Forum Discussion
dmarquesgn
Jan 31, 2022Iron Contributor
Incident Management Retention vs Log Retention
Hi, I'm testing out Microsoft Sentinel with a couple of Use Cases to prove its value internally. I was also looking for an Incident Management Platform and considering RTIR for our case management....
Thijs Lecomte
Jan 31, 2022Bronze Contributor
By default, incidents are retained as your generic LA workspace retention.
You could setup table level retention to ensure your SecurityIncident and SecurityAlert tables are retained longer: https://m365securitybook.com/2021/12/21/configuring-table-level-retention-in-microsoft-sentinel/
- dmarquesgn
Jan 31, 2022Iron Contributor
Hi,
Thanks for the reply.
And everything related to a case, such as notes, etc., is retained in the cases as well?
Thanks
- Thijs Lecomte
Jan 31, 2022Bronze Contributor
Yes, that's stored in the SecurityIncident table
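One way to apply the table-level retention Thijs describes above, added here as an example (it is not code from the thread or from the linked post). It drives the Log Analytics Tables REST API through `az rest`, so it needs an authenticated Azure CLI session; the subscription ID, resource group and workspace name are placeholders, and the API version and day limits are the ones in force around the time of the thread, so check the current docs before relying on them. SecurityIncident and SecurityAlert are the two tables the replies name; the script validates the requested values, PUTs them, then reads each table back so you confirm what the service actually stored.

```shell
#!/bin/sh
# Added example (not from the thread or the linked post): raise table-level
# retention on the Sentinel incident tables via the Log Analytics Tables REST
# API using `az rest`. Requires `az login` to have been run. Subscription,
# resource group and workspace names are placeholders (assumptions).
set -eu

API_VERSION="2021-12-01-preview"   # first version exposing totalRetentionInDays
# Limits as documented around the time of the thread (assumption; verify today):
# interactive retention 4-730 days, total (interactive + archive) up to 2555 days.
MIN_INTERACTIVE=4
MAX_INTERACTIVE=730
MAX_TOTAL=2555

# Tables the thread identifies: incident data (including notes/comments) lives
# in SecurityIncident, the underlying alerts in SecurityAlert.
SENTINEL_TABLES="SecurityIncident SecurityAlert"

# table_url SUBSCRIPTION RG WORKSPACE TABLE -> ARM URL of the table resource
table_url() {
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s/tables/%s?api-version=%s' \
    "$1" "$2" "$3" "$4" "$API_VERSION"
}

# validate_retention INTERACTIVE TOTAL -> 0 only if both are integers within
# the limits above and total is not shorter than interactive.
validate_retention() {
  for n in "$1" "$2"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
  done
  [ "$1" -ge "$MIN_INTERACTIVE" ] && [ "$1" -le "$MAX_INTERACTIVE" ] || return 1
  [ "$2" -ge "$1" ] && [ "$2" -le "$MAX_TOTAL" ] || return 1
}

# retention_body INTERACTIVE TOTAL -> JSON payload for the table PUT
retention_body() {
  printf '{"properties":{"retentionInDays":%d,"totalRetentionInDays":%d}}' "$1" "$2"
}

# apply_retention SUBSCRIPTION RG WORKSPACE TABLE INTERACTIVE TOTAL
# PUTs the new retention, then GETs the table so you verify what the service
# stored rather than trusting what you sent.
apply_retention() {
  url=$(table_url "$1" "$2" "$3" "$4")
  validate_retention "$5" "$6" || { echo "invalid retention $5/$6 for $4" >&2; return 1; }
  az rest --method put --url "$url" --body "$(retention_body "$5" "$6")" >/dev/null
  az rest --method get --url "$url" \
    --query '{table:name, retentionInDays:properties.retentionInDays, totalRetentionInDays:properties.totalRetentionInDays}' \
    -o table
}

# Usage: ./sentinel-retention.sh SUBSCRIPTION_ID RESOURCE_GROUP WORKSPACE [INTERACTIVE_DAYS] [TOTAL_DAYS]
# With fewer than three arguments the script only defines the functions above.
if [ "$#" -ge 3 ]; then
  interactive="${4:-730}"
  total="${5:-$interactive}"
  for t in $SENTINEL_TABLES; do
    apply_retention "$1" "$2" "$3" "$t" "$interactive" "$total"
  done
fi
```

Run it as `./sentinel-retention.sh <subscription-id> rg-sentinel law-sentinel 730 2555` to keep two years queryable and a further five in archive; the read-back after each PUT is the check worth keeping, since a silently rejected value would leave the incident tables on the workspace default.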
- Clive_Watson
Jan 31, 2022Bronze Contributor
The Sentinel UI also shows Incident data older than the Workspace Retention period, but you will see an Informational warning like this below, as only a small subset of Incident data is stored outside the workspace, so it's only usable to visually look at/filter on (if you need the detail, increase the retention as mentioned above).
"Investigation cannot be used to investigate this incident because some of the data related to this incident is no longer stored."