Azure Sentinel Blob Storage Query


I'm reviewing the use of Azure Blob Storage Hot, Cool and Archive tiers for storing data from Azure Sentinel's Log Analytics for when data needs to be retained for a long portion of time.


I have reviewed the 'Move Your Azure Sentinel Logs to Long-Term Storage with Ease' (https://techcommunity.microsoft.com/t5/azure-sentinel/move-your-azure-sentinel-logs-to-long-term-sto...) blog which details the use of a playbook to copy data to a new blob container.

Reviewing the blog post I believe the data shown in the example is hot storage.


If the blob storage is using the cool storage tier, does anyone know if this would be easily queryable within Azure Sentinel using the same method, and if this will cause any potential timeout issues I would need to consider?

3 Replies

@arran1580 Looking at this article, Access tiers for Azure Blob Storage - hot, cool, and archive | Microsoft Docs, the latency is in milliseconds, so I would think you would be able to access it easily enough.

Don't forget to factor in the fact that cold storage has higher transaction and access costs, so make sure you would access the data very infrequently.
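The two replies above make two points worth checking before a query is pointed at a retention container: hot and cool blobs can be read directly (cool at a higher per-read cost), while archive-tier blobs are offline until rehydrated, so a query that includes them cannot succeed. The following Python script, added here as an example and not code from the thread or from the referenced playbook, takes a blob listing in the shape produced by `az storage blob list -o json`, splits it into blobs that can be queried now, blobs still rehydrating, and blobs that are archived, and counts how many reads each tier would incur. The listing is constructed inline; the blob names and the `properties.blobTier` / `properties.rehydrationStatus` field names are assumptions about the CLI output shape, so verify them against a real listing before relying on the script.

```python
import json

# Constructed sample listing: mimics `az storage blob list -o json`
# (name plus properties.blobTier). Names and tiers are made up.
SAMPLE_LISTING = json.dumps([
    {"name": "SecurityEvent/2020/11/01/PT1H.json",
     "properties": {"blobTier": "Hot"}},
    {"name": "SecurityEvent/2020/08/01/PT1H.json",
     "properties": {"blobTier": "Cool"}},
    {"name": "SecurityEvent/2019/01/01/PT1H.json",
     "properties": {"blobTier": "Archive", "rehydrationStatus": None}},
    {"name": "SecurityEvent/2019/02/01/PT1H.json",
     "properties": {"blobTier": "Archive",
                    "rehydrationStatus": "rehydrate-pending-to-cool"}},
])

# Tiers whose blobs are online and can be read by a query immediately.
ONLINE_TIERS = {"hot", "cool"}


def classify_blobs(listing_json, prefix=""):
    """Partition a blob listing into what a query can read right now.

    Returns a dict with:
      readable     - hot/cool blobs under `prefix` (queryable now)
      rehydrating  - archive blobs with a pending rehydration (not yet readable)
      archived     - archive blobs that would need a rehydration request first
      tier_counts  - number of blobs per tier, i.e. the read operations a
                     full query over `prefix` would incur in each tier
    Assumes the `blobTier` and `rehydrationStatus` keys under `properties`.
    """
    report = {"readable": [], "rehydrating": [], "archived": [],
              "tier_counts": {}}
    for blob in json.loads(listing_json):
        name = blob["name"]
        if not name.startswith(prefix):
            continue
        props = blob.get("properties") or {}
        tier = (props.get("blobTier") or "unknown").lower()
        report["tier_counts"][tier] = report["tier_counts"].get(tier, 0) + 1
        if tier in ONLINE_TIERS:
            report["readable"].append(name)
        elif tier == "archive" and props.get("rehydrationStatus"):
            report["rehydrating"].append(name)
        else:
            # Archive (or unrecognised) tier with no rehydration in flight.
            report["archived"].append(name)
    return report


def queryable_names(listing_json, prefix=""):
    """Convenience wrapper: only the blob names a query may safely include."""
    return classify_blobs(listing_json, prefix)["readable"]


if __name__ == "__main__":
    # Example run over the constructed listing, restricted to one table.
    print(json.dumps(classify_blobs(SAMPLE_LISTING, "SecurityEvent/"), indent=2))
```

Run the classification over the whole container before every query and feed only `readable` into it; a non-empty `archived` list means a rehydration has to be requested (and waited for) first, and a growing `cool` count in `tier_counts` is the access-cost signal the second reply warns about.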

@Gary Bushey Thanks for this information. I will keep this in mind when considering the tier of Blob storage.