() function.
Advanced Topics
Data Export: Use continuous export to send data to Azure Storage or Event Hubs for custom processing.
Customer-Managed Keys (CMK): Encrypt data at rest with your own key stored in Azure Key Vault. Requires dedicated cluster.
Dedicated Clusters: For large volumes (>500 GB/day), use a dedicated cluster for better performance and CMK support.
Workspace Insights: Use the Log Analytics workspace solution to monitor workspace health, ingestion, and query performance.
Summary
A Log Analytics workspace is the backbone of Azure security monitoring. Proper design involves choosing the right number of workspaces, setting appropriate retention and archiving, controlling access, and integrating with Azure Sentinel and Defender for Cloud. On the exam, focus on configuration steps, default values, and best practices for isolation and cost management.
Create Log Analytics Workspace
In the Azure portal, navigate to Log Analytics workspaces and click Create. Provide a unique workspace name, select a subscription and resource group, and choose a region (preferably the same region as your resources to minimize data transfer costs). Select a pricing tier: Pay-as-You-Go (default) or Per GB 2018 (older, lower cost if volume >1 TB/month). For Azure Sentinel, you enable it later. After creation, note the workspace ID and primary key, as agents need them for authentication.
Configure Diagnostic Settings
For each Azure resource that generates security logs (e.g., VMs, Key Vaults, NSGs, Azure AD), configure diagnostic settings to stream logs to the workspace. In the Azure portal, go to the resource's Diagnostic settings, click Add diagnostic setting, select the log categories (e.g., AuditEvent, Security), and choose 'Send to Log Analytics workspace' as the destination. You can also send to storage or event hubs. For Azure AD, go to Azure AD > Monitoring > Audit logs and Sign-in logs, then click Export Data Settings to configure streaming.
Deploy Log Analytics Agents
For on-premises servers or Azure VMs that do not use Azure Monitor Agent (AMA), deploy the Log Analytics agent (MMA) or Azure Monitor Agent (recommended). For AMA, create a Data Collection Rule (DCR) defining which events to collect (e.g., Windows Security events, Syslog). Install the agent using Azure Arc or manually. The agent authenticates with the workspace ID and key. In the DCR, you can specify data sources like Windows Event Logs (e.g., Security, Application) and performance counters. The agent sends data to the workspace via HTTPS.
Set Retention and Archiving
By default, data is retained for 30 days (Pay-as-You-Go). For security, you may need longer retention. In the workspace, go to Tables, select a table (e.g., SecurityEvent), and set the retention period (up to 730 days). For compliance, enable archiving by setting total retention to a value greater than the interactive retention (up to 2555 days, i.e., 7 years). Archived data is stored at a lower cost but requires a search job to query. Note that retention changes apply to new data only; existing data is not affected.
Implement Access Control
Use Azure RBAC to control who can read or write to the workspace. Assign the Log Analytics Reader role to security analysts who need to run queries. Assign Log Analytics Contributor to engineers who manage workspace configuration. For granular control, use table-level RBAC: assign permissions on specific tables using the 'microsoft.operationalinsights/workspaces/query/*' action. Also, consider using Azure Private Link to restrict network access to the workspace from specific VNets, ensuring data does not traverse the public internet.
Enable Security Solutions
To use Azure Sentinel, enable it on the workspace from the Azure Sentinel blade. This adds SIEM capabilities, including analytics rules, playbooks, and threat intelligence. For Microsoft Defender for Cloud, you can connect the workspace to store security alerts. In Defender for Cloud, go to Environment settings and select the workspace under 'Log Analytics workspace'. Optionally, install solutions like Security and Audit (legacy) or use the newer Azure Monitor Agent for comprehensive security event collection.
Scenario 1: Large Enterprise with Multiple Regions
A global company with Azure deployments in US East, West Europe, and Southeast Asia needs centralized security monitoring. They create a single Log Analytics workspace in US East for all security logs to enable cross-region correlation. However, they face high data transfer costs and latency. To optimize, they deploy Azure Sentinel in each region and use cross-workspace queries via workspace() function. They also set up a dedicated cluster in US East for high-volume data (>1 TB/day) to get better performance and CMK encryption. They use Azure Policy to enforce diagnostic settings for all resources, ensuring no log gaps. The challenge is managing multiple workspaces: they use a Log Analytics workspace insights workbook to monitor ingestion and cost across workspaces.
