Microsoft Sentinel Blog

Lake-Only Ingestion for Microsoft Defender Advanced Hunting Tables is Now Generally Available

Matt_Lowe
Feb 10, 2026

Today, we’re excited to announce the general availability (GA) of lake‑only ingestion for Microsoft XDR Advanced Hunting tables into Microsoft Sentinel data lake.

Security teams continue to generate unprecedented volumes of high‑fidelity telemetry across endpoints, identities, cloud apps, and email. While this data is essential for detection, investigation, and threat hunting, it also creates new challenges around scale, cost, and long‑term retention.

With this release, users can now ingest Advanced Hunting data from:

  • Microsoft Defender for Endpoint (MDE)
  • Microsoft Defender for Office 365 (MDO)
  • Microsoft Defender for Cloud Apps (MDA)

directly into Sentinel data lake, without requiring ingestion into the Microsoft Sentinel Analytics tier.

Support for Microsoft Defender for Identity (MDI) Advanced Hunting tables will follow in the near future.

Supported Tables

This release enables lake‑only ingestion for Advanced Hunting data from:

  • Defender for Endpoint (MDE) – DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents, DeviceFileCertificateInfo
  • Defender for Office 365 (MDO) – EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, EmailUrlInfo, UrlClickEvents
  • Defender for Cloud Apps (MDA) – CloudAppEvents

Each source is ingested natively into Sentinel data lake, aligning with Microsoft’s broader lake‑centric security data strategy.

As mentioned above, Microsoft Defender for Identity will be available in the near future.

What’s New with Lake‑Only Ingestion

Until now, Advanced Hunting data was primarily optimized for near‑real‑time security operations and analytics. As users extend their detection strategies to include longer retention, retrospective analysis, AI‑driven investigations, and cross‑domain correlation, the need for a lake‑first architecture becomes critical.

With lake‑only ingestion, Sentinel data lake becomes a must-have destination for XDR insights, enabling users to:

  • Store high‑volume Defender Advanced Hunting data efficiently at scale while reducing operational overhead
  • Extend security analytics and data beyond traditional analytics lifespans for investigation, compliance, and threat research with up to 12 years of retention
  • Query data using KQL‑based experiences across unified datasets with the KQL explorer, KQL Jobs, and Notebook Jobs
  • Integrate data with AI-driven tooling via MCP Server for quick and interactive insights into the environment
  • Visualize threat landscapes and relational mappings while threat hunting with custom Sentinel graphs
  • Decouple storage and retention decisions from real‑time SIEM operations while building a more flexible and future‑proof Sentinel architecture
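As an added example of the retrospective analysis this enables (not a query from the original post), the KQL below builds a per-device baseline of process executions from lake-retained DeviceProcessEvents and surfaces processes launched in the last seven days that never appeared in the preceding baseline window. It assumes DeviceProcessEvents has been set to the data lake tier with total retention longer than the 90-day window used here, since a 90-day lookback exceeds the 30-day window kept in the Advanced Hunting table itself; the window sizes and the rarity threshold are illustrative choices, and the columns used are standard Advanced Hunting schema columns.

```kql
// Added example, not from the original post. Run in the KQL explorer or as a KQL Job
// against the lake-tier DeviceProcessEvents table.
// Assumption: total retention on the table is at least 90 days.
let lookback = 90d;          // how far back the baseline reaches
let recent_window = 7d;      // period under review
let baseline_end = ago(recent_window);
// Baseline: every (device, executable) pair seen between 90 and 7 days ago
let baseline =
    DeviceProcessEvents
    | where Timestamp between (ago(lookback) .. baseline_end)
    | summarize BaselineCount = count() by DeviceName, FileName;
// Recent activity: executables launched in the last 7 days, with context for triage
DeviceProcessEvents
| where Timestamp > baseline_end
| summarize RecentCount = count(),
            FirstSeen = min(Timestamp),
            SampleCommandLine = take_any(ProcessCommandLine),
            Accounts = make_set(AccountName, 10)
    by DeviceName, FileName, FolderPath, SHA256
// Keep only executables with no baseline history on that device
| join kind=leftanti baseline on DeviceName, FileName
// Illustrative threshold: focus on executables that also ran rarely in the recent window
| where RecentCount <= 5
| project FirstSeen, DeviceName, FileName, FolderPath, SHA256, RecentCount, Accounts, SampleCommandLine
| order by FirstSeen desc
```

Because the baseline is computed from data that has already aged out of the 30-day Advanced Hunting table, this is the kind of query that only works against the lake copy; the same pattern applies to DeviceNetworkEvents or DeviceLogonEvents by swapping the grouping columns.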

Enabling Sentinel Lake-Only Ingestion for Advanced Hunting Tables

The ingestion pipeline for sending Defender Advanced Hunting data to Sentinel data lake leverages existing infrastructure and UI experiences. To enable Advanced Hunting tables for Sentinel data lake ingestion:

  1. Within the Defender Portal, expand the Microsoft Sentinel section in the left navigation.
  2. Go to Configuration > Tables.
  3. Find any of the tables listed above and select one.
  4. In the side pane that opens, select Data Retention Settings.
  5. Once the options open, select the button next to ‘Data lake tier’ to set the table to ingest directly into Sentinel data lake.
  6. Set the desired total retention for the data.
  7. Click Save.

With this configuration, Defender data remains in each Advanced Hunting table for 30 days, where it stays accessible to custom detections and queries, while a copy of the logs is sent to Sentinel data lake for use with custom graphs and the MCP server, with the option of retention up to 12 years.

Why Lake‑Only Matters

Built for Scale and Cost Efficiency

Advanced Hunting data is rich—and voluminous. Sentinel data lake enables users to store this data using a lake‑optimized model, designed for high‑volume ingestion and long‑term analytical workloads while making it easy to manage table tiers and usage.

A Foundation for Advanced Analytics

With Defender data co‑located alongside other security and cloud signals, users can unlock:

  • Cross‑domain investigations across endpoint, identity, cloud, and email
  • Retrospective hunting without re‑ingestion
  • AI‑assisted analytics and large‑scale pattern detection
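As an added example of a cross-domain investigation across email and endpoint (not a query from the original post), the KQL below correlates Defender for Office 365 URL clicks that carried a threat verdict with Defender for Endpoint network connections to the same host from the clicking user's device, over a 180-day lake-retained window. It assumes both UrlClickEvents and DeviceNetworkEvents are on the data lake tier with at least 180 days of retention; the one-hour correlation window and the matching of the UPN prefix against the endpoint account name are heuristics chosen for illustration, and the columns used are standard Advanced Hunting schema columns.

```kql
// Added example, not from the original post. Joins MDO and MDE lake-tier tables.
// Assumption: both tables are lake-tier with retention >= 180 days.
let lookback = 180d;
let correlation_window = 1h;   // illustrative: connections within 1h of the click
// Email side: clicks on URLs that Defender for Office 365 assigned a threat verdict
let risky_clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(ThreatTypes)
    | extend ClickHost = tolower(tostring(parse_url(Url).Host))
    // Heuristic: compare the UPN prefix with the endpoint account name
    | extend AccountPrefix = tolower(tostring(split(AccountUpn, "@")[0]))
    | project ClickTime = Timestamp, AccountUpn, AccountPrefix, Url, ClickHost,
              ThreatTypes, ActionType, IsClickedThrough, NetworkMessageId;
// Endpoint side: outbound connections with a recorded remote URL or hostname
let device_connections =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(RemoteUrl)
    // RemoteUrl may be a bare hostname or a full URL; normalise to a host
    | extend ConnHost = tolower(tostring(parse_url(
          iff(RemoteUrl startswith "http", RemoteUrl, strcat("http://", RemoteUrl))).Host))
    | extend ConnAccount = tolower(InitiatingProcessAccountName)
    | project ConnTime = Timestamp, DeviceName, ConnAccount,
              InitiatingProcessFileName, RemoteIP, RemotePort, ConnHost;
risky_clicks
| join kind=inner device_connections on $left.ClickHost == $right.ConnHost
| where ConnTime between (ClickTime .. (ClickTime + correlation_window))
| where AccountPrefix == ConnAccount
| summarize Connections = count(),
            FirstConnection = min(ConnTime),
            Processes = make_set(InitiatingProcessFileName, 5),
            RemoteIPs = make_set(RemoteIP, 5)
    by ClickTime, AccountUpn, DeviceName, ClickHost, ThreatTypes, ActionType,
       IsClickedThrough, NetworkMessageId
| order by FirstConnection desc
```

Rows where ActionType shows the click was blocked but a matching connection still appears are the ones worth a closer look, since they suggest the user reached the host through a path the email protection did not cover; the NetworkMessageId column ties each result back to the originating message in EmailEvents for further pivoting.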

Flexible Architecture for Modern Security Teams

Lake‑only ingestion supports a layered security architecture, where:

  • Workspaces remain optimized for real‑time detection and SOC workflows
  • The data lake serves as the cost-effective and durable system for security telemetry

Users can choose the right level of ingestion depending on operational needs, without duplicating data paths or cost.

Designed to Work with Existing Sentinel and XDR Experiences

This GA release builds on Microsoft Sentinel’s ongoing investment in unified data configuration and management:

  • Native integration with Microsoft Defender XDR Advanced Hunting schemas
  • Alignment with existing Sentinel data lake query and exploration experiences
  • Consistent management alongside other first‑party and third‑party data sources
  • Consistent experiences within the Defender Portal

No changes are required to existing Defender deployments to begin using lake‑only ingestion.

Get started

To learn more about Microsoft Sentinel Data Lake and managing Defender XDR data within Sentinel, visit the Microsoft Sentinel documentation and explore how lake‑based analytics can complement your existing security operations. We look forward to seeing how users apply this capability to explore new detection strategies, perform deeper investigations, and build long‑term security habits.

Updated Feb 10, 2026
Version 2.0