Unlimited Advanced Hunting for Microsoft Defender XDR with Azure Data Explorer

More and more customers ask me what the options are to extend the retention in Microsoft Defender XDR beyond the default 30 days.
Data such as incidents, alerts and device event timelines remain available for 180 days, but in this particular case they are referring to the Advanced Hunting data, which is purged after 30 days. Beyond that point you can no longer use Kusto Query Language (KQL) to look for events in the "raw data". For proactive hunting purposes, I agree with my customers: this is just too short.

In this session I'd like to demonstrate how you can leverage Azure Data Explorer (ADX) to archive data from Microsoft 365 Defender without having to use Microsoft Sentinel in between. Relaying this data through Sentinel is not preferred by most, due to the added costs that come along with it, which can be huge in some cases.

I will not only go through all of the design choices related to Azure Event Hubs and Azure Data Explorer, but also demonstrate an open-source tool I've created (ArchivR), which fully automates the deployment and helps customers set things up in a few simple steps!

Koos Goossens

Microsoft Security MVP | Cloud & Security Consultant @ Wortell

Maurik, The Netherlands
