Forward logs from Azure Sentinel to external on prem storage

Hello Team,

Is there a possibility to forward logs from Azure Sentinel to an external on-prem storage for long-term retention?

If yes, what are the pros and cons we need to consider?

2 Replies

@pavankemi Azure Sentinel is built on Log Analytics Workspaces. So, yes, the data can be exported to on-premises. Best practice would be to use an Event Hub to accomplish it.

However, there's a cost involved in both the Event Hub and data egress, which would be the biggest drawback. But there's also the aspect that once the data is on-prem it's pretty much useless, i.e., you can't query it.

Instead, you might consider using ADX or even Blob storage in Azure to avoid large data egress costs. ADX provides the capability to still query the data. Here's a good explanation of how to use ADX with active Azure Sentinel data: https://cda.ms/2gw

Also see, Moving Azure Sentinel Data to ADX for Long Term Storage: https://cda.ms/2gv
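The Event Hub route from the reply, written out as a continuous data export rule on the Sentinel workspace. This is an added example, not code from the thread or from Microsoft; the workspace, namespace, hub and table names are placeholders to replace with your own.

```bicep
// Placeholder names: substitute your own workspace, namespace and hub.
param workspaceName string = 'sentinel-workspace'
param namespaceName string = 'sentinel-export-ns'
param eventHubName string = 'sentinel-export'
param location string = resourceGroup().location

// The existing Log Analytics workspace that Sentinel is enabled on.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Event Hub namespace and hub that the on-prem consumer reads from.
resource ns 'Microsoft.EventHub/namespaces@2021-11-01' = {
  name: namespaceName
  location: location
  sku: { name: 'Standard', tier: 'Standard', capacity: 1 }
}

resource hub 'Microsoft.EventHub/namespaces/eventhubs@2021-11-01' = {
  parent: ns
  name: eventHubName
  properties: {
    messageRetentionInDays: 7 // buffer in case the on-prem consumer falls behind
    partitionCount: 4
  }
}

// Continuous export rule. Only the listed tables leave the workspace, so the
// egress cost the reply warns about is bounded by this list. The rule applies
// to data ingested after it is created; it does not back-fill history.
resource export 'Microsoft.OperationalInsights/workspaces/dataExports@2020-08-01' = {
  parent: workspace
  name: 'to-onprem-eventhub'
  properties: {
    destination: {
      resourceId: ns.id
      metaData: { eventHubName: hub.name } // omit to get one hub per table
    }
    tableNames: [ 'SecurityEvent', 'SigninLogs', 'Syslog' ]
    enable: true
  }
}
```

For the Blob storage alternative mentioned in the reply, point `destination.resourceId` at a storage account instead and drop the `metaData` block.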