Table plan 'Auxiliary' is not supported
As you may have heard, Auxiliary Logs are a new low-cost data tier in Microsoft Sentinel. They’re designed as a space to keep verbose logs that might not be used in everyday incident response, such as network, proxy and firewall logs. Lots of people have already written about this new log type – see here and here.
This blog is to help you if you’ve been getting this specific error:
I had several people report this error. My first instinct was that they must be trying to deploy Auxiliary Logs in an unsupported region (see the chart of supported regions at the bottom of this post). But that wasn’t the case. They were trying to deploy in a supported region. So, what could it be?
The instructions on how to create an Auxiliary Log are a little vague. You do it via API with this command:
https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}/tables/{table name_CL}?api-version=2023-01-01-preview
You need to fill in your own tenant’s values for subscription_id, resource_group, workspace_name, and table name_CL. But how do I even take that line of code and turn it into an actual Aux Log?
To me, the easiest way is to go to this link and click the “Try it” button in the upper left-hand corner of the code.
That will take you to a sign-in page. Go ahead and authenticate. Then you’ll get a page that looks like this. You can manually select your Subscription and type in the names of your resource group, workspace, and the name of the new Aux Log table you want to create. But the issue that caused the error - “Table plan 'Auxiliary' is not supported” - is the api-version. When you come to this page, there is a default api-version in the box. You have to change it to the correct version, “2023-01-01-preview”, for the table creation to work.
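The same call built outside the “Try it” page, as an added example that is not from the original post: it builds (without sending) the request with the api-version pinned and refuses any other version. The PUT method, the request body shape, and the sample subscription, resource group, workspace, table and column names are assumptions not shown in the post.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit
from urllib.request import Request

AUX_API_VERSION = "2023-01-01-preview"  # the version the post says is required
ARM = "https://management.azure.com"

def api_version_of(url):
    """Return the api-version query value of an ARM URL, or None if absent."""
    return parse_qs(urlsplit(url).query).get("api-version", [None])[0]

def build_aux_table_request(subscription_id, resource_group, workspace_name,
                            table_name, columns, bearer_token,
                            api_version=AUX_API_VERSION,
                            total_retention_days=365):
    """Build (do not send) the request that creates an Auxiliary table."""
    if api_version != AUX_API_VERSION:
        raise ValueError(
            f"api-version {api_version!r} differs from {AUX_API_VERSION!r}; the "
            "post traces \"Table plan 'Auxiliary' is not supported\" to this")
    if not table_name.endswith("_CL"):
        raise ValueError("table name must end in _CL, as in the URL template")
    path = "/".join(quote(part, safe="") for part in (
        "subscriptions", subscription_id, "resourceGroups", resource_group,
        "providers", "Microsoft.OperationalInsights",
        "workspaces", workspace_name, "tables", table_name))
    body = {"properties": {  # assumed body shape, not shown in the post
        "schema": {"name": table_name, "columns": columns},
        "totalRetentionInDays": total_retention_days,
        "plan": "Auxiliary"}}
    return Request(
        f"{ARM}/{path}?api-version={api_version}",
        data=json.dumps(body).encode(), method="PUT",  # PUT is an assumption
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})

# Constructed sample values, not from a real tenant.
SAMPLE = build_aux_table_request(
    "00000000-0000-0000-0000-000000000000", "rg-sentinel", "law-sentinel",
    "FirewallVerbose_CL",
    [{"name": "TimeGenerated", "type": "datetime"},
     {"name": "RawData", "type": "string"}],
    bearer_token="<token>")

if __name__ == "__main__":
    print(SAMPLE.get_method(), SAMPLE.full_url)
    print(SAMPLE.data.decode())
    # To send it: urllib.request.urlopen(SAMPLE), with a real ARM bearer token.
```

`api_version_of` can also be pointed at a request URL copied from the “Try it” page to confirm which version was actually submitted.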