Hi amazing people in the community
I have another question for Sentinel. So Sentinel is an "add-on" for the Log Analytics workspace. What happens to the old data that is already in the LAW, will it get injected into Sentinel?
Cheers
@HUIACE-4516 Thanks for reaching out.
Sentinel for sure sits on top of the Log Analytics workspace, from where it has access to data to generate insights.
If you have access to older data under LAWS which is under the retention period (normally 30 days), Sentinel will have access to it and you can use it in any analytic rules.
Here is a great article which talks about workspace design choices for Azure Sentinel: https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
@HUIACE-4516 Came across this awesome decision tree for designing your workspace; this has more clarity and makes it easier to decide what to choose:
https://docs.microsoft.com/en-us/azure/sentinel/design-your-workspace-architecture#decision-tree
Might be helpful for people who come to this thread in the near future as well.