Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Move Microsoft Sentinel Logs to Azure Storage

  • February 23, 2022
  • 5 min read
IT Production Manager. Nicolas is primarily focused on Microsoft technologies, he is a Microsoft MVP in Cloud and Datacenter Management.
IT Production Manager. Nicolas is primarily focused on Microsoft technologies, he is a Microsoft MVP in Cloud and Datacenter Management.


Due to legal considerations, you may need store your Sentinel logs for long-term retention. By default, Azure Log analytics allows you to store logs for 90 days at no cost. Exporting data from Azure Log Analytics to an Azure Storage account enables low-cost retention and the ability to reallocate logs to different regions if necessary.

To perform this task, Microsoft provides a great Playbook in order to move logs from Azure Log Analytics to an Azure Storage Account. This Playbook creates a storage account with a default container to store the logs. Logs older than 90 days are moved automatically to the cold storage to avoid retention billing.

In this article, I will explain how to deploy and configure this Playbook.

Getting started

Go to the following repository to download the Playbook provided by Microsoft: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Move-LogAnalytics-to-Storage

Click on the following button to easily deploy the playbook:

Deploy to Azure

You will get the following wizzard. Enter the required information:

  • Playbook name
  • Workspace name
  • Workspace subscription
  • Storage account name

Custom deployment

Wait until the deployment has been done and go to the Azure Storage Account section. You should see a new storage account.

Storage accounts

Open the storage account and confirm the presence of the container.

Containers

Open the LogicApp designer to edit the LogicApp and update the connection. You will see an exclamation mark to indicate an issue with a connector. It is normal because when deploying a LogicApp, the connections are not preserved.

LogicApp designer

After updating the failed connector, you will be able to see the content of the query

Query

You can run the LogicApp or just wait until the next recurrence, then go to the container of your Azure Storage account, you should see new folders depending on the existing logs in your Sentinel logs.

Sentinel logs

Open one of these folders to confirm a list of JSON files appears, so that means your logs are exported to the Azure storage.

Your logs are exported to the Azure storage

For legal reasons, you may need to query specific logs. Thanks to the KQL language, you will be able to query your exported logs very easily. Open the Log Analytics workspace, go to the Logs tab and run the following query:

Thanks to the externaldata operator, we can easily query the external files stored on Azure Storage. You just need to identify the right log file and then you will get the data.

Azure Storage

Hey! Found Nicolas’s article helpful? Looking to deploy a new, easy-to-manage, and cost-effective hyperconverged infrastructure?
Alex Bykovskyi
Alex Bykovskyi StarWind Virtual HCI Appliance Product Manager
Well, we can help you with this one! Building a new hyperconverged environment is a breeze with StarWind Virtual HCI Appliance (VHCA). It’s a complete hyperconverged infrastructure solution that combines hypervisor (vSphere, Hyper-V, Proxmox, or our custom version of KVM), software-defined storage (StarWind VSAN), and streamlined management tools. Interested in diving deeper into VHCA’s capabilities and features? Book your StarWind Virtual HCI Appliance demo today!