Forum Discussion
dmarquesgn (Iron Contributor)
Jan 31, 2022
Incident Management Retention vs Log Retention
Hi,
I'm testing out Microsoft Sentinel with a couple of Use Cases to prove its value internally. I was also looking for an Incident Management Platform and considering RTIR for our case management. But Sentinel has most of the stuff we need for starting with case management.
My question is if the incidents we manage are retained forever or if they are aligned with the Log retention period (which now I have 90 days)? That would make a huge difference on using Sentinel for case management as well.
Thanks
- Thijs Lecomte (Bronze Contributor)
By default, incidents are retained as your generic LA workspace retention.
You could set up table level retention to ensure your SecurityIncident and SecurityAlert tables are retained longer: https://m365securitybook.com/2021/12/21/configuring-table-level-retention-in-microsoft-sentinel/
- dmarquesgn (Iron Contributor)
Hi,
Thanks for the reply.
And everything related to a case, such as notes, etc., is retained in the cases as well?
Thanks
- Thijs Lecomte (Bronze Contributor)
Yes, that's stored in the SecurityIncident table
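Added example, not part of the thread or the linked article: one way to apply the table-level retention suggested above with the Azure CLI, covering both tables the answer names. The resource group, workspace name and the 730-day value are placeholders assumed for illustration; the 90-day default is the figure from the question.

```shell
#!/usr/bin/env bash
# Added example: table-level retention for the Sentinel incident tables.
# RG, WS and RETENTION_DAYS are placeholders (assumptions, not from the thread).
RG="${RG:-<resource-group>}"
WS="${WS:-<workspace-name>}"
RETENTION_DAYS="${RETENTION_DAYS:-730}"
WORKSPACE_DEFAULT_DAYS="${WORKSPACE_DEFAULT_DAYS:-90}"  # asker's current workspace retention
APPLY="${APPLY:-0}"                                     # 0 = dry run, 1 = call az
TABLES="SecurityIncident SecurityAlert"                 # tables named in the answer

# Set retention on one table; refuses values that would not outlive the workspace default.
set_retention() {
  table="$1"; days="$2"
  case "$days" in
    ''|*[!0-9]*) echo "invalid retention days: '$days'" >&2; return 2 ;;
  esac
  if [ "$days" -le "$WORKSPACE_DEFAULT_DAYS" ]; then
    echo "$table: $days days does not exceed the workspace default ($WORKSPACE_DEFAULT_DAYS)" >&2
    return 3
  fi
  set -- az monitor log-analytics workspace table update \
    --resource-group "$RG" --workspace-name "$WS" \
    --name "$table" --retention-time "$days"
  if [ "$APPLY" = "1" ]; then
    "$@"
  else
    echo "DRY-RUN: $*"
  fi
}

# Apply to every incident-related table; non-zero if any table failed.
apply_all() {
  rc=0
  for t in $TABLES; do
    set_retention "$t" "$RETENTION_DAYS" || rc=1
  done
  return "$rc"
}

apply_all
```

Run it as-is to print the commands, then with `APPLY=1` and real `RG`/`WS` values from a session already signed in with `az login`.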