Introduction
In Part 1 of this series, we explained why pairing Microsoft Sentinel with a Data Lake matters. In Part 2, we demonstrated how the integration can save up to 75% annually. Now, in Part 3, you will walk through the onboarding process for Microsoft Sentinel Data Lake and see how it extends your existing Sentinel deployment with unified storage, advanced analytics, and cost efficiency.
The Microsoft Sentinel data lake, available in the Microsoft Defender portal, acts as a tenant-wide repository for collecting, storing, and managing large volumes of security-related data. Consequently, it provides unified visibility, advanced analytics, and machine learning that strengthen your ability to detect threats and respond quickly.
📚 Reference: Onboarding Microsoft Sentinel Data Lake
What Onboarding Does
When you enable the Microsoft Sentinel data lake, several important changes occur:
- The setup provisions a data lake for your chosen subscription and resource group.
- Your primary Sentinel workspace, along with other connected workspaces in the same region as your tenant’s home region, attaches automatically.
- Sentinel mirrors analytics tier data into the data lake tier at no additional charge.
- New data can flow into both tiers or directly into the data lake tier.
- Microsoft assets such as Entra, Microsoft 365, and Azure Resource Graph ingest automatically.
- Auxiliary log tables migrate from Microsoft Defender into the data lake, where analysts query them with KQL.
⏱ Importantly, data typically appears in the data lake within 90–120 minutes after ingestion begins.
Prerequisites
Before you begin, ensure that your environment meets the following requirements:
- You already use Microsoft Defender and Microsoft Sentinel.
- An Azure subscription and resource group exist for billing.
- A primary Sentinel workspace connects to the Defender portal.
- All workspaces that you plan to attach reside in the same region as your tenant’s home region.
- Required roles are assigned:
  - Azure Subscription Owner for billing.
  - Microsoft Entra Global Administrator or Security Administrator for ingestion authorization.
  - Read access to every workspace being attached.
⚠️ During the preview period, Customer-Managed Keys (CMK) are not supported. Therefore, Microsoft-managed keys encrypt all data.
Step-by-Step Onboarding
Step 1: Sign in to the Defender Portal
First, navigate to https://security.microsoft.com. A banner at the top invites you to Get started with onboarding. If you dismiss the banner, you can instead continue by selecting System > Settings > Microsoft Sentinel > Data lake.

Step 2: Configure Subscription and Resource Group
Next, use the setup panel to select the subscription and resource group where billing will apply. Afterwards, click Set up data lake to start provisioning.

Step 3: Provisioning
The provisioning process usually takes up to 60 minutes. Meanwhile, the Defender portal displays a banner showing onboarding progress. After completion, new features become available, including data lake KQL queries and Sentinel cost management.

Policy and Compliance Notes
Sometimes, Azure Policy definitions block the deployment of required resources. In those cases, create a policy exemption scoped to the resource group for:
Microsoft.SentinelPlatformServices/sentinelplatformservices
This targeted exemption ensures that Sentinel Data Lake resources deploy successfully, while your broader governance policies remain intact.
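If you already know which policy assignment blocks the deployment, the exemption can be expressed as infrastructure-as-code so that it is reviewable and repeatable. The following Bicep template is an added example, not from the original post or from Microsoft; the policy assignment ID is a placeholder you must replace with the assignment named in the deployment error, and the exemption name and display text are arbitrary choices.

```bicep
// Added example (not from the original post): deploy at the scope of the
// resource group chosen in Step 2 to exempt ONLY the Sentinel platform
// resource type from the policy assignment that blocks it.
// ASSUMPTION: the assignment ID below is a placeholder; replace it with the
// ID reported in the deployment error. 'Waiver' is used because the policy
// intent is not met by these Microsoft-managed resources, it is simply waived.
targetScope = 'resourceGroup'

@description('Resource ID of the policy assignment that blocks the deployment (placeholder, replace).')
param blockingAssignmentId string = '/subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyAssignments/<assignment-name>'

resource sentinelDataLakeExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'sentinel-data-lake-exemption'
  properties: {
    displayName: 'Allow Microsoft Sentinel data lake platform resources'
    description: 'Scoped to this resource group; applies only to the Sentinel platform resource type.'
    policyAssignmentId: blockingAssignmentId
    exemptionCategory: 'Waiver'
    // The resource selector narrows the exemption to the single resource type
    // the onboarding needs, so every other resource in the group stays governed.
    resourceSelectors: [
      {
        name: 'SentinelPlatformServicesOnly'
        selectors: [
          {
            kind: 'resourceType'
            in: [
              'Microsoft.SentinelPlatformServices/sentinelplatformservices'
            ]
          }
        ]
      }
    ]
  }
}

// Emitted so the exemption can be referenced or audited after deployment.
output exemptionId string = sentinelDataLakeExemption.id
```

Deploy it against the billing resource group with `az deployment group create --resource-group <resource-group> --template-file exemption.bicep`, then retry the data lake setup.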
Troubleshooting Common Errors
During setup, you may encounter errors such as:
- DL101 – Region mismatch: Ensure the Sentinel workspace and tenant’s home region match.
- DL102 – Resource availability: Retry provisioning when resources are temporarily unavailable.
- DL103 – Policy restrictions: Update Azure policies to allow creation of required managed resources.
After Onboarding
Once onboarding completes, you can immediately:
- Run Data Lake exploration KQL queries in the Defender portal.
- Schedule and execute Microsoft Sentinel Data Lake jobs.
- Manage retention policies across analytics and data lake tiers in one place.
- Use cost management tools to monitor ingestion, storage, and query usage.
In addition, auxiliary log tables become available for KQL exploration, which simplifies investigation workflows and strengthens visibility across all connected data sources.
Conclusion
Onboarding Microsoft Sentinel Data Lake transforms your existing Sentinel environment into a tenant-wide, scalable security data platform. It unifies hot and cold data, integrates auxiliary logs, and enables advanced querying directly from the Defender portal. As a result, your SOC gains the flexibility to retain data longer, analyze it smarter, and control costs effectively.
If you missed the first two parts of the Unlocking Scalable Security Analytics series:
- Part 1: Unlocking Scalable Security Analytics: Why Pair Microsoft Sentinel with a Data Lake?
- Part 2: Unlocking Scalable Security Analytics: Save with Sentinel Data Lake
👉 Next week, we’ll dive into best practices for querying data in Sentinel Data Lake to optimize performance and reduce spend.
📚 Reference: Onboarding Guide
