Agreed. Performance data is not usually considered to be security data. Though it may be more convenient to store limited operational data in the Sentinel workspace. If you choose to use the Sentinel workspace, you might consider lowering the polling frequency to reduce the perf data size if it gets too expensive. You could set up a separate workspace dedicated to operational monitoring data instead.
Log Optimization - Can I drop all Perf & InsightsMetrics table logs
Hello,
I am working on log optimization on Sentinel. I want a suggestion: can I drop all logs of the Perf & InsightsMetrics tables?
As I checked:
The Perf table stores performance counters from Windows and Linux agents that provide insight into the performance of hardware components, operating systems and applications.
The InsightsMetrics table stores Health Check-related logs.
Please give me a suggestion: can I drop the logs?
Thank you in advance.
Microsoft Security | Microsoft Sentinel
Andrew Blumhardt 10,051 Reputation points Microsoft Employee
2023-11-01T12:09:21.9433333+00:00
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
2023-11-01T08:20:23.3266667+00:00
@Ganesh Tembare Thank you for reaching out to us. As I understand, you are looking for a suggestion on whether you can drop all Perf & InsightsMetrics table logs from ingestion to Microsoft Sentinel.
According to me, health monitoring data and performance logs for Apps and VMs are non-security data; you will not have much benefit in storing non-security data in Microsoft Sentinel, as it can incur additional cost.
However, there are several options mentioned here - https://learn.microsoft.com/en-us/azure/sentinel/billing-reduce-costs - which you can plan/implement to optimize cost: separate non-security data in a different workspace.
However, I will check with my team internally on your ask and revert back.
Let me know if you have any further questions; feel free to post back.