question

HUIACE-4516 asked
0 Votes

Old data in LAW and Sentinel questions

Hi amazing people in the community,

I have another question about Sentinel. Sentinel is an "add-on" for the Log Analytics workspace. What happens to the old data that is already in the LAW? Will it get injected into Sentinel?

Cheers

microsoft-sentinel

1 Answer

vipulsparsh-MSFT answered
0 Votes

@HUIACE-4516 Thanks for reaching out.

Sentinel for sure sits on top of the Log Analytics workspace, from where it has access to data to generate insights.
If you have access to older data under LAWS which is under the retention period (normally 30 days), Sentinel will have access to it and you can use it in any analytic rules.

Here is a great article which talks about workspace design choices for Azure Sentinel: https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574





Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


Thank you, kind man, that clears the cloud.

0 Votes 0 ·

@HUIACE-4516 Came across this awesome decision tree for designing your workspace. It has more clarity and makes it easier to decide what to choose:
https://docs.microsoft.com/en-us/azure/sentinel/design-your-workspace-architecture#decision-tree

Might be helpful for people who come to this thread in the near future as well.

0 Votes 0 ·

That is cool, man, cheers.

0 Votes 0 ·