This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 48%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDV%3C/text%3E%3C/svg%3E)
Hello,
I am currently wondering where Sentinel stores the information that is displayed in the Incident View. My Log Analytics has a data retention of 90 days, each table has 90 days retention without an archive period. In Sentinel I can view incidents that are older than 2 years. Where does Sentinel get this data from?
Regards
vinzent
Hi @Deller, Vinzent , did you need any more help with this question? If not could you please mark "Accept Answer" on the appropriate answer so other users can reference it?
Thank you,
James
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Microsoft stores additional metadata in your deployed region, so you do have longer than 90days for limited specific data like this.
Is this visible somewhere in the Azure portal?
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
You can see older Incidents in the UI, if you select a Timerange above 90days - this one is 1st Aug 2022, and retention is 6mths.
However if you query the data, you should see alerts within your set Retention only (e.g. 90days)
SecurityAlert
| where TimeGenerated > ago(365d)
| summarize old_=min(TimeGenerated)
| extend days_ = datetime_diff('day',now(), old_)