Project ExternalData
Security on Azure
Using #AzureSentinel and #LogAnalytics, you can configure a data export rule to dedupe security logs and send them to Azure Storage for audit and long-term retention. A #PowerShell script lets you operationalize this and returns a base KQL query for searching the security logs held in Azure Storage.
Tooling: https://github.com/Azure/Azure-Sentinel/tree/master/Tools/externaldata
Articles: https://swiftsolves.substack.com/p/azure-sentinel-data-export-to-azure & https://swiftsolves.substack.com/p/operationalize-against-your-archived
2021-10-03
0.0 LBC
None
474420364 Bytes