
Sentinel Data - where to after 90 days?


Hey all,


I currently have Sentinel and it's configured with data only stored in Log Analytics for 90 days. This has always been more than enough. However, I am now getting a new corporate directive to hold data for 1 year. I started researching the best methods and it appears I have 2 options - Azure Data Explorer or Archive. I know that ADX provides data querying ability where the Archive won't. So, in today's Sentinel, which of these is the preferred option?




4 Replies
It may come down to simplicity and cost. ADX requires setup and on-going management but gives you quick access to the data. There is also a BLOB storage but that has its own cost vs usage to assess.

Archive is more set and forget but is best suited for occasional use, hence its low cost. So if you are only keeping the data for compliance or very occasional use then this is often the best choice. Do factor in the restore costs for the occasions you do need the data restored.
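For the "set and forget" archive route described above, the concrete change is to split a table's retention into an interactive (hot, queryable) window and a longer total retention, with the difference kept in the archive tier. The script below is an added example, not code from the thread or from Microsoft: it validates a retention pair, reports how many days of each record's life will be spent archived, and only calls the Azure CLI when `APPLY=1` is set. The resource group, workspace and table names are placeholders, and the retention limits in the comments (4 to 730 days interactive, up to 4383 days total) are the service limits as I understand them; confirm them and the `az monitor log-analytics workspace table update` flag names against `--help` for your CLI version before running with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not part of the original thread): move a Sentinel table from
# 90 days hot-only to 90 days interactive + archive to 365 days total.
set -eu

# Check that a retention pair is sane before touching the workspace.
# Assumed limits: interactive 4..730 days, total <= 4383 days (12 years),
# and total must be at least as long as interactive.
validate_retention() {
  interactive=$1
  total=$2
  case "$interactive$total" in *[!0-9]*) return 1 ;; esac   # digits only
  [ "$interactive" -ge 4 ] || return 1
  [ "$interactive" -le 730 ] || return 1
  [ "$total" -ge "$interactive" ] || return 1
  [ "$total" -le 4383 ] || return 1
  return 0
}

# Days each record spends in the archive tier (queryable only via
# restore or search job, which is where the restore cost comes from).
archive_days() {
  echo $(( $2 - $1 ))
}

# Print the plan and, when APPLY=1, apply it with the Azure CLI.
# Usage: apply_retention <resource-group> <workspace> <table> <interactive> <total>
apply_retention() {
  rg=$1; ws=$2; table=$3; interactive=$4; total=$5
  validate_retention "$interactive" "$total" || {
    echo "invalid retention pair $interactive/$total for $table" >&2
    return 1
  }
  echo "$table: $interactive days interactive, $(archive_days "$interactive" "$total") days archived"
  if [ "${APPLY:-0}" = 1 ]; then
    # Flag names are an assumption; verify with:
    #   az monitor log-analytics workspace table update --help
    az monitor log-analytics workspace table update \
      --resource-group "$rg" --workspace-name "$ws" --name "$table" \
      --retention-time "$interactive" --total-retention-time "$total"
  fi
}

# Dry run with placeholder names (constructed values, not a real workspace).
apply_retention "rg-placeholder" "law-placeholder" "SecurityEvent" 90 365
```

Run it once without `APPLY` to see the plan, then with `APPLY=1` per table that the one-year directive covers; tables you leave alone keep the workspace default.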

@Clive_Watson Thank you for your response.


When you say that ADX has "ongoing management" requirements what do you mean?

best response confirmed by DGMalcolm (Brass Contributor)

@DGMalcolm this isn't major; simply, like many other Azure services, you need to deploy it and run it. Unlike Log Analytics, where Microsoft runs the underlying service, with ADX you manage the cluster and also the Event Hub service that sends the data to ADX.

Great, thanks for the info and the follow up.