![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 85%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELF%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Sentinel
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
Hi Lee,
you may need to provide more details on how exactly you are deleting and restoring data.
Sentinel uses a log analytics workspace.
If an attacker deletes the workspace you should be able to restore it if you have soft delete enabled:
Check for soft-deleted workspaces
Get-AzOperationalInsightsDeletedWorkspace -ResourceGroupName "your-rg"
Restore if within 14 days
Restore-AzOperationalInsightsWorkspace -ResourceGroupName "your-rg" -Name "deleted-workspace-name" -Location "region"
Note: data cannot be restored at the table level, just the workspace level.
Recommendation: Use the Sentinel Data Lake mirroring feature to provide a copy of your data in the data lake for long retention periods. If your workspace is deleted you will still have a copy in the data lake! (per-table configuration).