In the previous deployment step, you enabled the User and Entity Behavior Analytics (UEBA) feature to streamline your analysis process. In this article, you learn how to set up interactive and long-term data retention, to make sure your organization retains the data that's important in the long term. This article is part of the Deployment guide for Microsoft Sentinel.
Configure data retention
Retention policies define when to remove data, or mark it for long-term retention, in a Log Analytics workspace. Long-term retention lets you keep older, less used data in your workspace at a reduced cost. To set up data retention plans, consult Log retention plans in Microsoft Sentinel, and use one or both of these methods, depending on your use case:
After you enable Microsoft Sentinel on a Log Analytics workspace, all data ingested into the workspace is retained at no charge for the first 90 days. Retention beyond 90 days is charged at the standard Log Analytics retention prices.
From the Log Analytics workspaces menu in the Azure portal, select your workspace. Select Usage and estimated costs in the left pane. Select Data Retention at the top of the page. Move the slider to increase or decrease the number of days, and then select OK.
If a paid subscription ends or is terminated, Microsoft retains customer data stored in Microsoft 365 in a limited-function account for 90 days to enable the subscriber to extract the data. After the 90-day retention period ends, Microsoft disables the account and deletes the customer data.
Audit log retention policies are part of the new Microsoft Purview Audit (Premium) capabilities. An audit log retention policy lets you specify how long to retain audit logs in your organization. You can retain audit logs for up to 10 years.
Microsoft Sentinel is billed for the volume of data analyzed in Microsoft Sentinel and stored in an Azure Monitor Log Analytics workspace. Data can be ingested as three different log types: Analytics Logs, Basic Logs, and Auxiliary Logs (preview).
Analytics logs are the default log type for Log Analytics and offer a good balance between features and price. If you are starting with Microsoft Sentinel, all your tables will probably be Analytics logs. Analytics logs can be retained for 730 days, but they are also the most expensive log type.
For SQL Database, you can configure full long-term retention (LTR) backups for up to 10 years in Azure Blob Storage. After the LTR policy is configured, full backups are automatically copied to a different storage container weekly.
To enable LTR, you can define a policy using a combination of four parameters: weekly backup retention (W), monthly backup retention (M), yearly backup retention (Y), and week of the year (WeekOfYear). If you specify W, one backup every week is copied to long-term storage.
Built-in connectors enable connection to the broader security ecosystem for non-Microsoft products. For example, use Syslog, Common Event Format (CEF), or REST APIs to connect your data sources with Microsoft Sentinel.
Use the Exchange admin center to apply a retention policy to a single mailbox. Go to Recipients > Mailboxes. In User Mailbox, click Mailbox features. In the Retention policy list, select the policy you want to apply to the mailbox, and then click Save.
How long can SentinelOne retain data? SentinelOne enables effective threat hunting with an industry-leading data retention of 365 days out of the box for malware and fileless attack incidents. We offer 14 days of standard historical EDR data retention that is affordably upgradeable to 365 days.
Insights and Signals that are attached to Insights are retained in Cloud SIEM indefinitely. Signals that are not attached to Insights are retained in Cloud SIEM for 30 days if suppressed, and for 365 days if unsuppressed.