Merge pull request #303774 from javiersoriano/patch-13

prmerger-automator[bot] · web-flow · commit 3ac215281687 · 2025-08-04T08:47:47.000Z
Update manage-data-overview.md
diff --git a/articles/sentinel/manage-data-overview.md b/articles/sentinel/manage-data-overview.md
@@ -65,10 +65,10 @@ This table compares the two analytics and data lake tiers and their key characte
 | Ingestion cost                                         | Standard                                                     | Minimal                                                      | 
 | Query price included                                   | ✅                                                           | ❌                                                            | 
 | Optimized query performance                            | ✅                                                           | ❌ Slower queries.<br>Good for auditing. Not optimized for real-time analysis. |
-| Query capabilities                                     | [Full query capabilities](/azure/azure-monitor/logs/get-started-queries) in the Microsoft Defender and Azure portals and using APIs.    | - [Full KQL on a single table](/azure/azure-monitor/logs/basic-logs-query), which you can extend with data from an analytics table using [lookup](/azure/data-explorer/kusto/query/lookup-operator).<br>- Run scheduled KQL or Spark jobs.<br>- Use Notebooks. |
+| Query capabilities                                     | [Full query capabilities](/azure/azure-monitor/logs/get-started-queries) in the Microsoft Defender and Azure portals and using APIs.    | - [Full query capabilities](/azure/azure-monitor/logs/get-started-queries) including unions and joins.<br>- Run scheduled KQL or Spark jobs.<br>- Use Notebooks. |
 | Full set of real-time analytics features | ✅                                                           | ❌  Limitations on some features, including analytics rules, hunting queries, parsers, watchlists, workbooks, and playbooks.                                                           |
 | [Search jobs](investigate-large-datasets.md)                  | ✅                                                           | ✅                                                            |
-| [Summary rules](summary-rules.md)              | ✅                                                           | ✅ KQL limited to a single table                              |
+| [Summary rules](summary-rules.md)              | ✅                                                           | ✅  [Full KQL on a single table](/azure/azure-monitor/logs/basic-logs-query), which you can extend with data from an analytics table using [lookup](/azure/data-explorer/kusto/query/lookup-operator)                              |
 | [Restore](restore.md)                          | ✅                                                           | ❌                                                            |
 | [Data export](/azure/azure-monitor/logs/logs-data-export)                     | ✅                                                           | ❌                                                            |
 | Retention period                                  | 90 days for Microsoft Sentinel, 30 days for Microsoft Defender XDR.<br> Can be extended to up to two years at a prorated monthly long-term retention charge. | Same as analytics retention, by default. Can be extended to up to 12 years. |
