What is the default workspace in Sentinel data lake?
If you’ve recently onboarded to the Sentinel data lake and are using the KQL queries feature in the Data lake exploration blade, you’ve probably run into the Default workspace.
When you first open this section, you’ll see a set of tables on the left side of the page. And if you’re anything like me, you’re thinking “What on earth are those tables and where are all the tables I want to query?”
To get to the “traditional” Sentinel tables like SigninLogs or CommonSecurityLog, navigate to the upper right (see the box in red above) and select your Sentinel workspace. You should now see all the tables that you’re used to querying. One warning though — every query you run in the Data lake exploration blade has a cost. A very small cost, but still a cost. If you’re querying data that is still within your retention period, you might want to do it the old-fashioned way — either in the Logs section of the Sentinel portal or in Advanced Hunting in the Defender portal.
But what about the tables in the Default workspace? What are they? These tables are collected from two sources — the Azure Resource Graph (ARG) and the Microsoft Entra asset data connector.
The ARG offers a way to explore, query, and manage Azure resources across large, complex environments. You can access detailed properties about your Azure resources without making individual API calls to each resource provider. This capability is crucial for data lake users who need to correlate resource metadata with ingested logs and telemetry for deeper insights. Imagine the benefits of threat hunting when you can combine ARG metadata with your security logs and threat intelligence feeds.
The Entra asset tables store identity-related data like users, group memberships, service principals, and organizational information. Analysts can correlate Entra identity data with activity logs to trace suspicious behavior across users and groups.
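To make the correlation idea in the last two paragraphs concrete, here is an added KQL example (mine, not the author’s and not a query shipped with Sentinel). It enriches failed sign-ins from the workspace’s SigninLogs table with identity attributes from an Entra asset table. The Entra table name (EntraUsers) and its columns (userPrincipalName, accountEnabled, department) are assumptions for illustration; check the actual names in the Default workspace before using it. It also assumes the Entra table and SigninLogs can be referenced from the same query context; if they live in different workspaces, reference the identity table through the workspace() function instead.

```kql
// Added example: enrich failed sign-ins with Entra asset data.
// Assumed identity table and columns (EntraUsers, userPrincipalName,
// accountEnabled, department); SigninLogs columns are the standard ones.
let lookback = 7d;
// Failed sign-ins per account; ResultType "0" is success, anything else is a failure.
let failedSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize
        FailedCount = count(),
        DistinctSourceIPs = dcount(IPAddress),
        FirstFailure = min(TimeGenerated),
        LastFailure = max(TimeGenerated)
      by Upn = tolower(UserPrincipalName);
// Join against the identity inventory so each failing account carries
// its enabled state and department from Entra (assumed column names).
EntraUsers
| project Upn = tolower(userPrincipalName), accountEnabled, department
| join kind=inner failedSignins on Upn
// Surface the cases an analyst cares about: repeated failures against
// a disabled account, or one account failing from many source addresses.
| where accountEnabled == false or DistinctSourceIPs >= 5
| project Upn, accountEnabled, department, FailedCount, DistinctSourceIPs, FirstFailure, LastFailure
| order by FailedCount desc
```

The same pattern applies to the ARG tables: summarize the activity you care about from your security logs, then join on the resource identifier (for example the Azure resource ID carried in Activity or diagnostic logs) to pull in tags, location, and resource type from the resource inventory.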
Many have asked if there is any cost for these tables. The answer is a resounding YES. If you don’t want to be charged for the data ingestion, you’ll need to disable the connectors.
To remove the ARG connector, first install the Azure Resource Graph connector package from the Content hub (Microsoft Sentinel > Content management > Content hub): search for “Azure Resource Graph” and install the package. Then go to the Data connectors page (Microsoft Sentinel > Configuration > Data connectors), search for “Azure Resource Graph”, select the Azure Resource Graph connector, and click Open connector page. In the connector details page, click the Disconnect button.
To disable Entra asset collection, you’ll have to call support.
You may have noticed that the Manage Table button is disabled in Table Management for the tables in the Default workspace. That’s because the retention and storage meters are temporarily turned off. For now, you can’t change the retention to more than 30 days.