Events
May 19, 6 PM - May 23, 12 AM
Calling all developers, creators, and AI innovators to join us in Seattle @Microsoft Build May 19-22.
Register todayGeographical availability and data residency in Microsoft Sentinel
After your data is collected, stored, and processed, compliance can become an important design requirement, with a significant impact on your Microsoft Sentinel architecture. Having the ability to validate and prove who has access to what data under all conditions is a critical data sovereignty requirement in many countries and regions, and assessing risks and getting insights in Microsoft Sentinel workflows is a priority for many customers.
This article can help you meet compliance requirements by describing where Microsoft Sentinel data is stored.
Microsoft Sentinel collects the following types of data:
- Raw data, such as event data collected from connected Microsoft services and partner systems. Data from multiple clouds and sources are streamed to the customer’s Azure Log Analytics workspace associated with Microsoft Sentinel, under the customer’s tenant’s subscription. This approach gives the customer the ability to choose region and retention and deletion policies.
- Processed data, such as incidents, alerts, and so on.
- Configuration data, such as connector settings, rules, and so on.
Data used by the service, including customer data, might be stored and processed in the following locations:
| Data type | Location |
|---|---|
| Raw data | Stored in the same region as the Azure Log Analytics workspace associated with Microsoft Sentinel. For more information, see Supported regions. Raw data is processed in one of the following locations: - For Log Analytics workspaces located in Europe, customer data is processed in Europe. - For Log Analytics workspaces located in Israel, customer data is processed in Israel. - For Log Analytics workspaces located in any of the China 21Vianet regions, customer data is processed in China 21Vianet. - For workspaces located in any other location, customer data is processed in a US region. |
| Processed data and configuration data | - When Microsoft Sentinel is onboarded to the Defender portal, processed data and configuration data might be stored and processed in Microsoft Defender XDR regions. For more information, see Data security and retention in Microsoft Defender XDR. - When Microsoft Sentinel isn't onboarded to the Defender portal, processed data and configuration data is stored and processed using the same methodology as raw data. |
Regions supported for Microsoft Sentinel raw data, and for processed and configuration data in workspaces not onboarded to the Defender portal, include:
| Continent | Country/Region | Azure Region |
|---|---|---|
| North America | Canada | • Canada Central • Canada East |
| United States | • Central US • East US • East US 2 • East US 2 EUAP • North Central US • South Central US • West US • West US 2 • West US 3 • West Central US Azure government • USGov Arizona • USGov Virginia • USNat East • USNat West • USSec East • USSec West |
|
| South America | Brazil | • Brazil South • Brazil Southeast |
| Asia and Middle East | • East Asia • Southeast Asia |
|
| China 21Vianet | • China East 2 • China North 3 |
|
| India | • Central India • Jio India West • Jio India Central |
|
| Israel | • Israel Central | |
| Japan | • Japan East • Japan West |
|
| Korea | • Korea Central • Korea South |
|
| Qatar | • Qatar Central | |
| UAE | • UAE Central • UAE North |
|
| Europe | • North Europe • West Europe |
|
| France | • France Central • France South |
|
| Germany | • Germany West Central | |
| Italy | • Italy North | |
| Norway | • Norway East • Norway West |
|
| Sweden | • Sweden Central | |
| Switzerland | • Switzerland North • Switzerland West |
|
| UK | • UK South • UK West |
|
| Australia | Australia | • Australia Central Australia Central 2 • Australia East • Australia Southeast |
| Africa | South Africa | • South Africa North |
Data from Microsoft Sentinel is retained until the earliest of the following dates:
- The customer removes Microsoft Sentinel from their workspace
- As per a retention policy set by the customer
Until that time, customers can always delete their data.
Customer data is kept and is available while the license is under a grace period or in suspended mode. At the end of this period, and no later than 90 days from contract termination or expiration, the data is erased from Microsoft's systems to make it unrecoverable.
Microsoft Sentinel may share data, including customer data, among the following Microsoft products:
- Microsoft Defender XDR
- Azure Log Analytics
For more information, see:
- Details about Azure regions, useful when designing your workspace architecture.
- Business continuity and disaster recovery for Microsoft Sentinel