Forum Discussion

kylemiller061
Copper Contributor
Mar 16, 2020

Incident Case Data Retention // Incident Case Log Location

Two separate questions for the community.

1. What is the retention period for incident case data? Is it limited to the retention period you have for the associated workspace?

2. I know I can access the incident case data via the "Microsoft.SecurityInsights/cases" resource provider, but is this accessible via Log Analytics directly?


Thank you for the help.

3 Replies

  • kylemiller061

    1. It maps to the table retention.

    2. Some data is in the SecurityAlert table; more columns are to be added (tbc).

    SecurityAlert
    | summarize count(), last_record = arg_max(TimeGenerated, *) by AlertName
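    An added example query (not from this thread) that extends the SecurityAlert summary above. It assumes the standard SecurityAlert columns TimeGenerated, AlertName, AlertSeverity and ProviderName, and reports the oldest record still held per alert, which is the practical way to confirm that alert data feeding incidents is bounded by the workspace table retention:

```kql
// Added example, not part of the original reply.
// Assumes the standard SecurityAlert columns TimeGenerated, AlertName,
// AlertSeverity and ProviderName are present in the workspace.
SecurityAlert
| summarize
    alerts     = count(),
    first_seen = min(TimeGenerated),   // oldest record still retained
    last_seen  = max(TimeGenerated)    // most recent occurrence
  by AlertName, ProviderName, AlertSeverity
| extend retained_days = datetime_diff('day', now(), first_seen)
| order by alerts desc
```

    The retained_days column approaches the configured table retention for long-running alert types; anything older has already aged out, so incident trending built on SecurityAlert cannot reach further back than that window.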

     

    • kylemiller061
      Copper Contributor

      CliveWatson,

      Gotcha, so it looks like there is no way to directly access things like incident comments or labels from within Log Analytics, but rather we would need to access the Security Insights resource provider to get the full take data for trending on labels, dashboarding of incidents by assigned analysts, or searching comments etc. by pulling the data into a secondary platform?

      What are some of the community's solutions for this? Power BI?