Question. You mention not enabling the Defender 365 tables if you are not using them within analytic rules. What about ingesting them for long-term retention? The MDE advanced hunting data is available for just 30 days of KQL query capability; after that it is 180 days but limited to the timeline feature (not practical for forensic investigation). With the Sentinel connector we could keep the raw logs for much longer than the default 30 days. If not the Sentinel connector, someone could write a script to ingest the raw logs through the Defender API into just a Log Analytics workspace, but Sentinel seems to be a quick win here (especially if you have E5-licensed users: you get the 5 MB/day allowance that includes the advanced hunting tables as well).
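Added example (not from the commenter or the channel) of the scripted alternative mentioned above: run a time-windowed advanced hunting query through the Defender XDR API and forward the rows to a Log Analytics workspace with the HTTP Data Collector API. The Defender endpoint (`/api/advancedhunting/run`), the Data Collector API signing scheme (HMAC-SHA256 over method, length, content type, `x-ms-date` and `/api/logs`, sent as `SharedKey <workspaceId>:<sig>`) and the per-query row cap are Microsoft's documented behaviour; the bearer token, workspace ID, shared key and the `ROW_CAP`, `archive_table` and `hunting_query` names are this example's own assumptions. Two caveats a practitioner should keep in mind: rows posted this way land in a custom `<LogType>_CL` table, not in the native `DeviceEvents`-style tables the Sentinel connector fills, so existing analytic rules and the native-table billing treatment do not apply to them; and the Data Collector API is the legacy ingestion path (Microsoft has announced its retirement in favour of the DCR-based Logs Ingestion API), so treat the signing code as a pattern rather than a long-term dependency.

```python
"""Archive Defender XDR advanced-hunting tables to Log Analytics over the API.

Illustrative code: tokens, workspace IDs and keys below are placeholders.
"""
import base64
import datetime as dt
import hashlib
import hmac
import json
import os
import urllib.request

HUNTING_URL = "https://api.security.microsoft.com/api/advancedhunting/run"
# Advanced hunting truncates large result sets; page by time window so no
# window silently loses rows. Assumed cap for this example: 100,000 rows.
ROW_CAP = 100_000
KQL_TIME = "%Y-%m-%dT%H:%M:%SZ"


def hunting_query(table: str, start: dt.datetime, end: dt.datetime) -> str:
    """KQL for one table over the half-open window [start, end), oldest first."""
    return (
        f"{table}\n"
        f"| where Timestamp >= datetime({start.strftime(KQL_TIME)}) "
        f"and Timestamp < datetime({end.strftime(KQL_TIME)})\n"
        "| order by Timestamp asc"
    )


def time_windows(start: dt.datetime, end: dt.datetime, step: dt.timedelta):
    """Split [start, end) into consecutive windows of at most `step`."""
    windows, cur = [], start
    while cur < end:
        nxt = min(cur + step, end)
        windows.append((cur, nxt))
        cur = nxt
    return windows


def string_to_sign(method: str, content_length: int, content_type: str,
                   rfc1123_date: str, resource: str = "/api/logs") -> str:
    """Canonical string the Data Collector API expects to be HMAC-signed."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"


def build_authorization(workspace_id: str, shared_key_b64: str,
                        content_length: int, rfc1123_date: str) -> str:
    """SharedKey header: HMAC-SHA256 with the base64-decoded workspace key."""
    key = base64.b64decode(shared_key_b64)
    msg = string_to_sign("POST", content_length, "application/json", rfc1123_date).encode()
    sig = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()
    return f"SharedKey {workspace_id}:{sig}"


def run_hunting(token: str, query: str) -> list:
    """POST the KQL to the advanced hunting API; returns the Results array."""
    req = urllib.request.Request(
        HUNTING_URL, data=json.dumps({"Query": query}).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["Results"]


def post_to_log_analytics(workspace_id: str, shared_key_b64: str,
                          log_type: str, rows: list) -> int:
    """Send rows as JSON to the workspace; they appear as <log_type>_CL."""
    body = json.dumps(rows).encode()
    date = dt.datetime.now(dt.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key_b64, len(body), date),
        "Log-Type": log_type,
        "x-ms-date": date,
        # Keep the original event time instead of ingestion time.
        "time-generated-field": "Timestamp",
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def archive_table(token, workspace_id, shared_key_b64, table, start, end,
                  step=dt.timedelta(hours=1)) -> int:
    """Copy one table window by window; fail loudly if a window hits the cap."""
    total = 0
    for w_start, w_end in time_windows(start, end, step):
        rows = run_hunting(token, hunting_query(table, w_start, w_end))
        if len(rows) >= ROW_CAP:
            raise RuntimeError(f"{table} {w_start}..{w_end}: row cap hit, shrink the window")
        if rows:
            post_to_log_analytics(workspace_id, shared_key_b64, f"{table}Archive", rows)
        total += len(rows)
    return total


if __name__ == "__main__":
    # Placeholders read from the environment; nothing is sent unless they are set.
    end = dt.datetime.now(dt.timezone.utc).replace(minute=0, second=0, microsecond=0)
    n = archive_table(os.environ["MDE_TOKEN"], os.environ["LA_WORKSPACE_ID"],
                      os.environ["LA_SHARED_KEY"], "DeviceProcessEvents",
                      end - dt.timedelta(days=1), end)
    print(f"archived {n} rows")
```

Run it on a schedule with a window that ends on the previous full hour so late-arriving events are not missed, and alert on the row-cap error rather than swallowing it: a silently truncated window is exactly the gap a forensic timeline cannot afford.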
Best Azure Channel!
Thank you very much!