Sentinel Data - where to after 90 days?

DGMalcolm · ‎Oct 25 2022

Hey all,

I currently have Sentinel and it's configured with data only stored in Log Analytics for 90 days. This has always been more than enough. However, I am now getting a new corporate directive to hold data for 1 year. I started researching the best methods and it appears I have 2 options - Azure Data Explorer or Archive. I know that ADX provides data querying ability where the Archive won't. So, in today's Sentinel, which of these is the preferred option?

TIA

~DGM~

Clive_Watson · ‎Oct 26 2022

It may come down to simplicity and cost. ADX requires setup and on-going management but gives you quick access to the data. There is also a BLOB storage but that has its own cost vs usage to assess.

Archive is more set and forget but is best suited for occasional use hence its low cost. So if you are only keeping the data for compliance or very occasional use then this is often the best choice. Do factor in the restore costs for the occasions yiu do need the data restored

DGMalcolm · ‎Oct 27 2022

@Clive_Watson Thank you for your response.

When you say that ADX has "ongoing management" requirements what do you mean?

DGMalcolm · ‎Oct 27 2022

@DGMalcolm this isn't major, simply like many other Azure services you need to deploy it and run it. Unlike log analytics where Microsoft run the underlying service, with ADX you manage the cluster and also the Eventhub service that sends the data to ADX.

DGMalcolm · ‎Oct 28 2022

Great, thanks for the info and the follow up.

Sentinel Data - where to after 90 days?

Sentinel Data - where to after 90 days?

Re: Sentinel Data - where to after 90 days?

Re: Sentinel Data - where to after 90 days?

Re: Sentinel Data - where to after 90 days?

Re: Sentinel Data - where to after 90 days?

Products (52)

Special Topics (28)

Video Hub (447)

Most Active Hubs

Most Active Hubs

Video Hub

Sentinel Data - where to after 90 days?