Aug 30 2022 05:57 AM
In Defender for Endpoint the log retention can be configured to max 180 days and in Advanced Search it is possible to query the events/data for the last 30 days.
Taking into consideration that querying long-term logs is very important (for forensics, retro-investigations, etc.) and that we need to save all security related events for 360 days, I am looking for the best solution. Basically I would need some tables (DeviceNetworkEvents, DeviceProcessEvents, etc.) to be saved for 1 year.
I have read this article:
Long-term security log retention with Azure Data Explorer - Azure Example Scenarios | Microsoft Docs
So there is a solution to use 1) Azure Data Explorer or 2) directly the Azure Data Lake Storage. I have read that the Storage option is less complex. Would I be able to make KQL queries against the Azure Data Lake Storage?
Any tip and hint that I should take into consideration? Thanks a lot for any feedback in advance.
Aug 30 2022 06:17 AM
Have you seen this yet?
Query data in Azure Data Lake using Azure Data Explorer
https://docs.microsoft.com/en-us/azure/data-explorer/data-lake-query-data
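As an added illustration of what the linked article describes (this is not code from the thread or from the docs): an external table in Azure Data Explorer that points at DeviceNetworkEvents files already exported into ADLS Gen2, followed by a one-year retro-investigation query over it. The storage account, container path, Parquet format, day partitioning and the column subset are assumptions; how the export into the lake is done is out of scope here.

```kusto
// Added example. Assumes DeviceNetworkEvents has been exported to ADLS Gen2 as Parquet
// under mde-archive/DeviceNetworkEvents/y=YYYY/m=MM/d=DD/ (placeholder storage account).
// This control command and the query below are sent as two separate requests.
.create external table DeviceNetworkEventsArchive (
    Timestamp:datetime,
    DeviceId:string,
    DeviceName:string,
    ActionType:string,
    RemoteIP:string,
    RemotePort:int,
    RemoteUrl:string,
    InitiatingProcessFileName:string,
    InitiatingProcessCommandLine:string
)
kind=storage
partition by (EventDate:datetime = bin(Timestamp, 1d))
pathformat = ("y=" datetime_pattern("yyyy", EventDate) "/m=" datetime_pattern("MM", EventDate) "/d=" datetime_pattern("dd", EventDate))
dataformat=parquet
(
    // ';impersonate' uses the caller's own Azure AD identity instead of a stored storage key
    h@'https://<storageaccount>.dfs.core.windows.net/mde-archive/DeviceNetworkEvents;impersonate'
)

// Retro-investigation beyond the 30-day Advanced Hunting window:
// which devices talked to a given remote IP during the last 365 days?
// 203.0.113.10 is a constructed placeholder from the TEST-NET-3 range.
external_table('DeviceNetworkEventsArchive')
| where Timestamp between (ago(365d) .. now())
| where RemoteIP == "203.0.113.10"
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Connections=count()
    by DeviceName, InitiatingProcessFileName
| order by Connections desc
```

The day partitions let the query prune to only the folders inside the requested time range, which keeps a year-wide scan over the lake affordable.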
Aug 30 2022 08:35 AM