Azure Sentinel Logs: Methods for Long-Term Storage

Methods for Sending Azure Sentinel Logs to Long-Term Storage

Question

Which methods can you use to send Azure Sentinel logs to long-term storage?

Answers

Explanations


A. PowerShell
B. Event Hub
C. KQL function
D. Logic Apps

Correct Answers: A, B and D.

Options A, B and D are correct.

PowerShell, Event Hubs and Logic Apps can each move data out of the Sentinel (Log Analytics) workspace into long-term storage such as a storage account or data lake.

Option C is incorrect.

KQL is the query language of the workspace; a KQL function is a saved query that runs inside the workspace and returns a result set. It cannot by itself write anything to a storage account.

Azure Sentinel (now Microsoft Sentinel) is a cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution from Microsoft that provides security analytics and threat intelligence across the enterprise. Its data lives in a Log Analytics workspace, where retention is limited and billed per GB, so regulatory requirements or later analytics often call for keeping logs beyond the workspace retention period. Long-term storage such as Azure Blob Storage or Azure Data Lake Storage Gen2 is used for this purpose.

There are several methods that can be used to send Azure Sentinel logs to long-term storage, including:

A. PowerShell: The Az PowerShell modules can automate the export. The Az.SecurityInsights module manages Sentinel resources (incidents, analytics rules, data connectors) but does not export log data; export happens at the workspace level with Az.OperationalInsights. New-AzOperationalInsightsDataExport configures a continuous export of selected tables to a storage account or an Event Hub, and Invoke-AzOperationalInsightsQuery runs a KQL query whose results a script can write to a blob container with Az.Storage. Note that data export only forwards data that arrives after the rule is created, so back-filling older data requires the query-and-write approach.

B. Event Hub: Azure Event Hubs is a fully managed event-streaming service. Log Analytics data export can stream selected tables from the Sentinel workspace to an Event Hub as records arrive; Event Hubs Capture (or any consumer you write) then lands the events in Azure Blob Storage or Azure Data Lake Storage Gen2, or forwards them to a third-party SIEM or data lake. The Event Hubs data connectors listed inside Sentinel work in the opposite direction (ingestion into the workspace) and are not the export path.
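The following PowerShell script, added here as an example and not taken from the original page or from Microsoft's documentation, shows options A and B together: it configures workspace data export to a storage account and to an Event Hub namespace, verifies the rules, and then back-fills a historical window by running a query and uploading the result as a blob. The resource group, workspace, storage account, Event Hub namespace ID, table list and time window are assumed placeholders; the Az.Accounts, Az.OperationalInsights and Az.Storage modules are assumed to be installed and Connect-AzAccount already run.

```powershell
# Added example (not from the original page). Assumed placeholder names below.
# Requires Az.Accounts, Az.OperationalInsights, Az.Storage and a prior Connect-AzAccount.

$ResourceGroup       = 'rg-sentinel'                                   # assumed
$WorkspaceName       = 'law-sentinel'                                  # assumed
$StorageAccountName  = 'stsentinelarchive'                             # assumed; must be in the workspace's region
$EventHubNamespaceId = '/subscriptions/<sub-id>/resourceGroups/rg-sentinel/providers/Microsoft.EventHub/namespaces/evh-sentinel'  # assumed

# Tables worth keeping long-term. Data export only accepts tables the feature
# lists as supported, so check the documented list before adding custom tables.
$Tables = @('SecurityIncident', 'SecurityAlert', 'SigninLogs')

$storage = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccountName

# --- Option A/B: continuous export, configured once from PowerShell ---
# Destination 1: storage account. Azure Monitor writes blobs into am-<tablename>
# containers; add a lifecycle management rule on the account to tier to Cool/Archive.
New-AzOperationalInsightsDataExport `
    -ResourceGroupName $ResourceGroup `
    -WorkspaceName     $WorkspaceName `
    -DataExportName    'export-to-blob' `
    -TableName         $Tables `
    -ResourceId        $storage.Id `
    -Enable:$true

# Destination 2: Event Hub namespace. With -EventHubName omitted, one hub per
# table (am-<tablename>) is created. Turn on Event Hubs Capture on the namespace
# to land the stream in Blob Storage / ADLS Gen2 without writing a consumer.
New-AzOperationalInsightsDataExport `
    -ResourceGroupName $ResourceGroup `
    -WorkspaceName     $WorkspaceName `
    -DataExportName    'export-to-eventhub' `
    -TableName         $Tables `
    -ResourceId        $EventHubNamespaceId `
    -Enable:$true

# Verify both rules exist and are enabled.
Get-AzOperationalInsightsDataExport -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
    Format-List

# --- Option A (ad hoc): back-fill a window that predates the export rules ---
# Data export does not send historical data, so older records are pulled with
# a query and written out as JSON. Only data still inside workspace retention
# can be recovered this way.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

$query = @"
SecurityIncident
| where TimeGenerated between (datetime(2023-01-01) .. datetime(2023-02-01))
"@

$result = Invoke-AzOperationalInsightsQuery `
    -WorkspaceId $ws.CustomerId `
    -Query       $query `
    -Timespan    (New-TimeSpan -Days 400)

$tmp = Join-Path ([IO.Path]::GetTempPath()) 'SecurityIncident-2023-01.json'
$result.Results | ConvertTo-Json -Depth 10 | Set-Content -Path $tmp -Encoding utf8

$ctx = $storage.Context
New-AzStorageContainer -Name 'sentinel-backfill' -Context $ctx -ErrorAction SilentlyContinue | Out-Null
Set-AzStorageBlobContent `
    -File      $tmp `
    -Container 'sentinel-backfill' `
    -Blob      'SecurityIncident/2023-01.json' `
    -Context   $ctx `
    -Force
```

Two practitioner checks: the identity running this needs Log Analytics Contributor on the workspace plus write access to the destination, and the storage account must be in the same region as the workspace or data export will refuse the rule. Lock the destination down separately (private endpoint, immutability policy or legal hold if the retention is for compliance), because the archive is now outside the workspace's RBAC.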

C. KQL function: Kusto Query Language (KQL) is used to query and analyze data in the Sentinel workspace, and a KQL function is a saved query that other queries can call by name. A function executes inside the workspace and returns a result set; it has no way to write to a storage account or blob container, so on its own it is not a long-term storage method. It can, however, be the query that a PowerShell script or Logic App runs before writing the results out.

D. Logic Apps: Azure Logic Apps is a cloud service with a visual designer for building workflows that integrate with Azure services, including Sentinel. On a recurrence trigger, the Azure Monitor Logs connector action "Run query and list results" retrieves records from the workspace and the Azure Blob Storage connector action "Create blob" writes them to a container. Sentinel playbooks are Logic Apps, so the same pattern can also be triggered per incident or alert to archive the evidence for that case.

In summary, several methods can send Sentinel logs to long-term storage, each with trade-offs: workspace data export (driven from PowerShell or to an Event Hub) is the simplest for continuously archiving whole tables, while scripted or Logic App queries suit selective or historical extracts. The choice depends on your retention requirements, data volume and the resources available.