Sentinel storage is based on Log Analytics? How can we extend past 730 day limit?

Iron Contributor

Hi All, we have a Customer that requires a retention limit of 3 years and at the moment we seem to be restricted via Log Analytics to a default of 730 days?

Is there any way of extending this beyond the 730 day limit via other storage mechanisims?

2 Replies
best response confirmed by David Caddick (Iron Contributor)

@David Caddick 


The workspace retention cannot be extended beyond 730 days as of now. We are working on a solution to stream data to a colder storage. For now, the available option is to create a program (Azure functions, PowerShell, Logic Apps) that will read the date using the Log Analytics API and send it external storage.


~ Ofer

Thanks @Ofer_Shezaf 


Here in Western Australia we have the local "Office of Auditor General" reviewing local State Govt. departments and insisting that the policy is 3 years, I am assuming it is similar in most states and internationally this is likely to have other policies that are longer than the existing 2 years?
We'll run with 2 Years (730 days) for now and make a determination on that later - can you advise what the best process is to formally request this so this request can be tracked? Should it be simply via a Support request?


Dave C