Forum Discussion
Incident Management Retention vs Log Retention
Hi, I'm testing out Microsoft Sentinel with a couple of Use Cases to prove it's value internally. I was also looking for an Incident Management Platform and considering RTIR for our case management....
Hi,
Thanks for the reply.
And everything related to a case, as notes, etc, is retained in the cases as well?
Thanks
Thanks for the reply.
And everything related to a case, as notes, etc, is retained in the cases as well?
Thanks
Yes, that's stored in the SecurityIncident table
- The Sentinel UI also shows Incident data older than the Workspace Retention period, but you will see an Informational warning like this below, as only a small subset of Incident data is stored outside the workspace, so its only usable to visually look at/filter on (if you need the detail increase the retention as mentioned above).
"Investigation cannot be used to investigate this incident because some of the data related to this incident is no longer stored."
