Due to legal considerations, you may need to store your Sentinel logs for long-term retention. By default, Azure Log Analytics stores logs for 90 days at no cost. Exporting data from Azure Log Analytics to an Azure Storage account enables low-cost retention and lets you relocate logs to a different region if necessary.
To perform this task, Microsoft provides a Playbook that moves logs from Azure Log Analytics to an Azure Storage Account. This Playbook creates a storage account with a default container to store the logs. Logs older than 90 days are moved automatically to cold storage to avoid retention billing.
In this article, I will explain how to deploy and configure this Playbook.
Getting started
Go to the following repository to download the Playbook provided by Microsoft: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Move-LogAnalytics-to-Storage
Click on the following button to easily deploy the playbook:
You will get the following wizard. Enter the required information:
- Playbook name
- Workspace name
- Workspace subscription
- Storage account name
Wait until the deployment has completed, then go to the Azure Storage Account section. You should see a new storage account.
Open the storage account and confirm the presence of the container.
Open the Logic App designer to edit the Logic App and update the connection. You will see an exclamation mark indicating an issue with a connector. This is expected: when a Logic App is deployed, its connections are not preserved.
After updating the failed connector, you will be able to see the content of the query.
You can run the Logic App manually or wait until the next recurrence. Then go to the container of your Azure Storage account: you should see new folders corresponding to the logs present in your Sentinel workspace.
Open one of these folders and confirm that a list of JSON files appears; this means your logs have been exported to Azure Storage.
For legal reasons, you may need to query specific logs. Thanks to KQL, you can query your exported logs very easily. Open the Log Analytics workspace, go to the Logs tab and run the following query:
let ActivityLogs = externaldata (TimeGenerated:datetime, OperationName:string, OperationNameValue:string, Level:string, ActivityStatus:string, SubscriptionID:string)[@"SAS TOKEN URL FOR BLOB"] with (format="multijson",recreate_schema=true);
ActivityLogs
Thanks to the externaldata operator, we can easily query external files stored on Azure Storage. You just need to identify the right log file and you will get the data.
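As an added example that is not part of the original article, the query below extends the same externaldata call to answer the kind of question a retention request usually poses: which operations failed against a given subscription during a given period. The column schema is the one used above; the SAS URL, the subscription ID, the date range and the status strings ("Failed", "Error", which follow the values the AzureActivity table uses) are assumptions you replace with your own values.

```kusto
// Added example, not from the original article. Replace the SAS URL,
// the subscription ID and the date range with your own values.
let StartDate = datetime(2021-01-01);   // placeholder: start of the period under review
let EndDate   = datetime(2021-02-01);   // placeholder: end of the period (exclusive)
let TargetSub = "00000000-0000-0000-0000-000000000000";   // placeholder subscription ID
// Same schema as the exported Activity log files above.
let ActivityLogs = externaldata (
    TimeGenerated:datetime,
    OperationName:string,
    OperationNameValue:string,
    Level:string,
    ActivityStatus:string,
    SubscriptionID:string
)
[@"SAS TOKEN URL FOR BLOB"]          // one or more blob URLs, each with a read-only SAS token
with (format="multijson");
ActivityLogs
| where TimeGenerated >= StartDate and TimeGenerated < EndDate
| where SubscriptionID =~ TargetSub
// Keep only failed or error-level operations (assumed status values).
| where ActivityStatus =~ "Failed" or Level =~ "Error"
| summarize
    Attempts  = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by OperationNameValue, SubscriptionID
| order by Attempts desc
```

The URL list passed to externaldata can hold several blobs, so the JSON files for every day of the period can be read in one query; keeping that list limited to the folders for the period in question keeps the query responsive, since every listed file is fetched from storage. Because the SAS token ends up in the query text, generate it read-only and with a short expiry.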