Forum Discussion
Sentinel Data - where to after 90 days?
Hey all,
I currently have Sentinel and it's configured with data only stored in Log Analytics for 90 days. This has always been more than enough. However, I am now getting a new corporate directive to hold data for 1 year. I started researching the best methods and it appears I have 2 options - Azure Data Explorer or Archive. I know that ADX provides data querying ability where the Archive won't. So, in today's Sentinel, which of these is the preferred option?
TIA
~DGM~
DGMalcolm this isn't major, simply like many other Azure services you need to deploy it and run it. Unlike log analytics where Microsoft run the underlying service, with ADX you manage the cluster and also the Eventhub service that sends the data to ADX.
4 Replies
- It may come down to simplicity and cost. ADX requires setup and on-going management but gives you quick access to the data. There is also a BLOB storage but that has its own cost vs usage to assess.
Archive is more set and forget but is best suited for occasional use hence its low cost. So if you are only keeping the data for compliance or very occasional use then this is often the best choice. Do factor in the restore costs for the occasions yiu do need the data restoredClive_Watson Thank you for your response.
When you say that ADX has "ongoing management" requirements what do you mean?
DGMalcolm this isn't major, simply like many other Azure services you need to deploy it and run it. Unlike log analytics where Microsoft run the underlying service, with ADX you manage the cluster and also the Eventhub service that sends the data to ADX.
