Jul 28 2021 07:27 AM
Hello Team,
Is there a possibility to forward logs from Azure Sentinel to an external on-prem storage for long-term retention?
If yes, what are the pros and cons we need to consider?
Jul 28 2021 07:56 AM
@pavankemi Azure Sentinel is built on Log Analytics Workspaces. So, yes, the data can be exported to on-premises. Best practice would be to use an Event Hub to accomplish it.
However, there's a cost involved in both the Event Hub and data egress, which would be the biggest drawback. But, there's also the aspect that once the data is on-prem it's pretty much useless, i.e., you can't query it.
Instead, you might consider using ADX or even Blob storage in Azure to avoid large data egress costs. ADX provides the capability to still query the data. Here's a good explanation of how to use ADX with active Azure Sentinel data: https://cda.ms/2gw
Also see, Moving Azure Sentinel Data to ADX for Long Term Storage: https://cda.ms/2gv
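As an added illustration (not code from the thread or from Microsoft), the script below shows the two pieces a defender ends up handling when following the Event Hub / Blob storage route described above: the body of a Log Analytics data-export rule (a `Microsoft.OperationalInsights/workspaces/dataExports` resource, which is what the Event Hub and storage-account exports are built on), and a small parser plus integrity summary for the JSON-lines records that a storage export writes. The resource ID, table names and the two `SecurityEvent` records are constructed sample values; the JSON-lines layout and the `metaData.eventHubName` field are my reading of the documented export format and are assumptions here, not something the thread states.

```python
"""Added example: build a Log Analytics data-export rule body and verify the
exported JSON-lines records before committing them to long-term retention."""
import hashlib
import json
from datetime import datetime, timezone

# Resource providers that a data-export destination may belong to (storage
# account or Event Hub namespace); anything else is rejected up front.
VALID_DESTINATION_PROVIDERS = (
    "Microsoft.Storage/storageAccounts",
    "Microsoft.EventHub/namespaces",
)


def build_data_export_rule(tables, destination_id, event_hub_name=None, enable=True):
    """Return the request body for a workspaces/dataExports resource.

    `tables` are Log Analytics table names (e.g. SecurityEvent), `destination_id`
    is the ARM resource ID of a storage account or Event Hub namespace.
    """
    if not tables:
        raise ValueError("at least one table must be exported")
    if not any(p.lower() in destination_id.lower() for p in VALID_DESTINATION_PROVIDERS):
        raise ValueError("destination must be a storage account or Event Hub namespace")
    destination = {"resourceId": destination_id}
    if event_hub_name:
        # Assumption: naming a hub routes every table to that one hub; without
        # it, the export creates one hub per table in the namespace.
        destination["metaData"] = {"eventHubName": event_hub_name}
    return {
        "properties": {
            "destination": destination,
            "tableNames": list(tables),
            "enable": enable,
        }
    }


# Constructed sample: two SecurityEvent records in the one-JSON-object-per-line
# layout that a storage export writes. Hostnames and accounts are made up.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"TimeGenerated": "2021-07-28T07:30:12.000Z", "Type": "SecurityEvent",
                "EventID": 4625, "Computer": "srv01.example.local",
                "Account": "EXAMPLE\\alice"}),
    json.dumps({"TimeGenerated": "2021-07-28T07:31:40.000Z", "Type": "SecurityEvent",
                "EventID": 4624, "Computer": "srv01.example.local",
                "Account": "EXAMPLE\\bob"}),
    "",  # trailing newline, as a written blob would have
])


def parse_export_lines(text):
    """Parse JSON-lines export content, failing loudly on a malformed record
    rather than silently dropping it from the archive."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed record: {exc}") from exc
    return records


def summarize(records):
    """Per-table counts, the covered time range, and a SHA-256 over the
    canonicalised records so the on-prem copy can be integrity-checked later."""
    counts = {}
    times = []
    digest = hashlib.sha256()
    for rec in records:
        counts[rec["Type"]] = counts.get(rec["Type"], 0) + 1
        ts = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%S.%fZ")
        times.append(ts.replace(tzinfo=timezone.utc))
        digest.update(json.dumps(rec, sort_keys=True, separators=(",", ":")).encode())
    return {
        "counts": counts,
        "first": min(times).isoformat(),
        "last": max(times).isoformat(),
        "sha256": digest.hexdigest(),
    }


if __name__ == "__main__":
    # Placeholder IDs: replace with the real workspace destination when used.
    dest = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-archive"
            "/providers/Microsoft.Storage/storageAccounts/sentinelarchive")
    print(json.dumps(build_data_export_rule(["SecurityEvent", "Heartbeat"], dest), indent=2))
    print(json.dumps(summarize(parse_export_lines(SAMPLE_EXPORT)), indent=2))
```

The summary dictionary is what you would store alongside each archived blob: the counts let you reconcile what left the workspace against what arrived on-prem, and the digest lets you prove later that the retained copy has not been altered, which is the part of long-term retention that matters for an investigation.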
Feb 08 2023 02:19 PM