Scenario 2: Compliance-Driven Financial Institution
A bank must retain audit logs for 7 years for regulatory compliance. They create a Log Analytics workspace with Azure Sentinel enabled. They set interactive retention to 90 days for fast queries, and archival retention to 7 years. They use table-level RBAC to restrict access to sensitive data (e.g., SigninLogs) to only senior security analysts. They also implement customer-managed keys (CMK) using a dedicated cluster to encrypt data at rest. They use continuous export to send logs to Azure Storage for long-term cold storage as a backup. The main issue is cost: archival storage is cheap, but queries on archived data require search jobs that are billed per GB scanned. They educate analysts to use time filters to minimize scan size.
Scenario 3: Small Business with Limited Budget
A startup uses Azure for a web application. They need basic security monitoring without high cost. They create a single Log Analytics workspace in the same region as their resources. They use the Pay-as-You-Go pricing tier and set a daily cap of 5 GB to control costs. They collect only essential logs: Azure Activity logs, Azure AD sign-in logs, and Windows Security events (only critical and error events). They use Azure Monitor alerts to notify on suspicious sign-ins. They do not use Sentinel due to cost. The risk is that if the daily cap is hit, data is lost until the next day. They monitor ingestion daily and adjust the cap as needed. They also use Azure Policy to ensure all resources have diagnostic settings enabled.
What AZ-500 Tests on This Topic (Objective 4.2)
The AZ-500 exam objective 'Configure Log Analytics workspace for security' focuses on: (1) Designing workspace architecture (single vs. multiple workspaces), (2) Configuring data collection via diagnostic settings and agents, (3) Setting retention and archiving, (4) Implementing access control (RBAC and table-level), (5) Integrating with Azure Sentinel and Defender for Cloud. Expect 2-3 questions on this topic.
Common Wrong Answers and Why Candidates Choose Them
'Use a separate workspace for each resource': Candidates think isolation is better, but the exam emphasizes that a single workspace enables cross-resource queries and is recommended for security monitoring unless compliance or data sovereignty requires separation.
'Set retention to 730 days for all tables': While possible, it's costly. The exam expects you to know that default is 30 days and that you should set retention based on requirements (e.g., 90 days for security, 7 years for compliance via archiving).
'Workspace key is used for authentication only by agents': Candidates forget that the key can also be used by applications via the Log Analytics API. The exam tests that you can regenerate keys but must update all agents.
'Data is automatically moved between workspaces': No, data cannot be moved after ingestion. The exam tests that you must re-ingest data if you change workspaces.
Specific Numbers, Values, and Terms That Appear Verbatim
Default retention: 30 days (Pay-as-You-Go), 31 days (Per GB 2018).
Maximum retention: 730 days interactive, 2555 days total with archiving.
Ingestion cost: $2.30/GB/day (varies by region).
Azure Sentinel cost: $2.30/GB/day.
Number of diagnostic settings per resource: 5.
Query result limit: 500,000 rows or 64 MB.
Workspace ID format: GUID.
Agent authentication: workspace ID + key or managed identity.
Edge Cases and Exceptions the Exam Loves
Data collection rules (DCR): The exam may test that DCRs are used with Azure Monitor Agent (AMA), not the legacy Log Analytics agent.
Private Link: You can use Private Link to ingest data securely, but the workspace must be in the same region as the VNet.
Dedicated clusters: Required for CMK and large volumes (>500 GB/day).
Cross-workspace queries: Use union with workspace('workspaceID').TableName syntax.
Daily cap: If hit, data is dropped; no automatic recovery.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If a question asks about cost optimization, remember that retention and archiving are per table, not per workspace. If a question mentions data isolation, consider regulatory requirements (e.g., GDPR) that may require separate workspaces per region. If a question involves query performance, know that using a dedicated cluster improves performance for large datasets. If a question mentions agent connectivity, check that the workspace ID and key are correct, and that the agent can reach the ingestion endpoint.
Log Analytics workspace is a logical container for log data, essential for Azure Monitor, Sentinel, and Defender for Cloud.
Default retention is 30 days (Pay-as-You-Go) or 31 days (Per GB 2018); can be increased up to 730 days interactive and 2555 days total with archiving.
Use a single workspace for centralized security monitoring unless compliance or data sovereignty requires multiple.
Diagnostic settings can send logs from Azure resources to a workspace; each resource can have up to 5 settings.
