Microsoft Tech Community

Forward logs from Azure Sentinel to external on prem storage


Hello Team,

Is there a possibility to forward logs from Azure Sentinel to external on-prem storage for long-term retention?

If yes, what are the pros and cons we need to consider?

3 Replies

@pavankemi Azure Sentinel is built on Log Analytics Workspaces. So, yes, the data can be exported to on-premises. Best practice would be to use an Event Hub to accomplish it.

However, there's a cost involved in both the Event Hub and data egress, which would be the biggest drawback. But there's also the aspect that once the data is on-prem, it is pretty much useless, i.e., you can't query it.

Instead, you might consider using ADX or even Blob storage in Azure to avoid large data egress costs. ADX provides the capability to still query the data. Here's a good explanation of how to use ADX with active Azure Sentinel data: https://cda.ms/2gw

Also see, Moving Azure Sentinel Data to ADX for Long Term Storage: https://cda.ms/2gv
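The export path described in the reply above (a Log Analytics data export rule that streams selected tables into an Event Hub namespace) as an added worked example; this is not code from the thread or from Microsoft. It assumes the Az.Accounts, Az.OperationalInsights and Az.EventHub modules, a signed-in context, and an existing Event Hub namespace. The resource group, workspace, namespace and table names are placeholders:

```powershell
# Added example: create an Azure Monitor data export rule from the Log Analytics
# workspace behind Sentinel into an Event Hub namespace. Requires Az.Accounts,
# Az.OperationalInsights and Az.EventHub, and a prior Connect-AzAccount.
# All names below are placeholders (assumptions), not values from the thread.

$rg        = 'rg-sentinel'
$workspace = 'law-sentinel'
$ehNs      = 'ehns-sentinel-export'
$subId     = (Get-AzContext).Subscription.Id

# Export rules are per table. Pick only the tables worth retaining long-term;
# every exported GB is billed for the export itself, the Event Hub throughput
# and, once a consumer pulls it on-prem, the egress.
$tables = @('SecurityEvent', 'SigninLogs', 'AuditLogs', 'CommonSecurityLog')

# Destination is the namespace resource ID. Azure Monitor then creates one
# event hub per table, named am-<tablename>. (A storage account resource ID
# works the same way and yields one container per table, also am-<tablename>.)
$nsResourceId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.EventHub/namespaces/$ehNs"

# Fail early if the namespace does not exist rather than leaving a dangling rule.
$null = Get-AzResource -ResourceId $nsResourceId -ErrorAction Stop

New-AzOperationalInsightsDataExport `
    -ResourceGroupName $rg `
    -WorkspaceName     $workspace `
    -DataExportName    'export-to-eventhub' `
    -TableName         $tables `
    -ResourceId        $nsResourceId `
    -Enable            $true

# Verify what is configured on the workspace.
Get-AzOperationalInsightsDataExport -ResourceGroupName $rg -WorkspaceName $workspace |
    Format-List

# Caveat to plan for: the rule only forwards records ingested after it is
# created. Nothing already sitting in the workspace is replayed into the hub.
```

The consumer side (an ADX data connection, or an on-prem process reading the `am-*` hubs and writing to disk) is where the retention format is decided; whatever you write on-prem should be immutable and integrity-checked, because it is the copy you will rely on when the workspace data has aged out.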

Hi Rod, top of the day to you. I have successfully ingested logs from Sentinel to ADX; however, historical events in Sentinel prior to creation of the event hubs could not be found. Could you kindly guide on the standard practice to ingest old logs in Sentinel?
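One way to back-fill records that predate the export rule, as an added example that is not part of the thread and not a Microsoft-provided procedure: a data export rule forwards only what is ingested after it exists, so anything older has to be read back through the Log Analytics query API while the workspace still retains it (interactive retention only; archived data needs a search job first) and then landed wherever the long-term copy lives. This script pulls one table in fixed time windows to local JSON-lines files with a SHA-256 manifest; it assumes Az.Accounts and Az.OperationalInsights, a signed-in context, and placeholder workspace ID, table and output path:

```powershell
# Added example: back-fill historical records from a Log Analytics workspace to
# local (on-prem) files in time-bounded windows. Requires Az.Accounts and
# Az.OperationalInsights and a prior Connect-AzAccount.
# Workspace ID (the workspace's customer ID GUID), table, range and path are
# placeholders (assumptions), not values from the thread.

$workspaceId = '00000000-0000-0000-0000-000000000000'
$table       = 'SecurityEvent'
$outDir      = 'D:\sentinel-archive\SecurityEvent'
$from        = [datetime]::UtcNow.AddDays(-90).Date   # start of back-fill window
$to          = [datetime]::UtcNow.Date                # end (exclusive)
$chunk       = [timespan]::FromHours(1)               # one query per hour of data

# A single query result is capped (500,000 rows / ~64 MB); small windows keep
# each call under the cap and make a failed window cheap to re-run.
$rowCap = 500000

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$manifest = Join-Path $outDir 'manifest.sha256'

for ($start = $from; $start -lt $to; $start = $start.Add($chunk)) {
    $end = $start.Add($chunk)
    $lo  = $start.ToString('yyyy-MM-ddTHH:mm:ssZ')
    $hi  = $end.ToString('yyyy-MM-ddTHH:mm:ssZ')

    # Explicit, half-open bounds so consecutive windows neither overlap nor gap.
    $kql = "$table | where TimeGenerated >= datetime($lo) and TimeGenerated < datetime($hi)"

    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
    $rows   = @($result.Results)

    if ($rows.Count -eq 0) { continue }
    if ($rows.Count -ge $rowCap) {
        # Do not silently archive a truncated window; shrink $chunk and re-run it.
        Write-Warning "Window $lo..$hi hit the row cap; results may be truncated"
    }

    # One JSON object per line: streams well, greps well, and loads into ADX or
    # any log tool later without a schema conversion step.
    $file  = Join-Path $outDir ("{0}_{1:yyyyMMddTHHmm}Z.jsonl" -f $table, $start)
    $lines = $rows | ForEach-Object { $_ | ConvertTo-Json -Depth 10 -Compress }
    Set-Content -Path $file -Value $lines -Encoding UTF8

    # Record a hash per file so tampering or bit-rot in the archive is detectable.
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    Add-Content -Path $manifest -Value "$hash  $(Split-Path $file -Leaf)"

    Write-Host ("{0}..{1}: {2} rows -> {3}" -f $lo, $hi, $rows.Count, (Split-Path $file -Leaf))
}
```

The same loop can target ADX instead of disk by replacing the `Set-Content` step with an ingestion call against the table the export already populates; the time-bounded windows are what matter, since they let the back-fill stop exactly at the point where the Event Hub export took over without double-counting records.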