Microsoft Tech Community
SOLVED

Reducing retention period for Sentinel logs

Brass Contributor

I am currently configuring the long term retention that was recently released. We did have a 365 day retention set but now we would like to move to a 6 month data retention and a 3 year or 7 year (depending on table) archive retention.

What is the best process for performing these actions? Should I set my archive first and then reduce the active from 365 to 180? I just want to confirm I won't lose 6 months worth of data.

Can I apply these archive rules to all my tables or are there only certain tables supported today?

3 Replies

@Robert Young 1) If you do change your retention time span from 1 year to 6 months, you will lose the other 6 months. You would want to store that 6 months first.

2) There is a new feature in preview that can help with the archive portion. Look at the "Search (preview)" menu entry in MS Sentinel and then click on the "Guides & Feedback" to see a listing of useful links.

3) You can set table level retention or retention by data type. See this link for more information: Manage usage and costs for Azure Monitor Logs - Azure Monitor | Microsoft Docs

Gary, appreciate the feedback. Was hoping to set my archive and then adjust retention. I do not see anywhere in the docs that describes this action or feedback if anyone has tested this as of yet. Maybe I will attempt it on one of my non critical tables and see what happens. (metrics perhaps).
best response confirmed by Robert Young (Brass Contributor)
Solution
I reached out since there wasn't any info re this and they have now updated the FAQ:

If the tables within the workspace are configured for archival, the data will just be moved to archive in order to maintain the total retention policy in place. Ex. 720 total days of retention, 365 days in the workspace and 365 days in archive. The workspace retention is changed to 180 days. Rather than the data being lost, the data between day 180 and day 365 will be marked for archival and moved to maintain the 720 total days of retention.
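The rule the FAQ describes (total retention = interactive retention + archive; shrinking the interactive window only moves data to archive while the total stays in place) can be turned into a dry-run planner that catches the data-loss case from the first reply before anything is changed. The following is an added example, not code from this thread or from Microsoft. It assumes the request-body shape of the Azure Monitor Tables REST API (`properties.retentionInDays` and `properties.totalRetentionInDays`); the table figures are constructed, and which day values the service accepts is validated by the service, not by this script.

```python
"""Retention-change planner for Log Analytics / Sentinel tables.

Added example, not code from the forum thread or from Microsoft. It encodes
the behaviour the accepted answer quotes from the FAQ: a table keeps
totalRetentionInDays of data, of which retentionInDays is interactive (in
the workspace) and the rest is archive. Lowering the interactive window only
moves data into archive when the total retention stays in place, so the
planner emits the archive change before the interactive reduction.
The body shape (properties.retentionInDays / properties.totalRetentionInDays)
follows the Azure Monitor Tables REST API; which day values are accepted is
validated by the service, not here (assumption). Table figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TableRetention:
    name: str
    retention_days: int        # interactive retention (data queryable in the workspace)
    total_retention_days: int  # interactive + archive

    @property
    def archive_days(self) -> int:
        return self.total_retention_days - self.retention_days


def resulting_archive_days(table: TableRetention, new_retention: int, new_total: int) -> int:
    """Archive window after the change (FAQ example: 365/720 -> 180/720 gives 540)."""
    return new_total - new_retention


def plan_change(table: TableRetention, new_retention: int, new_total: int) -> list:
    """Return ordered PUT bodies for one table, or raise if data would be purged.

    Data older than the table's total retention is deleted, so the total must
    never drop below what the table currently keeps. Archive only exists when
    total > interactive, so the total is raised first; otherwise the day 180
    to day 365 slice the poster asked about would have nowhere to go.
    """
    if new_total < new_retention:
        raise ValueError(f"{table.name}: total retention {new_total} cannot be "
                         f"shorter than interactive retention {new_retention}")
    if new_total < table.total_retention_days:
        raise ValueError(f"{table.name}: data older than {new_total} days would be "
                         f"purged (table currently keeps {table.total_retention_days})")

    steps = []
    # Step 1: set the archive (total retention) while leaving interactive as-is.
    if new_total != table.total_retention_days:
        steps.append({"properties": {"retentionInDays": table.retention_days,
                                     "totalRetentionInDays": new_total}})
    # Step 2: shrink interactive; data between the new and old window moves to archive.
    if new_retention != table.retention_days:
        steps.append({"properties": {"retentionInDays": new_retention,
                                     "totalRetentionInDays": new_total}})
    return steps


def plan_workspace(tables, targets):
    """Dry run across several tables; unsafe changes are reported, never emitted."""
    report = {}
    for t in tables:
        new_retention, new_total = targets[t.name]
        try:
            report[t.name] = {"ok": True,
                              "steps": plan_change(t, new_retention, new_total),
                              "archive_days": resulting_archive_days(t, new_retention, new_total)}
        except ValueError as err:
            report[t.name] = {"ok": False, "reason": str(err)}
    return report


if __name__ == "__main__":
    # Constructed sample: the poster's starting point (365 days, no archive yet).
    tables = [TableRetention("SecurityEvent", 365, 365),
              TableRetention("Syslog", 365, 365),
              TableRetention("Heartbeat", 365, 365)]
    targets = {"SecurityEvent": (180, 2555),   # 6 months interactive, ~7 years total
               "Syslog": (180, 1095),          # 6 months interactive, ~3 years total
               "Heartbeat": (180, 180)}        # no archive: the data-loss case
    for name, result in plan_workspace(tables, targets).items():
        print(name, result)
```

Running it prints two-step plans for SecurityEvent and Syslog (archive first, then interactive) and a refusal for Heartbeat, where cutting the total to 180 days with no archive would purge the older six months, which is exactly what the first reply warned about.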