articles/sentinel/datalake/sentinel-lake-onboarding.md
4 additions & 3 deletions
@@ -4,7 +4,7 @@ titleSuffix: Microsoft Security
4
4
description: This article describes how to onboard to the Microsoft Sentinel data lake
5
5
author: EdB-MSFT
6
6
ms.topic: how-to
7
-
ms.date: 07/13/2025
7
+
ms.date: 07/20/2025
8
8
ms.author: edbaynash
9
9
ms.service: microsoft-sentinel
10
10
ms.subservice: sentinel-graph
@@ -25,7 +25,7 @@ Onboarding makes the following changes once complete:
25
25
26
26
+ Your data lake is provisioned for your selected subscription and resource group.
27
27
28
-
+ Your primary and other workspaces connected to Microsoft Defender that are located in the same region as your Entra tenant home region are attached to your Microsoft Sentinel data lake. Unconnected workspaces will not be attached to the data lake.
28
+
+ Your primary and other workspaces connected to Microsoft Defender that are located in the same region as your Microsoft Entra tenant home region are attached to your Microsoft Sentinel data lake. Unconnected workspaces won't be attached to the data lake.
29
29
30
30
+ Once Microsoft Sentinel data lake is enabled, data in the Microsoft Sentinel analytics tier is also available in the Microsoft Sentinel data lake tier from that point forward without extra charge. You can use existing Microsoft Sentinel workspace connectors to ingest new data to both the analytics and the data lake tiers, or just the data lake tier.
31
31
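Review bot: The reworded bullet at new line 28 still leaves one case unstated: workspaces that are connected to Microsoft Defender but located outside the tenant home region. The closing sentence covers only unconnected workspaces, so a reader can't tell from this text what happens to an out-of-region connected workspace, which matters when working out which log sources end up in the lake. Suggest stating that case explicitly in the final sentence. The phrase "located in the same region as your Microsoft Entra tenant home region" could also be shortened to "located in your Microsoft Entra tenant home region".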
@@ -38,6 +38,7 @@ Onboarding makes the following changes once complete:
38
38
39
39
+ If your organization currently uses Microsoft Sentinel SIEM (Security Information and Event Management), the billing and pricing for features like search jobs and queries, auxiliary logs, and long-term retention also known as "archive", switch to Microsoft Sentinel data lake-based billing, potentially increasing your costs.
40
40
+ Auxiliary log tables are integrated into the Microsoft Sentinel data lake. Auxiliary tables in Microsoft Defender connected workspaces that are onboarded to the Microsoft Sentinel data lake become an integral part of the data lake, making them available for use in data lake queries and jobs.
41
+
+ A managed identity is created with the prefix `msg-resources-` followed by a guid. This managed identity is required for data lake functionality. Don't delete or remove required permissions from this managed identity. The identity has the Azure Reader role over subscriptions onboarded into the data lake. To enable custom table creation in the analytics tier, assign **Log Analytics Contributor** role to this identity for the relevant Log Analytics workspaces. For more information, see [Create KQL jobs in the Microsoft Sentinel data lake (preview)](./kql-jobs.md#permissions).
41
42
42
43
> [!NOTE]
43
44
> Auxiliary log tables for Microsoft Defender connected workspaces are no longer accessible from Microsoft Defender Advanced hunting once the data lake is enabled.
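Review bot: In the added managed identity bullet (new line 41), "guid" should be "GUID" and "assign **Log Analytics Contributor** role" should read "assign the **Log Analytics Contributor** role". The bullet tells readers not to delete the identity or remove its permissions but doesn't say what stops working if they do; one clause on that would help an admin who meets an unfamiliar `msg-resources-` identity during an access review. Since the preceding sentence describes a Reader role over whole subscriptions, it would also help to say plainly that the Log Analytics Contributor assignment is optional and made per workspace, so readers don't grant it at subscription scope.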
@@ -74,7 +75,7 @@ The following roles that are required to set up billing and authorize ingestion
74
75
75
76
## Existing Microsoft Sentinel workspaces
76
77
77
-
The Microsoft Sentinel data lake mirrors data from Microsoft Sentinel workspaces that are connected to the Defender portal. You must connect your Sentinel workspaces to the Defender portal to include them in the data lake. If you have connected Sentinel to the Defender portal, to onboard to the data lake, the primary workspace must be in the tenant's home geographic region. If you haven't connected Microsoft Sentinel to the Defender portal, you can connect your Microsoft Sentinel workspaces to the Defender portal after onboarding, and the data will be mirrored to the data lake. For more information, see [Connect Microsoft Sentinel to the Microsoft Defender portal](/unified-secops-platform/microsoft-sentinel-onboard).
78
+
The Microsoft Sentinel data lake mirrors data from Microsoft Sentinel workspaces that are connected to the Defender portal. You must connect your Microsoft Sentinel workspaces to the Defender portal to include them in the data lake. If you have connected Sentinel to the Defender portal, to onboard to the data lake, the primary workspace must be in the tenant's home geographic region. If you haven't connected Microsoft Sentinel to the Defender portal, you can connect your Microsoft Sentinel workspaces to the Defender portal after onboarding, and the data will be mirrored to the data lake. For more information, see [Connect Microsoft Sentinel to the Microsoft Defender portal](/unified-secops-platform/microsoft-sentinel-onboard).
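Review bot: The third sentence of the changed paragraph (new line 78) still says "If you have connected Sentinel to the Defender portal", so the product name stays inconsistent within the paragraph; change it to "Microsoft Sentinel" as well. That sentence is also hard to parse as written; consider "To onboard to the data lake when Microsoft Sentinel is already connected to the Defender portal, the primary workspace must be in the tenant's home geographic region."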