There’s been a lot of talk recently about how long to actually store active data in a SIEM and then what to do with that data once it’s no longer relevant to active operations.
With Azure Sentinel, you get 90 days of active data retention. After that, you’ll want to export it to cold storage, because data left in the Log Analytics workspace (LAW) beyond that point starts to incur retention charges. Fortunately, Azure Data Explorer (ADX) has come along: it provides cheaper storage but still lets you query the data with the same KQL query language, so you can effectively query current data (in the LAW) and old data (in ADX) together. However, it’s also important to understand that a LAW is required for Azure Sentinel’s automated data analysis (i.e., Analytics Rules). You can’t run analytics against ADX.
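Here’s what that combined query looks like in practice. This is an added example, not a query from the post or from any of the resources below: it uses the Log Analytics cross-service `adx()` function to reach into an ADX database holding exported SecurityEvent rows and unions them with the rows still in the workspace. The cluster URL, database name and the assumption that the exported table is also named SecurityEvent are placeholders you would replace with your own.

```kusto
// Added example: query the last 90 days in the LAW together with older rows
// that were exported to ADX. Cluster URL, database and table names are
// placeholders, not values from the post.
let AdxSecurityEvent = adx('https://<adx-cluster>.<region>.kusto.windows.net/<database>').SecurityEvent
    | where TimeGenerated < ago(90d);       // only rows that have aged out of the LAW
SecurityEvent
| where TimeGenerated >= ago(90d)           // current data still held in the workspace
| union AdxSecurityEvent
| where EventID == 4625                     // Windows failed-logon events, across both stores
| summarize FailedLogons = count() by Account, bin(TimeGenerated, 1d)
| order by TimeGenerated asc
```

Because Analytics Rules only run against the LAW, a query like this is for hunting and investigation over the full history; the automated detections still need the data that is in the workspace.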
So, there are some awesome resources around this data export to ADX that I want to call out, because they seem to be getting lost in the networking streams somewhere. Plus, I want to highlight an awesome new(er) PowerShell script from my good buddy Sreedhar Ande. Sreedhar’s PowerShell script really is a timesaver for sending the data to long-term storage.
Here are the resources:
- On the Microsoft Docs platform: https://docs.microsoft.com/en-us/azure/sentinel/store-logs-in-azure-data-explorer?tabs=adx-event-hub
- HOWTO: Configure Azure Sentinel data export for long-term storage: https://www.linkedin.com/pulse/howto-configure-azure-sentinel-data-export-long-term-storage-lauren/
- The benefits of using Azure Data Explorer for long-term retention of Azure Sentinel logs: https://techcommunity.microsoft.com/t5/azure-sentinel/using-azure-data-explorer-for-long-term-retention-of-azure/ba-p/1883947
- Playbook method – Move Your Azure Sentinel Logs to Long-Term Storage with Ease: https://techcommunity.microsoft.com/t5/azure-sentinel/move-your-azure-sentinel-logs-to-long-term-storage-with-ease/ba-p/1407153
- Sreedhar’s PowerShell script – Azure Log Analytics Log Management using Azure Data Explorer: https://github.com/sreedharande/AzureDataExplorer