Incident Management Retention vs Log Retention

I'm testing out Microsoft Sentinel with a couple of Use Cases to prove its value internally. I was also looking for an Incident Management Platform and considering RTIR for our case management. But Sentinel has most of the stuff we need for starting with case management.
My question is if the incidents we manage are retained forever or if they are aligned with the Log retention period (which is now 90 days for me)? That would make a huge difference in using Sentinel for case management as well.

4 Replies
By default, incidents are retained according to your generic LA workspace retention.
You could set up table-level retention to ensure your SecurityIncident and SecurityAlert tables are retained longer:
Thanks for the reply.
And everything related to a case, as notes, etc, is retained in the cases as well?
Yes, that's stored in the SecurityIncident table.
The Sentinel UI also shows Incident data older than the Workspace Retention period, but you will see an Informational warning like the one below, as only a small subset of Incident data is stored outside the workspace, so it's only usable to visually look at/filter on (if you need the detail, increase the retention as mentioned above).

"Investigation cannot be used to investigate this incident because some of the data related to this incident is no longer stored."
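The replies above suggest raising table-level retention on SecurityIncident and SecurityAlert rather than relying on the workspace default. The script below is an added example, not code from the thread or from Microsoft: it validates a requested (interactive, total) retention pair against the Log Analytics limits assumed here (interactive retention 4 to 730 days, total retention up to 4383 days, total never below interactive) and then builds the Azure CLI `az monitor log-analytics workspace table update` call for each table. The resource group and workspace names are placeholders, and by default it only prints the commands (DRY_RUN=1) so you can review them before running them for real.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): extend interactive and total retention on the
# Sentinel case-management tables so incident data outlives the 90-day workspace default.
# Assumes Azure CLI is installed and logged in when DRY_RUN=0; names below are placeholders.

RESOURCE_GROUP="${RESOURCE_GROUP:-my-sentinel-rg}"        # placeholder resource group
WORKSPACE="${WORKSPACE:-my-sentinel-workspace}"           # placeholder workspace name

# Validate a retention pair against the Log Analytics limits assumed here:
#   interactive: 4..730 days, total: <= 4383 days (12 years), total >= interactive.
# Returns 0 when the pair is acceptable, 1 otherwise (non-numeric input is rejected).
validate_retention() {
  interactive="$1"; total="$2"
  [ -n "$interactive" ] && [ -n "$total" ] || return 1
  case "$interactive$total" in *[!0-9]*) return 1 ;; esac
  [ "$interactive" -ge 4 ] && [ "$interactive" -le 730 ] || return 1
  [ "$total" -le 4383 ] || return 1
  [ "$total" -ge "$interactive" ] || return 1
  return 0
}

# Build (and, unless DRY_RUN=1, execute) the az command that sets retention on one table.
# Prints the command so a reviewer can see exactly what would change.
set_table_retention() {
  table="$1"; interactive="$2"; total="$3"
  if ! validate_retention "$interactive" "$total"; then
    echo "invalid retention for $table: interactive=$interactive total=$total" >&2
    return 1
  fi
  cmd="az monitor log-analytics workspace table update \
--resource-group $RESOURCE_GROUP --workspace-name $WORKSPACE \
--name $table --retention-time $interactive --total-retention-time $total"
  echo "$cmd"
  if [ "${DRY_RUN:-1}" != "1" ]; then
    $cmd
  fi
}

# Keep incidents and alerts interactive for a year and archived for two years in total.
for table in SecurityIncident SecurityAlert; do
  set_table_retention "$table" 365 730
done
```

Run it once with the default dry run to inspect the generated commands, then with `DRY_RUN=0` to apply them. Raising only the interactive retention on these two tables is cheaper than raising the whole workspace, and it is the interactive copy that the Investigation feature needs; the archived tier keeps the rows but does not make the warning quoted above go away.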