Task 03: Review data retention and Lake integration status

Introduction

After updating table retention policies, you’ll verify that your configuration is applied and confirm that long-term data remains queryable from the Data Lake.

Success criteria

  • Updated retention values visible in the Sentinel portal.
  • Historical data queryable from the Data Lake.

Key steps:

  1. Return to the Defender portal, and go to Microsoft Sentinel > Configuration > Tables.

  2. Review the following columns for accuracy:

    • Analytics Retention (days)

    • Total Retention (days)

    • Tier (Analytics / Data lake / XDR)

  3. Confirm that updated values appear for the tables you modified.

  4. Validate Lake data access for the SecurityAlert table.

     Example configuration:

       • Analytics retention = 90 days
       • Total retention = 180 days

     This setup means:

       • Sentinel keeps 90 days of data in the Analytics Tier (Log Analytics hot storage).
       • After 90 days, data moves automatically to the Lake Tier (cold storage in OneLake/ADLS Gen2).
       • You can still query older data directly from the Data Lake.

  5. In the Defender portal, go to Microsoft Sentinel > Data Lake Exploration > KQL Queries.

  6. Run the following KQL query to verify that historical data is still accessible:

     // Daily SecurityAlert volume for the last 30 days, run from Data Lake Exploration
     SecurityAlert
     | where TimeGenerated > ago(30d)
     | summarize Count = count() by bin(TimeGenerated, 1d)   // one row per day
     | sort by TimeGenerated desc                            // newest day first
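The query above only looks back 30 days, which is inside the Analytics retention window of the example configuration (90 days), so it proves the Data Lake query path works but not that data beyond the Analytics Tier is still returned. The following query is an added example and is not part of the lab content: it splits SecurityAlert records into those still within Analytics retention and those older than it, then reports the record count and the oldest and newest timestamp per bucket. The 90-day and 180-day values are taken from the lab's example configuration; adjust `AnalyticsRetention` and the outer `ago(180d)` bound to whatever you set on the table.

```kql
// Added example (not from the lab): confirm that records older than the
// Analytics retention are still returned when run from
// Microsoft Sentinel > Data Lake Exploration > KQL Queries.
let AnalyticsRetention = 90d;   // assumption: matches the Analytics retention you set on SecurityAlert
SecurityAlert
| where TimeGenerated > ago(180d)   // Total retention in the example configuration
| extend StorageTier = iff(TimeGenerated > ago(AnalyticsRetention),
                           "Analytics Tier (within Analytics retention)",
                           "Lake Tier (older than Analytics retention)")
| summarize Records = count(),
            OldestRecord = min(TimeGenerated),
            NewestRecord = max(TimeGenerated)
            by StorageTier
| order by OldestRecord asc
```

A "Lake Tier" row with a non-zero `Records` value and an `OldestRecord` earlier than 90 days ago confirms that data beyond the Analytics Tier is queryable from the Data Lake. That row can only appear once the table has actually accumulated data older than the Analytics retention, so on a newly onboarded workspace its absence does not by itself indicate a misconfiguration.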