Beyond 90 Days: Exploring Long-Term Storage Options for Microsoft Sentinel Logs
As an MSSP, you may find that the default 90-day free retention period for logs is not always sufficient to cover your service offering.
In this post, we explore available options for storing and searching Sentinel logs beyond this period.
📌 Retention and Archive Policies in Log Analytics Workspaces:
These policies determine when to remove or archive data and can help manage the cost of storing data in the workspace. Archiving allows you to keep older, less frequently used data in your workspace at a reduced cost. When you no longer use the logs but still need to keep the data for compliance or occasional investigation, you can archive the logs to save costs. Archived data stays in the same table as the data that's available for interactive queries, and you can access and analyze it through search jobs or the restore option.
📌 Azure Data Explorer (ADX):
A powerful big data analytics platform that is optimized for log and data analytics. ADX uses Kusto Query Language (KQL) as its query language, making it an excellent choice for storing Microsoft Sentinel data. When you export logs to ADX, they are automatically converted to compressed, partitioned Parquet format and can be easily queried.
ADX is well-suited for users who need to run periodic investigations on their historical data and can also be useful for security-related investigations when combined with other data sources.
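The query below is an added example and not code from the original post. It shows the "combined with other data sources" point from a Sentinel workspace: live SecurityEvent rows still inside the workspace's interactive retention are unioned with older rows that data export has already landed in ADX, using the Log Analytics `adx()` cross-resource function. The ADX cluster URI, database name and the 90-day retention boundary are assumptions; the account names are constructed sample values. Splitting the two sources on the retention boundary avoids double counting rows that exist in both places during the overlap period.

```kql
// Added example, not part of the original post. Assumed placeholders:
//   ADX cluster  : https://adx-soc-archive.westeurope.kusto.windows.net (hypothetical)
//   ADX database : SentinelArchive (hypothetical)
//   ADX table    : SecurityEvent, fed by Log Analytics data export, same schema as the workspace table
//   Workspace interactive retention assumed to be 90 days
let lookback = 180d;                                   // how far back the investigation reaches
let retentionBoundary = ago(90d);                      // rows newer than this come from the workspace
let watchedAccounts = dynamic(["svc-backup", "adm-legacy"]);   // constructed sample values
// Recent failed logons (EventID 4625) still held in the Sentinel workspace
let recent = SecurityEvent
    | where TimeGenerated > retentionBoundary
    | where EventID == 4625
    | project TimeGenerated, Computer, Account, IpAddress;
// Older failed logons that only exist in ADX any more; bounded so the two sets do not overlap
let archived = adx("https://adx-soc-archive.westeurope.kusto.windows.net/SentinelArchive").SecurityEvent
    | where TimeGenerated > ago(lookback) and TimeGenerated <= retentionBoundary
    | where EventID == 4625
    | project TimeGenerated, Computer, Account, IpAddress;
union recent, archived
| where Account in~ (watchedAccounts)
| summarize FailedLogons = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IpAddress, 20)
    by Account, Computer
| order by FailedLogons desc
```

The same shape works for any exported table; the only requirement is that the ADX table keeps the workspace column names so the `project` lists line up before the `union`.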
📌 Exporting Data to an Azure Storage Account:
This option is recommended for users who rarely need to query the data or who have specific querying needs. Data export in a Log Analytics workspace lets you continuously export data per selected table in your workspace, and you can export to an Azure Storage account of type StorageV1 or later, in the same region as your workspace. The exported data can be shifted between tiers using lifecycle management, and you can query specific logs using KQL and the "externaldata" operator.
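As an added example, not code from the original post, this is what an `externaldata` query over exported blobs looks like. Data export writes each table to its own container and cuts a new newline-delimited JSON blob every few minutes; the storage account name, container name, subscription, resource group and workspace segments, the blob path layout and the `<SAS-TOKEN>` are all placeholders or assumptions, and the column list is a subset of the SigninLogs schema. Because every blob has to be listed by URI, this suits the occasional, narrowly scoped lookup the paragraph describes rather than routine hunting.

```kql
// Added example, not part of the original post. Assumptions and placeholders:
//   Storage account "sentinelexportsa", container "am-signinlogs" (export names containers am-<table>)
//   Blob path layout as written by Log Analytics data export (assumed, verify in your own container)
//   <SAS-TOKEN> is a read-only SAS; h@ marks the literal as obfuscated so it does not surface in query logs
//   Exported blobs are newline-delimited JSON, hence format="multijson"
externaldata(
    TimeGenerated: datetime,
    UserPrincipalName: string,
    AppDisplayName: string,
    IPAddress: string,
    ResultType: string,
    ResultDescription: string
)
[
    h@"https://sentinelexportsa.blob.core.windows.net/am-signinlogs/WorkspaceResourceId=/subscriptions/<SUBSCRIPTION-ID>/resourcegroups/<RESOURCE-GROUP>/providers/microsoft.operationalinsights/workspaces/<WORKSPACE>/y=2024/m=01/d=15/h=08/m=00/PT05M.json?<SAS-TOKEN>"
]
with (format="multijson")
| where ResultType != "0"                               // ResultType "0" is a successful sign-in; keep failures only
| summarize Failures = count(),
            Apps = make_set(AppDisplayName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where Failures >= 5                                   // constructed threshold for the sample
| order by Failures desc
```

Add one URI per blob for the time window you need; for a wider window it is usually cheaper to move those blobs to ADX or restore the archived table than to keep extending the list.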
📌 Storage account export via Logic Apps:
This option is recommended for users who rarely need to query the data and whose storage account is in a different region than their Log Analytics workspace. It allows you to specify which data you want to retrieve from the Log Analytics workspace and send it to a storage account on a regular schedule. By filtering and aggregating your log data in the query, you can limit the amount of data processed by your Logic Apps workflow.
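The query below is an added example, not from the original post, of the kind of KQL you would place in the Logic App's workspace query step to keep the workflow's data volume small. It aggregates a day of Windows security events into hourly counts before the result is written to storage. The daily schedule and the chosen EventIDs are assumptions; the point it illustrates is the time window: anchoring both ends to `startofday` makes consecutive daily runs contiguous, so a run that fires slightly late neither skips rows nor exports the same hour twice.

```kql
// Added example, not part of the original post. Assumes a Logic App recurrence of once per day,
// shortly after midnight, with this query in its "run query" action.
// Window = the whole previous calendar day, closed on the right so two runs never overlap.
let windowStart = startofday(ago(1d));
let windowEnd   = startofday(now());
// Constructed selection of events worth keeping long term (logon outcomes, privilege use, account changes)
let keptEvents = dynamic([4624, 4625, 4672, 4720, 4726, 4728, 4732]);
SecurityEvent
| where TimeGenerated >= windowStart and TimeGenerated < windowEnd
| where EventID in (keptEvents)
| summarize EventCount = count(),
            DistinctAccounts = dcount(Account),
            SampleAccounts = make_set(Account, 10)
    by Hour = bin(TimeGenerated, 1h), Computer, EventID, Activity
| extend ExportDay = format_datetime(windowStart, "yyyy-MM-dd")   // handy blob name / partition key
| order by Hour asc, Computer asc, EventID asc
```

Raw events for a single day can run to millions of rows; the hourly rollup usually shrinks that by orders of magnitude, which is what keeps the Logic App run under its action and payload limits.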
💡 My piece of advice:
1- Familiarize yourself with your data.
2- Be clear about your service offering and capabilities with your customer.
3- Understand your clients' needs.