Result in the Sentinel GUI (Incidents) / No results in logs (query)

JoePander · ‎Jun 06 2024

Hey guys,

I have a problem understanding how Sentinel works. In my Sentinel, I can search for incidents dating back to the year 2022. However, when I try to find the same incidents with a Kusto query, it returns no results. Interestingly, when I attach a tag to one of these old incidents, it pops up in my query search. It feels like there are other tables that we cannot query or some settings are not correctly configured in my instance.

Does anyone know where I can find some information about this issue?

Big thanks,

Joe

‎Jun 07 2024

Correct, some data is retained by Microsoft for much longer, but as you probably noticed its a small set of data. not everything.

‎Jun 07 2024

And if I assume correctly, there is no way (through configuration or payment) to access this data?

‎Jun 07 2024

Correct, if you need the data you need to retain it yourself by increasing Table retention and/or archiving.

‎Jun 19 2024

@JoePander Many Thanks for letting me know. I might try that approach. @ 3titik

‎Jun 07 2024

Correct, if you need the data you need to retain it yourself by increasing Table retention and/or archiving.

View solution in original post

Result in the Sentinel GUI (Incidents) / No results in logs (query)

Result in the Sentinel GUI (Incidents) / No results in logs (query)

Re: Result in the Sentinel GUI (Incidents) / No results in logs (query)

Re: Result in the Sentinel GUI (Incidents) / No results in logs (query)

Re: Result in the Sentinel GUI (Incidents) / No results in logs (query)

Re: Result in the Sentinel GUI (Incidents) / No results in logs (query)

Re: Result in the Sentinel GUI (Incidents) / No results in logs (query)

Products (49)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Result in the Sentinel GUI (Incidents) / No results in logs (query)