How do I actually get data into the Sentinel data lake?
The Sentinel data lake has arrived, and people seem very excited. But we’ve already had lots of questions come up, one of the most important being “How do I actually get my data into the data lake?” Well, here is your answer.
Start in the new Tables blade in the Defender Portal. Select a table that includes data you want to send to the lake. Some tables can’t be sent to the lake at all. Some can be sent for long-term retention. And some can send all the data to the lake, bypassing Log Analytics completely. We’ll talk about which tables can move where later in the week.
For now, we’re just going to talk about how to move the data. I’ve selected the SigninLogs table. Click the Manage table icon and you will see a box pop up.
Analytics retention is literally how long you want to keep the data in a “hot” state. This is what you might be used to calling Log Analytics.
Total retention either sends data to what we called “archive” or, if you have enabled the data lake, now sends the data you want to retain “long term” to the lake.
If you click the little information icon next to Total retention, you will see this message.
As mentioned earlier, some tables can go directly to the Data lake tier. For those tables, you’ll see an additional option when you click the Manage table icon. You can send data to the lake for up to 12 years.
Hope this helps!