Azure Monitor Agent (AMA) uses Data Collection Rules (DCR) for granular data collection; legacy Log Analytics agent uses workspace ID and key.
Access control is via RBAC (Reader/Contributor roles) and table-level RBAC for granular permissions.
Azure Sentinel adds SIEM capabilities on top of a workspace; cost is $2.30/GB/day.
Data cannot be moved between workspaces; plan carefully before ingestion.
Daily cap stops ingestion when reached; data loss occurs until cap resets.
Private Link and CMK (via dedicated clusters) provide enhanced security for sensitive data.
These come up on the exam all the time. Here's how to tell them apart.
Single Log Analytics Workspace
Simplifies cross-resource queries across all data
Lower administrative overhead (one workspace to manage)
Cost-effective for small to medium environments
Easier integration with Azure Sentinel (single SIEM)
May violate data sovereignty if data must stay in specific regions
Multiple Log Analytics Workspaces
Enables data isolation per environment (prod/dev) or region
Allows separate retention and access policies per workspace
Can reduce data transfer costs if workspaces are in the same region as resources
More complex to query across workspaces (requires union with workspace() function)
Higher administrative overhead and potential for configuration drift
Mistake
Log Analytics workspace is the same as Azure Sentinel.
Correct
Azure Sentinel is built on top of a Log Analytics workspace, but they are different. The workspace provides storage and querying; Sentinel adds SIEM capabilities like analytics rules, playbooks, and threat intelligence. A workspace without Sentinel is just a log repository.
Mistake
You can change the region of a Log Analytics workspace after creation.
Correct
No, the region is fixed at creation time. Data is stored in that region. To move data, you must create a new workspace and re-ingest logs.
Mistake
Setting a daily cap guarantees no data loss.
Correct
The daily cap stops ingestion when the limit is reached. Any data beyond the cap is lost until the cap resets the next day. It does not buffer or queue data.
Mistake
All tables in a workspace have the same retention settings.
Correct
Retention is set per table. You can have different retention for SecurityEvent (90 days) and AzureActivity (30 days). This allows cost optimization.
Mistake
Log Analytics workspace data is automatically backed up.
Correct
Azure stores data redundantly within the region, but there is no built-in backup or export. For long-term retention, use continuous export to storage or enable archiving.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
First, create a Log Analytics workspace in a supported region (see Azure Sentinel documentation for region list). Then, in the Azure portal, navigate to Azure Sentinel, click 'Create', select the workspace, and click 'Add'. The workspace must have the Pay-as-You-Go or Per GB 2018 pricing tier. Once added, you can enable Sentinel features like analytics rules and playbooks.
Application Insights is a separate service for application performance monitoring. It can use a Log Analytics workspace as its data store (workspace-based Application Insights). This allows you to query application data alongside infrastructure logs. However, classic Application Insights uses its own storage. For AZ-500, know that workspace-based Application Insights is recommended for integration with Log Analytics.
Yes, you can change the retention period at any time. The new setting applies to new data ingested after the change. Existing data will be retained according to the previous setting until it ages out. For example, if you increase retention from 30 to 90 days, existing data that is already 40 days old will be deleted after 30 days (its original retention), not 90.
Use the `workspace()` function in KQL. For example: `union workspace('workspace1').SecurityEvent, workspace('workspace2').SecurityEvent | where TimeGenerated > ago(1d)`. You need read access to each workspace. This is useful for centralized security monitoring across multiple workspaces.
All agents and applications that use the old key will lose connectivity. You must update them with the new key. Regenerate keys from the Azure portal under Agents management. It's recommended to use managed identity instead of keys for agent authentication to avoid this issue.
Use the Pay-as-You-Go tier and set a daily cap to limit ingestion. Filter data using Data Collection Rules to only collect essential logs. Use table-level retention: set shorter retention for high-volume, low-value tables. Enable archiving for long-term retention at lower cost. Monitor usage with Azure Cost Management + Billing and set budgets and alerts.
Yes, install the Azure Monitor Agent (AMA) on the on-premises server (requires Azure Arc for management) or use the legacy Log Analytics agent. Configure a Data Collection Rule to specify which logs to collect. The agent sends data to the workspace over HTTPS. Ensure outbound connectivity to *.ods.opinsights.azure.com and *.oms.opinsights.azure.com.
You've just covered Log Analytics Workspace Design for Security — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?