In Defender for Endpoint the log retention can be configured to max 180 days and in Advanced Search it is possible to query the events/data for the last 30 days.
Taking into consideration, that querying long-termin logs is very important (for forensics, retro-investigations, etc.) and that we need to save all security related events for 360 days, I am looking for the best solution. Basicly I would need some tables (DeviceNetworkEvents, DeviceProcessEvents, etc.) to be saved for 1 year.
I have read this article:
Long-term security log retention with Azure Data Explorer - Azure Example Scenarios | Microsoft Docs
So there is a solution to use 1) Azure Data Explorer or 2) dircetly the Azure Data Lake Storage. I have read that the Storage option is less complex. Would I be able to make KQL queries agains the Azure Data Lake Storage?
Any tip and hint that I should take into consideration? Thanks a lot for any feedback in advance.
