Deviating retention period in Sentinel than in other Azure Data Sources
Hi community,

Our company wants to set the retention period for logs of Microsoft Cloud components, e.g. Teams, Exchange (Online), ... to 30 days.

On the other hand, the data in Sentinel, or should I better say in the respective Log Analytics Workspace, should be stored for 90 days.

I do not know if the logs from the data sources are copied or linked when they are ingested in Sentinel (LAW).

If they were linked, then I would expect that the data would be purged after the 30-day period and we could never reach the retention of 90 days needed by security.

Can someone point me in the right direction?

2 Replies
After you ingest them into Sentinel, they are linked and the only retention they follow is the retention set on the workspace.
They don't follow the original retention from the product.

You can also set up table-level RBAC if needed: https://m365securitybook.com/2021/12/21/configuring-table-level-retention-in-microsoft-sentinel/
You can also set table-level retention if it is an absolute requirement to only keep data 30 days (which I would not recommend, since you get 90 days of free storage in MS Sentinel).

https://docs.microsoft.com/en-us/azure/azure-monitor/logs/manage-cost-storage#retention-by-data-type
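An added example (not from this thread) of the split the question describes, done with the Azure CLI: the workspace default stays at 90 days, and only the OfficeActivity table (where the Office 365 connector lands Teams and Exchange Online audit data) is overridden to 30 days, then read back to confirm what Azure applied. The resource-group and workspace names are placeholders, and setting AZ=echo turns the script into a dry run.

```shell
#!/usr/bin/env bash
# Added example: workspace retention 90 days, OfficeActivity table 30 days.
# Assumes the Azure CLI is installed and logged in; RG/WS names are placeholders.
# AZ can be overridden (AZ=echo) to print the commands instead of running them.
set -eu
AZ="${AZ:-az}"

# Reject anything that is not a positive integer; Azure enforces its own bounds.
valid_days() {
  case "${1:-}" in
    ''|*[!0-9]*|0*) return 1 ;;
    *) return 0 ;;
  esac
}

# Workspace-wide default: applies to every table without its own override.
set_workspace_retention() {  # rg ws days
  valid_days "$3" || { echo "bad retention: $3" >&2; return 1; }
  $AZ monitor log-analytics workspace update \
    --resource-group "$1" --workspace-name "$2" --retention-time "$3"
}

# Per-table override; wins over the workspace default for that table only.
set_table_retention() {  # rg ws table days
  valid_days "$4" || { echo "bad retention: $4" >&2; return 1; }
  $AZ monitor log-analytics workspace table update \
    --resource-group "$1" --workspace-name "$2" --name "$3" --retention-time "$4"
}

# Read back the retention Azure actually applied to a table.
show_table_retention() {  # rg ws table
  $AZ monitor log-analytics workspace table show \
    --resource-group "$1" --workspace-name "$2" --name "$3" \
    --query retentionInDays --output tsv
}

# The plan from the thread: 90 days on the workspace, 30 on OfficeActivity.
apply_plan() {  # rg ws
  set_workspace_retention "$1" "$2" 90
  set_table_retention "$1" "$2" OfficeActivity 30
  show_table_retention "$1" "$2" OfficeActivity
}
```

Run `AZ=echo apply_plan my-rg my-workspace` after sourcing the file to see the exact commands before touching the real workspace.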