Hi AndrePKI, when we draw data sources in the diagrams, we are talking about any data source; it doesn't matter if it's a VM on-prem, in the cloud, a PaaS or a SaaS service (like DfE). So Defender for Endpoint could still be split at source and sent to both Sentinel and ADX. You can also use a hybrid approach, where some sources are split at the source and some others are only sent to Sentinel and data export is then used to forward into ADX. The architectures in this article are just conceptual and you can build different solutions that use multiple approaches for different data sources. Sometimes you're even forced to do so due to technical limitations.
Whether 90 days is sufficient for a SOC or not is a bigger discussion. There are some things that you lose when you send the data over 90 days old to ADX, like entity history and trend or easier navigation of logs through our visual investigation. In any case, every customer can choose whatever they think is best for their SOC in terms of retention.
Regards