Azure Security Center using too much storage

I enabled Azure Security Center a year ago. After one year, the Storage account that is collecting Security Center data is 1.5 terabytes in size and costs are starting to add up.

Is there a way to clear out old security data?

Is there a way to limit security/audit data to a certain period of time like 2 months?

There is 1 best solution below

You can decide which types of raw data will be collected through Azure Security Center -> Security policy -> your_subscription_name -> Edit settings -> Data collection -> Windows security events. The different choices for data collection are described in the docs.

To configure a retention policy, go to your Log Analytics workspace -> Usage and estimated costs -> Data volume management -> Data Retention.

On deleting old data from Log Analytics, I found this answer on Azure forums (Jul 2018):

Log Analytics cost is incurred when data is sent into the service. Once the data has been made available for searching there is no cost saving by deleting the data (except in case of retention).

That said, there are cases where it might be useful to delete logs.

Specifically, to support GDPR, we have introduced the Purge API – https://learn.microsoft.com/en-us/azure/log-analytics/log-analytics-personal-data-mgmt#how-to-export-and-delete-private-data. Please note that this API must not be treated as a general-purpose data delete API, but used for GDPR purposes only.
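
The Data Retention setting mentioned in the answer can also be applied from the Azure CLI, which helps when several workspaces need the same limit. The script below is an added example, not part of the original answer; the resource group and workspace names in its usage comment are placeholders, and it assumes the Azure CLI is installed and logged in.

```shell
#!/usr/bin/env bash
# Added example: cap Log Analytics workspace retention with the Azure CLI.
# Names passed to these functions are placeholders, not values from the page.

# Print the workspace's current retention in days.
get_retention() {
    az monitor log-analytics workspace show \
        --resource-group "$1" --workspace-name "$2" \
        --query retentionInDays --output tsv
}

# Set retention to $3 days unless the workspace is already at that value.
# Returns 0 on success or no-op, 2 on bad input, az's exit code otherwise.
set_retention() {
    local rg="$1" ws="$2" days="$3" current
    case "$days" in
        ''|*[!0-9]*)
            echo "retention must be a whole number of days" >&2
            return 2 ;;
    esac
    # Read the current value first so the change is visible in the output
    # and an unnecessary update call is skipped.
    current="$(get_retention "$rg" "$ws")" || return $?
    if [ "$current" = "$days" ]; then
        echo "unchanged: $ws already keeps data for $days days"
        return 0
    fi
    az monitor log-analytics workspace update \
        --resource-group "$rg" --workspace-name "$ws" \
        --retention-time "$days" --output none || return $?
    echo "changed: $ws retention $current -> $days days"
}

# Usage, for the two-month limit asked about in the question:
#   set_retention <resource-group> <workspace-name> 60
```

Data older than the new limit stops being available for search, so pick a value that still covers the period you expect to need for incident investigation.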