1,295 questions
Microsoft stores additional metadata in your deployed region, so you do have longer than 90days for limited specific data like this.
Where does Sentinel store the information that are displayed in the Incident View?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 73%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVD%3C/text%3E%3C/svg%3E)
Vinzent Deller
0
Reputation points
Hello,
I am currently wondering where Sentinel stores the information that is displayed in the Incident View. My Log Analytics has a data retention of 90 days, each table has 90 days retention without an archive period. In Sentinel I can view incidents that are older than 2 years. Where does Sentinel get this data from?
Regards
vinzent
Microsoft Security | Microsoft Sentinel
{count} votes
-
James Hamil 27,221 Reputation points Microsoft Employee Moderator2024-03-01T21:07:49.33+00:00 Hi @Deller, Vinzent , did you need any more help with this question? If not could you please mark "Accept Answer" on the appropriate answer so other users can reference it?
Thank you,
James
-
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator2024-03-05T17:20:02.5566667+00:00 I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sign in to comment
1 answer
Sort by: Most helpful
-
Clive Watson 7,866 Reputation points MVP Volunteer Moderator2024-02-14T12:28:15.1+00:00 -
Vinzent Deller 0 Reputation points
2024-02-14T14:12:20.44+00:00 Is this visible somewhere in the Azure portal?
-
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
-
Clive Watson 7,866 Reputation points MVP Volunteer Moderator
2024-02-21T21:53:45.02+00:00 You can see older Incidents in the UI, if you select a Timerange above 90days - this one is 1st Aug 2022, and retention is 6mths.
However if you query the data, you should see alerts within your set Retention only (e.g. 90days)
SecurityAlert | where TimeGenerated > ago(365d) | summarize old_=min(TimeGenerated) | extend days_ = datetime_diff('day',now(), old_)
Sign in to comment -