How is Microsoft Sentinel Data Retention handled?
All data ingested into your Microsoft Sentinel workspace is retained for 90 days by default.
Default Retention
All data ingested into your Microsoft Sentinel workspace is retained for 90 days by default. This applies to all datasources configured by Attic Security, including:
- Azure Activity Logs
- Office 365 Logs
- Microsoft Defender Alerts and Evidence
- Entra ID Logs (if enabled)
After 90 days, data is automatically purged from the Log Analytics Workspace.
Extending Retention
If your organization requires a longer retention period (for example, to meet compliance requirements), this can be adjusted in the Azure portal under the Log Analytics Workspace settings. Please note that extending retention beyond 90 days will incur additional storage costs billed by Microsoft through your Azure subscription.