Beyond 90 Days: Exploring Long-Term Storage Options for Microsoft Sentinel Logs (2024)

FAQs

Which methods can you use to send Microsoft Sentinel logs to long term storage? ›

In your Log Analytics workspace, change the interactive retention policy of the SecurityEvent table from the workspace default of 90 days to 180 days, and the total retention policy to 3 years. The total retention period is the sum of the interactive and long-term (archive) retention periods.

After you enable Microsoft Sentinel on a Log Analytics workspace, consider these configuration options: Retain all data ingested into the workspace at no charge for the first 90 days. Retention beyond 90 days is charged per the standard Log Analytics retention prices.

While Microsoft Sentinel is accessible in both the Microsoft Defender and Azure portals, Microsoft Sentinel data is stored in Azure regions.

NXLog can be configured as a log collector agent for Microsoft Sentinel, collecting and forwarding logs to its Azure Log Analytics workspaces. The logs that NXLog can forward to Microsoft Sentinel include Windows DNS Server logs, Linux audit logs, and AIX audit logs.

There are various Azure Storage services you can use to store data. The most flexible option for storing blobs from many data sources is Blob storage. Blobs are basically files. They store pictures, documents, HTML files, virtual hard disks (VHDs), big data such as logs, database backups—pretty much anything.

One the limitations of Basic Logs is that it only supports a subset of the KQL operators, which means you won't be able to utilize Basic Logs data for Analytics Rules and other necessary Microsoft Sentinel functions.

For example, you may keep audit logs and firewall logs for two months. However, if your organization must follow strict laws and regulations, you may keep the most critical logs anywhere between six months and seven years. This timeframe is the log retention period.

Azure Virtual Machine backup policy supports a minimum retention range from seven days up to 9999 days. By default, backup of VMs are kept for 7 days in snapshot and 180 days in vault.

Microsoft Sentinel isn't actually free

Unlike many Microsoft security offerings, Microsoft Sentinel is not bundled into a specific Microsoft 365 plan, even at the highest subscription levels. Instead, like most other SIEM/SOAR products, it's priced based on data consumption.

What is the maximum amount of time data will be retained in the Microsoft 365 audit log? ›

Audit log retention policies are part of the new Microsoft Purview Audit (Premium) capabilities. An audit log retention policy lets you specify how long to retain audit logs in your organization. You can retain audit logs for up to 10 years.

Automated backup retention is a count and can be set from 1 to 365 backups. Transaction log retention is in days. For Cloud SQL Enterprise Plus edition instances, the range is from 1 to 35 days, with a default of 14 days.

The diagnostics logs are saved in a blob container named $logs in your storage account. You can view the log data using a storage explorer like the Microsoft Azure Storage Explorer, or programmatically using the storage client library or PowerShell.

Configure the Log Analytics agent

Or, from the Log Analytics workspace navigation menu, select Custom logs. In the Custom tables tab, select Add custom log. In the Sample tab, upload a sample of a log file from your device (e.g. access. log or error.

Append blobs are ideal for scenarios such as logging data from virtual machines. Page blobs store random access files up to 8 TiB in size. Page blobs store virtual hard drive (VHD) files and serve as disks for Azure virtual machines.

Many connectors are packaged with SIEM solutions for Microsoft Sentinel and provide real-time integration. These connectors include Microsoft sources and Azure sources like Microsoft Entra ID, Azure Activity, Azure Storage, and more.