

By default, logs ingested into Microsoft Sentinel are stored in Azure Monitor Log Analytics. This article explains how to reduce retention costs in Microsoft Sentinel by sending logs to Azure Data Explorer for long-term retention.

Storing logs in Azure Data Explorer reduces costs while retaining your ability to query your data, and is especially useful as your data grows. For example, while security data may lose value over time, you may be required to retain logs for regulatory requirements or to run periodic investigations on older data.

About Azure Data Explorer

Azure Data Explorer is a big data analytics platform that is highly optimized for log and data analytics. Since Azure Data Explorer uses Kusto Query Language (KQL) as its query language, it's a good alternative for Microsoft Sentinel data storage. Using Azure Data Explorer for your data storage enables you to run cross-platform queries and visualize data across both Azure Data Explorer and Microsoft Sentinel.

For more information, see General architectures for long-term security log retention with Azure Data Explorer.

When to integrate with Azure Data Explorer

Microsoft Sentinel provides full SIEM and SOAR capabilities, quick deployment and configuration, as well as advanced, built-in security features for SOC teams. However, the value of storing security data in Microsoft Sentinel may drop after a few months, once SOC users don't need to access it as often as they access newer data.

If you only need to access specific tables occasionally, such as for periodic investigations or audits, you may consider that retaining your data in Microsoft Sentinel is no longer cost-effective. At this point, we recommend storing data in Azure Data Explorer, which costs less but still enables you to explore it using the same KQL queries that you run in Microsoft Sentinel.

You can access the data in Azure Data Explorer directly from Microsoft Sentinel using the Log Analytics Azure Data Explorer proxy feature. To do so, use cross-cluster queries in your log search or workbooks. This option also enables you to correlate data spread across data stores, such as to enrich the security data stored in Microsoft Sentinel with operational or long-term data stored in Azure Data Explorer. For more information, see Cross-resource query Azure Data Explorer by using Azure Monitor.

The following image shows how you can retain all of your data in Azure Data Explorer, while sending only your security data to Microsoft Sentinel for daily use.

For more information about implementing this architecture option, see Azure Data Explorer monitoring.

Export data from Log Analytics into Azure Data Explorer

Instead of sending your data directly to Azure Data Explorer, you can choose to export your data from Log Analytics into Azure Data Explorer via an Azure Event Hub or Azure Data Factory. The following image shows a sample flow of exported data through the Azure Monitor ingestion pipeline.

Your data is directed to Log Analytics by default, but you can also configure it to export to an Azure Storage Account or Event Hub. When configuring the data export rules, select the types of logs you want to export. Once configured, new data arriving at the Log Analytics ingestion endpoint and targeted to your workspace for the selected tables is exported to your Storage Account or Event Hub. Data that was ingested before the rule existed is not exported retroactively.

When configuring data for export, note the following considerations:

Once export is configured for a specific table, all data sent to that table is exported, with no exception. Exporting a filtered subset of your data, or limiting the export to specific events, is not supported; any filtering has to happen at the destination.

Both the Azure Monitor / Microsoft Sentinel workspace and the destination (an Azure Storage Account or Event Hub) must be located in the same geographical region.

Not all tables are supported for export; for example, custom log tables are not supported. For more information, see Log Analytics workspace data export in Azure Monitor and the list of supported tables.

Use one of the following procedures to export data from Microsoft Sentinel into Azure Data Explorer:

Via an Event Hub. Export data from Log Analytics into an Event Hub, where you can ingest it into Azure Data Explorer. This method stores some data (the first X months) in both Microsoft Sentinel and Azure Data Explorer.

Via Azure Storage and Azure Data Factory. Export your data from Log Analytics into Azure Blob Storage, then use Azure Data Factory to run a periodic copy job that exports the data further into Azure Data Explorer. This method enables you to have Azure Data Factory copy data only when it nears its retention limit in Microsoft Sentinel / Log Analytics, avoiding duplication.

This section describes how to export Microsoft Sentinel data from Log Analytics into an Event Hub, where you can ingest it into Azure Data Explorer.
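The article covers the Log Analytics side of the Event Hub export path and the fact that the export rule cannot filter; the receiving side in Azure Data Explorer is not shown. The following Kusto management commands are an added example, not part of the original article or of a Microsoft script. They assume that the Event Hub data connection (created separately, in the portal or with an ARM template) targets the database these commands run in, uses the table SecurityEventRaw with the JSON mapping SecurityEventRawMapping, and that each event delivered by the export carries the exported rows in a top-level records array. The column list is a subset of the Log Analytics SecurityEvent schema, chosen for illustration; extend it to the columns you need to query later.

```kusto
// Added example (not from the article): land exported SecurityEvent batches from an Event Hub
// in a typed Azure Data Explorer table that keeps the Log Analytics column names.
// Assumptions: "records" envelope, table/mapping names, and the column subset below.

// 1. Landing table: store each delivered batch unchanged in one dynamic column.
.create table SecurityEventRaw (Records: dynamic)

// 2. JSON ingestion mapping referenced by the Event Hub data connection: whole "records" array
//    into the Records column (assumed envelope shape).
.create table SecurityEventRaw ingestion json mapping 'SecurityEventRawMapping'
    '[{"column":"Records","path":"$.records","datatype":"dynamic"}]'

// 3. Typed target table; column names match the workspace table so Sentinel queries port over.
.create table SecurityEvent (
    TimeGenerated: datetime, Computer: string, EventID: int, Account: string,
    AccountType: string, LogonType: int, IpAddress: string, Activity: string, EventData: string)

// 4. Expansion function: one batch row -> one row per exported record.
//    Because the export rule exports every row of the table, this is the place to drop
//    anything you do not want to retain (for example, add a "where" on EventID here).
.create-or-alter function with (docstring = 'Expand exported Log Analytics batches into SecurityEvent rows')
SecurityEventExpand() {
    SecurityEventRaw
    | mv-expand events = Records
    | project
        TimeGenerated = todatetime(events.TimeGenerated),
        Computer      = tostring(events.Computer),
        EventID       = toint(events.EventID),
        Account       = tostring(events.Account),
        AccountType   = tostring(events.AccountType),
        LogonType     = toint(events.LogonType),
        IpAddress     = tostring(events.IpAddress),
        Activity      = tostring(events.Activity),
        EventData     = tostring(events.EventData)
}

// 5. Update policy: every ingestion into SecurityEventRaw runs the function and appends to SecurityEvent.
//    IsTransactional = true makes the raw ingestion fail if the expansion fails, so a malformed
//    batch is retried rather than silently lost.
.alter table SecurityEvent policy update
    @'[{"IsEnabled": true, "Source": "SecurityEventRaw", "Query": "SecurityEventExpand()", "IsTransactional": true, "PropagateIngestionProperties": false}]'

// 6. Retention: raw batches are only needed until the policy has run; typed rows are kept
//    for the period you are required to retain (two years here, an assumed value).
.alter-merge table SecurityEventRaw policy retention softdelete = 1d
.alter-merge table SecurityEvent policy retention softdelete = 730d recoverability = disabled
```

Run the commands one at a time in the target database (or wrap them in a single .execute database script). Keeping the raw table with a short retention and doing the typing in the update policy means a schema change in the exported table shows up as a failed expansion on the raw batch rather than as truncated rows in the typed table, which is easier to notice and to replay.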
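The "When to integrate with Azure Data Explorer" part of the article says that data kept in Azure Data Explorer can be queried from Microsoft Sentinel through the Log Analytics Azure Data Explorer proxy with cross-cluster queries, and that this lets you enrich the hot security data with long-term data. The query below is an added example of that, written for the Sentinel Logs blade or a workbook; it is not from the article. The cluster URL (myadxcluster.westeurope.kusto.windows.net) and database name (SentinelArchive) are placeholders, and it assumes the archived table is named SecurityEvent and keeps the Log Analytics column names. It flags (account, source IP) pairs that logged on this week but never appear in the preceding year of archived logons, a baseline that would be impossible to compute from the workspace alone once its retention is shorter than a year.

```kusto
// Added example (not from the article): new logon sources for an account, using the
// Log Analytics -> Azure Data Explorer proxy. Cluster URL, database and table are assumptions.
let recent = 7d;
let lookback = 365d;
// Hot tier: the last 7 days, still in the Sentinel / Log Analytics workspace.
// Filter on each side before the union so the predicate runs on the cluster that holds the data.
let hot = SecurityEvent
    | where TimeGenerated > ago(recent)
    | where EventID == 4624 and LogonType in (3, 10)   // network (3) and RDP (10) logons
    | project TimeGenerated, Account, IpAddress, Computer, Source = "Sentinel";
// Cold tier: the year before that, exported to Azure Data Explorer.
// adx('<cluster URL>/<database>').<table>; the database name is case sensitive.
let cold = adx('https://myadxcluster.westeurope.kusto.windows.net/SentinelArchive').SecurityEvent
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where EventID == 4624 and LogonType in (3, 10)
    | project TimeGenerated, Account, IpAddress, Computer, Source = "ADX";
union hot, cold
| summarize RecentLogons     = countif(Source == "Sentinel"),
            HistoricalLogons = countif(Source == "ADX"),
            FirstSeen        = min(TimeGenerated),
            LastSeen         = max(TimeGenerated),
            Hosts            = make_set(Computer, 20)
          by Account, IpAddress
// Keep only pairs that are active this week and absent from the archive.
| where RecentLogons > 0 and HistoricalLogons == 0
| order by RecentLogons desc
```

Two caveats a practitioner should keep in mind: the proxy is for interactive hunting, investigation and workbooks, since core SIEM features such as analytics rules, UEBA and the investigation graph do not run against data stored in Azure Data Explorer; and the identity running the query needs read access on the Azure Data Explorer database as well as on the workspace, so archive access can be scoped separately from daily SOC access.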
