Exporting logs from Sentinel or Log Analytics to Azure storage account blobs provides long-term retention, immutability for legal hold, and geographical redundancy. In scenarios such as incidents or legal cases, having the data archived in these blobs is crucial for investigations. Getting the data into the archive and working with it afterwards involves methods such as enabling data export on the Log Analytics workspace, or using Logic Apps to export specific data. Querying the data in a storage account can be done through the externaldata() KQL function, by creating external tables in Azure Data Explorer (ADX), or by ingesting the data into ADX tables. Each method has its advantages and disadvantages in terms of performance, ease of querying, and cost, so it is essential to choose the approach that fits your specific needs and requirements. By following these steps, you can effectively access and use archived logs for various purposes, ensuring data availability and integrity when needed.
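As an added example (not from the original post), the following KQL reads a Log Analytics data-export blob directly with externaldata() and answers an investigation question over the archived window. The storage account name, the resource IDs in the blob path, the SAS token and the dates are constructed placeholders; the blob naming convention and the choice of format="multijson" (one JSON record per line) are assumptions about how data export writes its files.

```kql
// Added example, not from the original post. Placeholders: <storageaccount>,
// <subscription-id>, <rg>, <workspace>, <sas-token>; dates are constructed.
// Assumption: exported SigninLogs land as JSON records in container am-signinlogs.
let ExportedSigninLogs = externaldata(
    TimeGenerated: datetime,
    UserPrincipalName: string,
    AppDisplayName: string,
    IPAddress: string,
    ResultType: string,
    ResultDescription: string,
    Location: string
)
[
    // externaldata() reads exactly the blobs listed here, no wildcards.
    h@"https://<storageaccount>.blob.core.windows.net/am-signinlogs/WorkspaceResourceId=/subscriptions/<subscription-id>/resourcegroups/<rg>/providers/microsoft.operationalinsights/workspaces/<workspace>/y=2024/m=01/d=15/h=09/m=00/PT05M.json?<sas-token>",
    h@"https://<storageaccount>.blob.core.windows.net/am-signinlogs/WorkspaceResourceId=/subscriptions/<subscription-id>/resourcegroups/<rg>/providers/microsoft.operationalinsights/workspaces/<workspace>/y=2024/m=01/d=15/h=09/m=05/PT05M.json?<sas-token>"
]
with (format="multijson");
// Investigation question: which accounts and source IPs show repeated failed
// sign-ins inside the archived window? A ResultType of "0" is a success in
// SigninLogs; anything else is a failure code.
ExportedSigninLogs
| where TimeGenerated between (datetime(2024-01-15T09:00:00Z) .. datetime(2024-01-15T09:10:00Z))
| where ResultType != "0"
| summarize Failures = count(),
            Apps = make_set(AppDisplayName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where Failures >= 5
| order by Failures desc
```

Because every blob has to be listed explicitly, externaldata() suits spot checks of a few hours; for longer retention windows an ADX external table over the same container, or ingestion into an ADX table, avoids hand-building URI lists and performs better.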
Posted in Microsoft 365