Incident Case Data Retention // Incident Case Log Location


Two separate questions for the community.

 

1. What is the retention period for incident case data? Is it limited to the retention period you have for the associated workspace?

2. I know I can access the incident case data via the "Microsoft.SecurityInsights/cases" resource provider, but is this accessible via Log Analytics directly?

 

Thank you for the help.

3 Replies

@kylemiller061

 

1. It maps to the table retention.

2. Some data is in the SecurityAlert table, more columns are to be added (tbc)

SecurityAlert
| summarize count(), last_record = arg_max(TimeGenerated, *) by AlertName

 

@CliveWatson 

 

Gotcha, so it looks like there is no way to directly access things like incident comments or labels from within Log Analytics, but rather we would need to access the Security Insights resource provider to get the full take data for trending on labels, dashboarding of incidents by assigned analysts, or searching comments etc. by pulling the data into a secondary platform?

 

What are some of the community's solutions for this? Power BI?

 

@kylemiller061 I have written a blog post about gathering this data in PowerBI here: https://www.garybushey.com/2020/01/20/azure-sentinel-incidents-in-powerbi/

 

Hope it helps
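The thread's conclusion is that labels, owner assignment and comments are only reachable through the Microsoft.SecurityInsights resource provider, so a secondary platform has to page through the ARM collection and aggregate the properties itself. The script below is an added example (not code from the thread, from the linked blog post, or from Microsoft) that does that pull-and-tabulate step in Python: it builds the ARM URL for a workspace's incident collection, walks every `nextLink` page, and counts incidents by assigned analyst, by user label and by severity. The resource path, the `2020-01-01` api-version and the `/incidents` type are assumptions (the thread names the older `cases` type); the JSON pages are constructed sample data whose shape follows the public REST reference, so the aggregation runs offline.

```python
"""Pull Azure Sentinel incidents from the Microsoft.SecurityInsights resource
provider and tabulate them by label, assigned analyst and severity.

Added example, not code from the thread or from Microsoft. The REST path, the
api-version and the /incidents resource type are assumptions; the thread names
the older Microsoft.SecurityInsights/cases type.
"""
import json
from collections import Counter
from typing import Callable, Iterable, Iterator
from urllib.request import Request, urlopen

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"  # assumption: stable SecurityInsights API version


def incidents_url(subscription_id: str, resource_group: str, workspace: str) -> str:
    """ARM URL for the incidents collection of one Sentinel workspace (assumed path)."""
    return (
        f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents?api-version={API_VERSION}"
    )


def comments_url(incidents_collection_url: str, incident_id: str) -> str:
    """Comments are a sub-resource of one incident, not a field of the list response
    (assumed path: .../incidents/{id}/comments)."""
    base = incidents_collection_url.split("?", 1)[0]
    return f"{base}/{incident_id}/comments?api-version={API_VERSION}"


def arm_get(url: str, bearer_token: str) -> dict:
    """GET a JSON document from ARM with an Azure AD access token (network call)."""
    req = Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_incidents(first_url: str, get_json: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every incident in the collection; ARM signals further pages via nextLink."""
    url, seen = first_url, set()
    while url and url not in seen:  # guard against a server echoing the same link
        seen.add(url)
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def summarize(incidents: Iterable[dict]) -> dict:
    """Counts by assigned analyst, by user label and by severity, over all statuses
    (closed incidents keep their labels, so label trending includes them)."""
    by_owner, by_label, by_severity = Counter(), Counter(), Counter()
    for inc in incidents:
        p = inc.get("properties", {})
        owner = (p.get("owner") or {}).get("assignedTo") or "(unassigned)"
        by_owner[owner] += 1
        by_severity[p.get("severity", "Unknown")] += 1
        for label in p.get("labels", []):
            by_label[label.get("labelName", "")] += 1
    return {"by_owner": dict(by_owner), "by_label": dict(by_label),
            "by_severity": dict(by_severity)}


# Constructed sample: two pages shaped like the incidents list response.
# Field names follow the public REST reference; every value is invented.
SAMPLE_PAGES = {
    "page1": {
        "value": [
            {"name": "aaaa-1", "properties": {"incidentNumber": 1, "severity": "High",
             "status": "Active", "owner": {"assignedTo": "Alice Analyst"},
             "labels": [{"labelName": "phishing", "labelType": "User"}]}},
            {"name": "aaaa-2", "properties": {"incidentNumber": 2, "severity": "Medium",
             "status": "New", "owner": {"assignedTo": None}, "labels": []}},
        ],
        "nextLink": "page2",
    },
    "page2": {
        "value": [
            {"name": "aaaa-3", "properties": {"incidentNumber": 3, "severity": "High",
             "status": "Closed", "owner": {"assignedTo": "Alice Analyst"},
             "labels": [{"labelName": "phishing", "labelType": "User"},
                        {"labelName": "false-positive", "labelType": "User"}]}},
        ],
    },
}


def summarize_sample() -> dict:
    """Run paging plus aggregation over the constructed pages (offline)."""
    return summarize(iter_incidents("page1", SAMPLE_PAGES.__getitem__))


if __name__ == "__main__":
    # Live use: token = an access token for https://management.azure.com/, then
    # summarize(iter_incidents(incidents_url(SUB, RG, WS), lambda u: arm_get(u, token)))
    print(json.dumps(summarize_sample(), indent=2))
```

The `get_json` callable is injected so the same paging loop runs against the constructed pages offline and against ARM with `arm_get` in production; the `seen` set stops the loop if a `nextLink` ever points back at a page already fetched. Because the retention answer in the thread ties the SecurityAlert data to the table's retention, a periodic pull like this is also what keeps the incident metadata beyond the workspace retention window.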