Commit

Update sentinel-guidance.md
adonm authored Jun 25, 2024
1 parent a02d1ad commit ca5bc03
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/onboarding/sentinel-guidance.md
Expand Up @@ -25,7 +25,7 @@ Steps 1-3 should be straightforward to complete under E5/A5 licencing. Once tele

### 2.1. SIEM Retention for threat hunting and investigations

[Configuring retention for 12 months](https://learn.microsoft.com/en-us/azure/sentinel/configure-data-retention) is recommended to ensure logs are available for investigations and threat hunting. For high volume telemetry sources, [streaming events to object storage](https://learn.microsoft.com/en-us/defender-xdr/streaming-api-storage) is a validated alternative that can be queried in place with tools like [DuckDB to Azure Blob storage](https://duckdb.org/docs/extensions/azure.html) (supports [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) via [S3 API](https://duckdb.org/docs/extensions/httpfs/s3api)), [Azure Data Explorer](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/schema-entities/external-tables) and [Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/getting-started.html).
[Configuring retention for 12 months](https://learn.microsoft.com/en-us/azure/sentinel/configure-data-retention) is recommended to ensure logs are available for investigations and threat hunting. For high volume telemetry sources, [streaming events to object storage](https://learn.microsoft.com/en-us/defender-xdr/streaming-api-storage) and using [lifecycle management to retain for 365 days](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal#create-or-manage-a-policy) is a validated alternative that can be queried in place with tools like [DuckDB to Azure Blob storage](https://duckdb.org/docs/extensions/azure.html) (also supports [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) via [S3 API](https://duckdb.org/docs/extensions/httpfs/s3api)), [Azure Data Explorer](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/schema-entities/external-tables) and [Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/getting-started.html).

!!! note "Simplify telemetry collection"
Moving [Configuration Manager to Intune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-intune-setup), [Fileshares to SharePoint](https://learn.microsoft.com/en-us/sharepointmigration/fileshare-to-odsp-migration-guide) and [Identities from Active Directory to Entra](https://learn.microsoft.com/en-us/entra/architecture/road-to-the-cloud-migrate) are highly effective ways to improve security visibility while also reducing telemetry volume from self-managed platforms and servers.
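Review bot: the added clause on the `+` line, "streaming events to object storage and using lifecycle management to retain for 365 days is a validated alternative", pairs a compound subject with a singular verb and leaves the lifecycle policy's intent unstated (a lifecycle rule can delete or re-tier blobs, so "retain for 365 days" on its own does not say which). Suggest rewording to "streaming events to object storage, with a lifecycle management rule that deletes blobs only after 365 days, is a validated alternative", and adding that any tiering rule in the same policy must keep the blobs in a tier the listed in-place query tools can read, since the "queried in place" claim that follows otherwise stops holding for older data.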