Long Term Security Log Retention Possibilitites

Copper Contributor

In Defender for Endpoint the log retention can be configured to max 180 days and in Advanced Search it is possible to query the events/data for the last 30 days. 

 

Taking into consideration, that querying long-termin logs is very important (for forensics, retro-investigations, etc.) and that we need to save all security related events for 360 days, I am looking for the best solution.  Basicly I would need some tables (DeviceNetworkEvents, DeviceProcessEvents, etc.) to be saved for 1 year. 

 

I have read this article:

Long-term security log retention with Azure Data Explorer - Azure Example Scenarios | Microsoft Docs

 

So there is a solution to use 1) Azure Data Explorer or 2) dircetly the Azure Data Lake Storage. I have read that the Storage option is less complex. Would I be able to make KQL queries agains the Azure Data Lake Storage? 

 

Any tip and hint that I should take into consideration? Thanks a lot for any feedback in advance. 

 

 

 

 

2 Replies

@CurlX2305 

 

Have you seen this yet?

 

Query data in Azure Data Lake using Azure Data Explorer

https://docs.microsoft.com/en-us/azure/data-explorer/data-lake-query-data 

Thank you, no I havent seen this yet, this will be helpful, thanks.