How to execute microsoft sentinel's backups and recovery

Question

Hi,

I'm starting in Microsoft Sentinel and read a lot of documents but I couldn't find anything about backup and recovery.

Anybody know something about this?

Please give some advices

Thank you in advance

Best regards,

Answer 1

Hello @Nelba Sanchez ,

Microsoft Sentinel is a cloud-native SIEM and SOAR solution.
Since you don't get any infrastructure to operate for this, we could consider Microsoft Sentinel as a SaaS (Software as a Service), meaning that the High Availability and Failover capabilities are provided by Microsoft.
Since Microsoft Sentinel is built on the foundation of Azure Monitor Log Analytics (Log Analytics Workspace), the SLA for Sentinel are the same as for the Log Analytics. You can check the SLA details here.

If you're still looking to export the collected data from Azure Monitor Logs (Log Analytics Workspace) to another storage system (Storage Account, or custom vs Event Hub), then you need either to use the Data Export capabilities from the Log Analytics Workspace settings (to get the data streamed to an Azure Storage Account) or various other type of integrations with an Azure Event Hub.

Details on the Data Export capabilities and scenarios can be consulted here.

I hope this helps you.

Thank you!
BR,
George

Answer 2

Generally there is no traditional backup for Sentinel (no need unless you have a regulatory requirement). You can use continuous export to stream the data to a storage account or event hub. There are a few archival options for long-term storage including Azure storage and Azure Data Explorer. The workspace holds up to 2 years of data with new extended workspace storage options in preview. The workspace has locally (within the same region) redundant storage and is highly available. So you could copy the data elsewhere but there is no traditional recovery option.