Commit 4aa2980

Merge pull request #302813 from EdB-MSFT/lake-updates-1607-2
Lake updates 1607 2
2 parents f2eb96f + aa3d0ad commit 4aa2980

5 files changed

+18
-18
lines changed

articles/sentinel/graph/notebooks.md

Lines changed: 6 additions & 6 deletions
@@ -7,7 +7,7 @@ ms.author: edbaynash
77
ms.topic: how-to
88
ms.service: microsoft-sentinel
99
ms.subservice: sentinel-graph
10-
ms.date: 07/15/2025
10+
ms.date: 07/16/2025
1111

1212

1313
# Customer intent: As a security engineer or data scientist, I want to explore and analyze security data in the Microsoft Sentinel data lake using Jupyter notebooks, so that I can gain insights and build advanced analytics solutions.
@@ -179,7 +179,7 @@ The following table lists common errors you may encounter when working with note
179179

180180
### Spark compute
181181

182-
| **Error message** | Display surface | Message description | Root cause | Suggested action |
182+
| Error message| Display surface | Message description | Root cause | Suggested action |
183183
|-------------------|-----------------|----------------------|------------|------------------|
184184
| **LIVY_JOB_TIMED_OUT: Livy session has failed. Session state: Dead. Error code: LIVY_JOB_TIMED_OUT. Job failed during run time with state=[dead]. Source: Unknown.** | In-Line. | Session timed out or user stopped the session. | Session timed out or user stopped the session. | Execute the cell again. |
185185
| **Not enough capacity is available. User requested for X vCores but only {number-of-cores} vCores are available.** | Output channel – “Window”. | Spark compute pool not available. | Compute pool hasn't started or is being used by other users or jobs. | Retry with a smaller pool, stop any active Notebooks locally, or stop any active Notebook Job Runs. |
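Review bot: The new Spark compute header at line 182 reads `| Error message| Display surface |`, with no space before the second pipe, while the VS Code Runtime, Interactive notebooks and Jobs headers changed in this same commit use `| Error message |`. The Library header at line 210 has the same slip. It renders identically, but since this commit exists to normalise these header rows, make all five the same: `| Error message | Display surface | Message description | Root cause | Suggested action |`.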
@@ -190,7 +190,7 @@ The following table lists common errors you may encounter when working with note
190190

191191
### VS Code Runtime
192192

193-
| **Error message** | Display surface | Message description | Root cause | Suggested action |
193+
| Error message | Display surface | Message description | Root cause | Suggested action |
194194
|-------------------|-----------------|----------------------|------------|------------------|
195195
| **Kernel with id – k1 - has been disposed.** | Output channel – “Jupyter”. | Kernel not connected. | VS Code lost connection to the compute kernel. | Reselect the Spark pool and execute a cell. |
196196
| **ModuleNotFoundError: No module named 'MicrosoftSentinelProvider'.** | Inline. | Module not found. | Missing import for example, Microsoft Sentinel Library library | Run the setup/init cell again. |
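Review bot: The root-cause cell at line 196 of the VS Code Runtime table still reads "Missing import for example, Microsoft Sentinel Library library", with a doubled "library" and no punctuation around "for example". As this cleanup already touches the table, fix that row in the same pass, for instance "Missing import, for example the Microsoft Sentinel library." Note also that the header is now plain while every first-column cell stays bold; if that is intentional, fine, but say so in the commit message.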
@@ -199,15 +199,15 @@ The following table lists common errors you may encounter when working with note
199199

200200
### Interactive notebooks
201201

202-
| **Error message** | Display surface | Message description | Root cause | Suggested action |
202+
| Error message | Display surface | Message description | Root cause | Suggested action |
203203
|-------------------|-----------------|----------------------|------------|------------------|
204204
| **{"level": "ERROR", "run_id": "...", "message": "Error loading table {table-name}: No container of kind 'DeltaParquet' found for table '...\|{table-name}'."}.** | Inline. | The specified source table doesn't exist. | One or more source tables don't exist in the given workspaces. The table may have been recently deleted from your workspace | Verify if source tables exist in the workspace. |
205205
| **{"level": "ERROR", "run_id": "...", "message": "Database Name {table-name} doesnt exist."}.** | Inline. | The workspace or database name provided in the query is invalid or inaccessible. | The referenced database doesn't exist. | Confirm the database name is correct. |
206206
| **401 Unauthorized.** | Output channel – “Window”. | Gateway 401 error. | Gateway has a 1 hour timeout that was reached. | Run a cell again to establish a new connection. |
207207

208208
### Library
209209

210-
| **Error message** | Display surface | Message description | Root cause | Suggested action |
210+
| Error message| Display surface | Message description | Root cause | Suggested action |
211211
|-------------------|-----------------|----------------------|------------|------------------|
212212
| **403 Forbidden.** | Inline. | Access denied. | User doesn’t have permission to read/write/delete the specified table. | Verify user has the role required. |
213213
| **TableOperationException: Error saving DataFrame to table {table-name}_SPRK: 'schema'.** | Inline. | Schema mismatch on write. | save_as_table() is writing data that doesn’t match the existing schema. | Check the dataframe schema and align it with the destination table. |
@@ -218,7 +218,7 @@ The following table lists common errors you may encounter when working with note
218218

219219
### Jobs
220220

221-
| **Error message** | Display surface | Message description | Root cause | Suggested action |
221+
| Error message | Display surface | Message description | Root cause | Suggested action |
222222
|-------------------|-----------------|----------------------|------------|------------------|
223223
| **Job Run status shows the Status as Failed.** | Inline. | Job Run failure. | The notebook is corrupted or contains unsupported syntax for scheduled execution. | Open the Notebook Run Snapshot and validate that all cells run sequentially without manual input. |
224224

articles/sentinel/graph/sentinel-lake-overview.md

Lines changed: 3 additions & 3 deletions
@@ -1,13 +1,13 @@
11
---
2-
title: Microsoft Sentinel data lake overview(preview).
2+
title: Microsoft Sentinel data lake overview (preview)
33
titleSuffix: Microsoft Security
44
description: An overview of Microsoft Sentinel data lake, a cloud-native platform that extends Microsoft Sentinel with highly scalable, cost-effective long-term storage, advanced analytics, and AI-driven security operations.
55
author: EdB-MSFT
66
ms.service: microsoft-sentinel
77
ms.subservice: sentinel-graph
88
ms.topic: conceptual
99
ms.custom: references_regions
10-
ms.date: 07/09/2025
10+
ms.date: 07/16/2025
1111
ms.author: edbaynash
1212

1313
ms.collection: ms-security
@@ -40,7 +40,7 @@ Microsoft Sentinel data lake, built on Azure's scalable infrastructure, facilita
4040
+ Support for multiple analytics engines to unlock insights from your security data.
4141
+ Native integration with Microsoft Sentinel SIEM and its security operations workflows.
4242

43-
### Storage Tiers
43+
### Storage tiers
4444

4545
Microsoft Sentinel is designed with two distinct storage tiers to optimize cost and performance:
4646

articles/sentinel/manage-data-overview.md

Lines changed: 3 additions & 3 deletions
@@ -1,11 +1,11 @@
11
---
22
title: Manage data tiers and retention in Microsoft Sentinel (preview)
3-
description: Manage log data in Microsoft Sentinel (SIEM) and Microsoft Defender XDR through the Microsoft Defender Portal to optimize security operations and cost efficiency.
3+
description: Manage log data in Microsoft Sentinel and with Microsoft Defender XDR services in the Microsoft Defender portal to optimize security operations and cost efficiency.
44
ms.reviewer: dzatakovi
55
ms.author: guywild
66
author: guywi-ms
77
ms.topic: conceptual
8-
ms.date: 05/06/2025
8+
ms.date: 07/16/2025
99
# Customer intent: As an Microsoft Defender Portal administrator or subscription owner, I want to configure log table tiers and data retention settings to optimize security operations needs and cost efficiency.
1010
---
1111

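Review bot: The description at line 3 now says "Microsoft Defender portal" in lower case, but the Customer intent comment at line 9 still says "As an Microsoft Defender Portal administrator", so the front matter disagrees with itself on capitalisation and carries an article error ("an Microsoft"). Suggest "As a Microsoft Defender portal administrator or subscription owner, ..." in the same change. The new description phrase "in Microsoft Sentinel and with Microsoft Defender XDR services" also reads awkwardly; "in Microsoft Sentinel and Microsoft Defender XDR" would be tighter if it keeps the intended meaning.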
@@ -26,7 +26,7 @@ This section describes the table types you can manage in the Defender portal.
2626

2727
| Table type | Description | Examples | Is in Microsoft Sentinel workspace? |
2828
|----------------------------------|----------------------------------------------------------------------------------------------------------------|------------------------------------------------------|----------------------------------|
29-
| **Sentinel** | Built-in tables, including:<br>- Azure tables, such as AzureDiagnostics and SigninLogs.<br>- Microsoft Sentinel tables.<br>- [Supported Defender XDR advanced hunting tables](#preview-limitations), which are created in your Microsoft Sentinel workspace when you increase the retention period beyond 30 days. See the **XDR** table type for Defender XDR tables that are currently unsupported. | - Azure tables: `AzureDiagnostics`, `SigninLogs`<br>- Microsoft Sentinel tables: `AWSCloudTrail`, `SecurityAlert`<br>- XDR tables: `DeviceEvents`,<br>`AlertInfo` | Yes |
29+
| **Microsoft Sentinel** | Built-in tables, including:<br>- Azure tables, such as AzureDiagnostics and SigninLogs.<br>- Microsoft Sentinel tables.<br>- [Supported Defender XDR advanced hunting tables](#preview-limitations), which are created in your Microsoft Sentinel workspace when you increase the retention period beyond 30 days. See the **XDR** table type for Defender XDR tables that are currently unsupported. | - Azure tables: `AzureDiagnostics`, `SigninLogs`<br>- Microsoft Sentinel tables: `AWSCloudTrail`, `SecurityAlert`<br>- XDR tables: `DeviceEvents`,<br>`AlertInfo` | Yes |
3030
| **Custom** | Tables you create manually or through jobs in your Microsoft Sentinel workspace, including summary rule and search job results tables, and custom data source tables. | Tables with `_CL` or `_SRCH` suffixes. | Yes |
3131
| **XDR**| Tables in the XDR default tier, which have 30 days of analytics retention by default. You can view these tables, but you can't manage them from the Defender portal. | `IdentityInfo` | No |
3232

articles/sentinel/microsoft-sentinel-defender-portal.md

Lines changed: 1 addition & 1 deletion
@@ -38,7 +38,7 @@ The following table describes the new or improved capabilities available in the
3838
| **Enhanced visibility and reduced risk exposure** | Analyze attack paths to see how a cyber attacker could exploit vulnerabilities. Use guided SOC optimization recommendations to reduce costs and exposure, and prioritize actions based on potential impact. | - [Optimize your security operations](soc-optimization/soc-optimization-access.md)<br><br>- [Use SOC optimizations programmatically](soc-optimization/soc-optimization-api.md)<br><br>- [SOC optimization reference of recommendations](soc-optimization/soc-optimization-reference.md) |
3939
| **Tailored post-incident recommendations** | Prevent similar or repeat cyberattacks with tailored recommendations tied to Microsoft Security Exposure Management initiatives. | [Microsoft Security Exposure Management for enhanced security posture](/unified-secops-platform/overview-msem-strategy) |
4040
| **Cost and data optimization** | Customers can access both Microsoft Sentinel and Defender XDR data in a unified and consistent schema in the Defender portal. <br><br>Advanced hunting raw logs are available for 30 days for hunting free of charge without needing to ingest them into Microsoft Sentinel. | [What to expect to for Defender XDR tables streamed to Microsoft Sentinel](/defender-xdr/advanced-hunting-microsoft-defender#what-to-expect-for-defender-xdr-tables-streamed-to-microsoft-sentinel) |
41-
| **Unified cost-effective data lake** | Improve costs and scale with simplified data onboarding, dynamic recommendations, robust out of the box solutions, and a centralized, cost-effective data lake, enabling enterprise-wide visibility. | [What is Microsoft Sentinel data lake (Preview)](graph/sentinel-lake-overview.md) |
41+
| **Unified, cost-effective data lake** | Improve costs and scale with simplified data onboarding, dynamic recommendations, robust out of the box solutions, and a centralized, cost-effective data lake, enabling enterprise-wide visibility. | [What is Microsoft Sentinel data lake (Preview)](graph/sentinel-lake-overview.md) |
4242
## Limited or unavailable capabilities with Microsoft Sentinel only in the Defender portal
4343

4444
When you onboard Microsoft Sentinel to the Defender portal without Defender XDR or other services enabled, the following capabilities are limited or unavailable:
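Review bot: The link text on the changed row at line 41 still reads "What is Microsoft Sentinel data lake (Preview)" with a capital P, while this same commit retitles the target article to "Microsoft Sentinel data lake overview (preview)". Lower-case it here so the link text matches the target. Having added the comma in "Unified, cost-effective", consider also hyphenating "out of the box solutions" on the same line as "out-of-the-box solutions". The unchanged row above has "What to expect to for Defender XDR tables", which has a stray "to" that could be fixed at the same time.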

articles/sentinel/whats-new.md

Lines changed: 5 additions & 5 deletions
@@ -20,7 +20,11 @@ The listed features were released in the last six months. For information about
2020

2121
## July 2025
2222

23-
### Microsoft Sentinel data lake
23+
- [Microsoft Sentinel data lake (preview) ](#microsoft-sentinel-data-lake-preview)
24+
- [No limit on the number of workspaces you can onboard to the Defender portal](#no-limit-on-the-number-of-workspaces-you-can-onboard-to-the-defender-portal)
25+
- [Microsoft Sentinel in the Azure portal to be retired July 2026](#microsoft-sentinel-in-the-azure-portal-to-be-retired-july-2026)
26+
27+
### Microsoft Sentinel data lake (preview)
2428

2529
Microsoft Sentinel is now enhanced with a modern data lake, purpose-built to streamline data management, reduce costs, and accelerate AI adoption for security operations teams. The new Microsoft Sentinel data lake offers cost-effective, long-term storage, eliminating the need to choose between affordability and robust security. Security teams gain deeper visibility and faster incident resolution, all within the familiar Sentinel experience, enriched through seamless integration with advanced data analytics tools.
2630

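Review bot: The new list entry at line 23 has a trailing space inside the link text, `[Microsoft Sentinel data lake (preview) ](#microsoft-sentinel-data-lake-preview)`, which some renderers show as an underlined space. Drop the space before the closing bracket. The anchor itself matches the renamed heading at line 27, so the link target is correct.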
@@ -34,10 +38,6 @@ Explore the data lake using KQL queries, or use the new Microsoft Sentinel data
3438

3539
Learn more at [Data lake tech blog](https://aka.ms/datalaketechblog).
3640

37-
38-
- [No limit on the number of workspaces you can onboard to the Defender portal](#no-limit-on-the-number-of-workspaces-you-can-onboard-to-the-defender-portal)
39-
- [Microsoft Sentinel in the Azure portal to be retired July 2026](#microsoft-sentinel-in-the-azure-portal-to-be-retired-july-2026)
40-
4141
### No limit on the number of workspaces you can onboard to the Defender portal
4242

4343
There is no longer any limit to the number of workspaces you can onboard to the Defender portal.
