Data Storage Principle: Editing, manipulation and deletion security

  • Question

  • Hi,

    I wasn't able to find any information on how the log entries are stored when sending them to a "Log Analytics workspace". How exactly is this architected?

    Is it possible to delete specific log entries, or worse, to modify them after they have been recorded? If this were possible, the solution wouldn't suit the audit requirements for many projects and would not be usable on any project that requires strict logging and auditing.

    I would appreciate any information on how Microsoft has thought about this specific topic.


    • Edited by CodeMonk3y Tuesday, January 14, 2020 7:52 AM
    Monday, January 13, 2020 12:41 PM

Answers

  • Thanks for reaching out! Normally the underlying architecture of Log Analytics workspace uses Kusto (Azure Data Explorer) to store the data.

    Log Analytics is based on an append-only data platform, meaning that data can never be modified. As far as deletion, we do support a deletion mechanism - something we must do to ensure our customers are able to meet various data privacy regulations around the world (GDPR is a prominent example of such regulation). The bar of entry to use this command, however, is very high, and not even admins by default are able to execute this command without additional rights being granted to them. For more information, please refer to this documentation.

    Hope this helps!

    • Marked as answer by CodeMonk3y Monday, January 13, 2020 5:29 PM
    Monday, January 13, 2020 4:48 PM
    Moderator
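
Since deletion through the purge mechanism remains possible, an audit-focused deployment can watch for its use. The following is an added example, not part of the original thread and not Microsoft's code: it scans constructed records modelled on Azure Activity Log events for the purge operation and flags callers outside an approved list; the record layout, caller names and workspace name are assumptions.

```python
# Operation name of the Log Analytics purge API as recorded by Azure Resource Manager.
PURGE_ACTION = "microsoft.operationalinsights/workspaces/purge/action"

WS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
      "/providers/Microsoft.OperationalInsights/workspaces/ws-audit")

# Constructed sample records; the flat field layout is a simplifying assumption,
# not the exact Activity Log export schema.
SAMPLE_EVENTS = [
    {"time": "2020-01-14T08:00:00Z", "caller": "ops-admin@example.com",
     "operationName": "Microsoft.OperationalInsights/workspaces/write",
     "status": "Succeeded", "resourceId": WS},
    {"time": "2020-01-14T09:12:00Z", "caller": "privacy-officer@example.com",
     "operationName": "Microsoft.OperationalInsights/workspaces/purge/action",
     "status": "Succeeded", "resourceId": WS},
    {"time": "2020-01-14T23:41:00Z", "caller": "ops-admin@example.com",
     "operationName": "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/PURGE/ACTION",
     "status": "Failed", "resourceId": WS},
]


def find_purge_events(events, approved_callers=()):
    """Return every purge operation, flagging callers outside the approved list."""
    approved = {c.lower() for c in approved_callers}
    findings = []
    for ev in events:
        if str(ev.get("operationName", "")).lower() != PURGE_ACTION:
            continue  # not a deletion request
        caller = str(ev.get("caller", "<unknown>"))
        findings.append({
            "time": ev.get("time"),
            "caller": caller,
            "workspace": str(ev.get("resourceId", "")).rsplit("/", 1)[-1],
            "status": ev.get("status"),  # failed attempts are kept: they show intent
            "approved": caller.lower() in approved,
        })
    return findings


if __name__ == "__main__":
    for f in find_purge_events(SAMPLE_EVENTS, ["privacy-officer@example.com"]):
        flag = "ok" if f["approved"] else "REVIEW"
        print(f'{f["time"]} {f["workspace"]} {f["caller"]} {f["status"]} [{flag}]')
```

Failed purge attempts are reported alongside successful ones, since an attempt by an account without the extra rights is itself worth reviewing.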

All replies

  • Hi,

    Thank you for replying to my question so quickly! I get that the GDPR and some Audit regulations are in conflict at some points. However, it is great to know that no modification is possible.

    It should be possible to relate to the GDPR if people question the possible deletion. Many thanks again :)

    Monday, January 13, 2020 5:28 PM