Azure Log Analytics: From Beginner to Expert

Azure Log Analytics: From Beginner to Expert

Teleperformance - 12.18.2023
Andres Fernando - Cloud Center of Excellence

In today’s data-driven business landscape, Log Analytics Workspace (LAW) plays a critical role in extracting valuable insights from massive volumes of logs and telemetry data. Whether you’re a seasoned user or new to LAW, optimizing its usage can lead to significant cost savings and improved efficiency. This blog series explores strategies to get the most out of LAW.

Microsoft Azure LAW

Some may think that moving or provisioning resources in the cloud eliminates failures. However, this is not the case. Failures can still occur in the cloud. As more resources are moved into the cloud, it becomes crucial to monitor their health and performance to prevent critical issues that could impact the business. This is where the "active monitoring" of Azure resources comes in. The challenge lies in managing the activity, security, and performance information (logs) generated by each resource. Microsoft Azure offers a centralized log storage solution called LAW, where you can store all the information and easily create queries to gain better insights.

How does it work?

Data sources such as virtual machines, storage accounts, and Azure resources send their logs to the LAW, where the data is stored in tables. Once the data is available in the LAW, queries can be written using the Kusto Query Language (KQL) to retrieve specific information from multiple data sources. KQL is used in Azure Data Explorer, Azure Monitor Log Analytics, Azure Sentinel, and other platforms. More on KQL in the next blog.


Key considerations


Creating a LAW does not incur any additional costs. However, it is important to note that charges will apply for the data sent to the LAW (ingestion data) and for the duration that the data is stored (retention data). At Teleperformance, we tailor these policies to the specific needs of business units, ensuring that only relevant data is stored for optimal performance.


Security access to the data stored on the LAW is defined by IAM, ensuring that only users to whom you have granted access can access the information. At Teleperformance, we restrict access based on job roles and responsibilities, preventing unnecessary data access and potential misuse, which not only enhances security but also contributes to cost-effective data governance.


Designing a LAW involves several key factors to ensure its effectiveness. These include determining whether to have one LAW or multiple LAWs, as well as deciding whether to store operational data and security data together or separately. At Teleperformance, we address these questions upfront to avoid the need to make significant design changes in the future.

It is important to keep in mind the following points:

  • The cost of storing data in the LAW will depend on the amount and duration of data stored.
  • Since the LAW is a regional resource, additional charges may apply if data is transmitted from different Azure locations.

In terms of data, there are two main types to consider:

  1. Operational. This type of data relates to performance metrics and operational aspects.
  2. Security. This refers to data related to security measures and protocols.

This illustrates how data are sent to different LAWs:


The question now is: should these two types of data be combined or kept separate or when to use dedicated or combined workspaces?

Dedicated workspaces

Combined workspace

If you have segregated ownership of data between operational and security teams

If you can easily combine operational and security queries

If you have compliance requirements for keeping data in a particular region

If you want to take advantage of the commitment tiers (may incur cost)

If you have compliance requirements for data ownership (different subsidiaries/ companies, etc.

Because operational and security data is on the same workspace, reaching a commitment tier with more discounts can be easier.

If you have different billing compliance requirements

If Microsoft Sentinel and Microsoft Defender for Cloud are in use, consider using the same LAW for these data.

If you have different data retention compliance requirements



Maximizing the potential of LAW requires considering factors such as cost, security, and design from the beginning. Teleperformance has implemented strategies to assure businesses that their investment in LAW will result in actionable insights without any additional charges.

Image Linkedin
Image Twitter
Image Facebook
Image Email
Image Share