SOLVED

Sentinel storage is based on Log Analytics? How can we extend past 730 day limit?

Frequent Contributor

Hi All, we have a Customer that requires a retention limit of 3 years and at the moment we seem to be restricted via Log Analytics to a default of 730 days?
https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#log-analytics-limits

Is there any way of extending this beyond the 730 day limit via other storage mechanisims?

2 Replies
best response confirmed by David Caddick (Frequent Contributor)
Solution

@David Caddick 

 

The workspace retention cannot be extended beyond 730 days as of now. We are working on a solution to stream data to a colder storage. For now, the available option is to create a program (Azure functions, PowerShell, Logic Apps) that will read the date using the Log Analytics API and send it external storage.

 

~ Ofer

Thanks @Ofer_Shezaf 

 

Here in Western Australia we have the local "Office of Auditor General" reviewing local State Govt. departments and insisting that the policy is 3 years, I am assuming it is similar in most states and internationally this is likely to have other policies that are longer than the existing 2 years?
We'll run with 2 Years (730 days) for now and make a determination on that later - can you advise what the best process is to formally request this so this request can be tracked? Should it be simply via a Support request?

 

Regards,
Dave C