Deviating retention period in Sentinel than in other Azure Data Sources

Regular Visitor

Hi community,

our company wants to set the retention period for logs of Microsoft Cloud components e.g. Teams, Exchange (Online), ...  to 30 days.

 

On the other hand, the data in Sentinel or should I better say in the respective Log Analytics Workspace should be stored for 90 days.

 

I do not know if the logs from the data sources are copied or linked when they are ingested in Sentinel (LAW).

If they were linked than i would expect that the data would be purged after the 30 day period and we never can reach the retention of 90 days needed by security.

 

Can someone point me in the right direction?

2 Replies
After you ingest them into Sentinel, they are linked and the only retention they follow is the retention set on the workspace.
They don't follow the original retention from the product.

You can also set up table level RBAC if needed: https://m365securitybook.com/2021/12/21/configuring-table-level-retention-in-microsoft-sentinel/
You can also set table level retention if it is an absolute requirement to only keep data 30 days (which I would not recommend since you get 90 days of free storage in MS Sentinel)

https://docs.microsoft.com/en-us/azure/azure-monitor/logs/manage-cost-storage#retention-by-data-type