Retention for Incident and Artifacts
One thing that has always driven me nuts with Sentinel is the workflow for storing incidents long term and the artifacts surrounding them. For example, I know one person in our org who has been compromised 4 different times, and when I bring this up, the older incidents have already hit retention, so all of the data, including comments on an incident, has been wiped out. It kind of hurts your argument when you want something to be done with this user when you don't have the black & white data to back up your argument. Instead, you are left with a barren incident that lacks entities.
So, I tried "Cases" in Defender, which stores the comments that you put in it as well as what you attach to the case. However, linked incidents still fall victim to retention. Comments on a Sentinel incident don't sync to the case, and worst of all, there isn't a good way to export Cases in a nice viewable format to give to legal or other teams.
So, I am just curious what others do for this. Do you use something like Notion and store the data and artifacts in Notion so that you can pull them at a later time if need be?
I feel like there should be a better way to do this, and I was hoping that the data lake would help with something like this, but it doesn't seem like it is going to cover all scenarios, like if I want to store a file or screenshot quickly, as opposed to uploading it to a blob and adding the links to the screenshots to the incident.
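One way to keep the per-user history the post is asking for is to snapshot each incident, with its comments and entities, into your own archive before workspace retention deletes it, and to hash each snapshot so the copy handed to legal can be shown to be unaltered. The script below is an added example, not the poster's code and not a Microsoft tool; the record shape (`IncidentNumber`, `Title`, `Comments`, `Entities`, and so on) is an assumption modelled loosely on a Sentinel incident export, and the incidents themselves are constructed sample data. It builds a dossier of every archived incident in which a given account appears and renders it as Markdown for handover.

```python
"""Archive Sentinel incidents (with comments and entities) outside the workspace
so they survive retention, and build a per-account dossier for handover.
Field names are an assumed export shape; adjust them to your own export."""
import hashlib
import json
from collections import defaultdict

# Constructed sample records: three incidents for one account, one for another.
# Incident 117 deliberately has no comments to exercise that edge case.
SAMPLE_INCIDENTS = [
    {"IncidentNumber": 101, "Title": "Suspicious sign-in from unfamiliar location",
     "Severity": "Medium", "Status": "Closed", "Classification": "TruePositive",
     "CreatedTime": "2024-01-05T10:00:00Z",
     "Entities": [{"kind": "Account", "name": "jdoe@example.com"},
                  {"kind": "Ip", "address": "203.0.113.7"}],
     "Comments": [{"author": "analyst.a", "createdTimeUtc": "2024-01-05T11:00:00Z",
                   "message": "User confirmed clicking a phishing link; password reset."}]},
    {"IncidentNumber": 117, "Title": "Mail forwarding rule created",
     "Severity": "High", "Status": "Closed", "Classification": "TruePositive",
     "CreatedTime": "2024-03-12T08:30:00Z",
     "Entities": [{"kind": "Account", "name": "jdoe@example.com"}],
     "Comments": []},
    {"IncidentNumber": 130, "Title": "Malware detected on endpoint",
     "Severity": "High", "Status": "Closed", "Classification": "TruePositive",
     "CreatedTime": "2024-04-01T14:00:00Z",
     "Entities": [{"kind": "Account", "name": "asmith@example.com"},
                  {"kind": "Host", "hostName": "WS-0042"}],
     "Comments": [{"author": "analyst.b", "createdTimeUtc": "2024-04-01T15:10:00Z",
                   "message": "Host isolated and reimaged."}]},
    {"IncidentNumber": 142, "Title": "MFA fatigue attempts",
     "Severity": "Medium", "Status": "Closed", "Classification": "TruePositive",
     "CreatedTime": "2024-06-20T19:45:00Z",
     "Entities": [{"kind": "Account", "name": "JDoe@example.com"}],  # mixed case on purpose
     "Comments": [{"author": "analyst.a", "createdTimeUtc": "2024-06-20T20:00:00Z",
                   "message": "Third incident for this user; escalated to HR."}]},
]


def canonical_json(obj):
    """Stable serialization so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def accounts_in(incident):
    """Lower-cased account names appearing as entities on the incident."""
    return {e["name"].lower() for e in incident.get("Entities", []) if e.get("kind") == "Account"}


def archive_record(incident):
    """Snapshot an incident with its comments and entities, plus a SHA-256 over
    the canonical JSON so the archived copy can later be shown to be unaltered."""
    body = {
        "incident_number": incident["IncidentNumber"],
        "title": incident["Title"],
        "severity": incident.get("Severity"),
        "status": incident.get("Status"),
        "classification": incident.get("Classification"),
        "created": incident["CreatedTime"],
        "entities": incident.get("Entities", []),
        "comments": incident.get("Comments", []),
    }
    digest = hashlib.sha256(canonical_json(body).encode("utf-8")).hexdigest()
    return {**body, "sha256": digest}


def index_by_account(incidents):
    """Map each account entity to the sorted incident numbers it appears in."""
    idx = defaultdict(list)
    for inc in incidents:
        for acct in accounts_in(inc):
            idx[acct].append(inc["IncidentNumber"])
    return {k: sorted(v) for k, v in idx.items()}


def build_dossier(incidents, account):
    """All archived incidents in which `account` appears, oldest first."""
    wanted = account.lower()
    hits = [archive_record(inc) for inc in incidents if wanted in accounts_in(inc)]
    return sorted(hits, key=lambda r: (r["created"], r["incident_number"]))


def render_markdown(account, dossier):
    """Human-readable handover for legal or HR, with per-incident hashes."""
    lines = [f"# Incident history for {account}", "", f"Incidents: {len(dossier)}", ""]
    for r in dossier:
        lines.append(f"## #{r['incident_number']} {r['title']} ({r['created']})")
        lines.append(f"- Severity: {r['severity']}; Status: {r['status']}; "
                     f"Classification: {r['classification']}")
        lines.append(f"- SHA-256: {r['sha256']}")
        for e in r["entities"]:
            lines.append(f"- Entity: {canonical_json(e)}")
        if not r["comments"]:
            lines.append("- Comments: none recorded")
        for c in r["comments"]:
            lines.append(f"- Comment ({c['author']}, {c['createdTimeUtc']}): {c['message']}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown("jdoe@example.com", build_dossier(SAMPLE_INCIDENTS, "jdoe@example.com")))
```

In practice you would feed this from a scheduled export of open and recently closed incidents (before their retention window ends), write the JSON records and the Markdown to storage you control, and keep the manifest of hashes separately; screenshots or files collected during the investigation can be stored alongside the record and referenced by their own hash in the same way.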