Forum Discussion

veesamprabhukiran
Dec 29, 2025

Ingesting Windows Security Events into Custom Datalake Tables Without Using Microsoft‑Prefixed Table


Hi everyone,


I’m looking to see whether there is a supported method to ingest Windows Security Events into custom Microsoft Sentinel Data Lake–tiered tables (for example, SecurityEvents_CL) without writing to or modifying the Microsoft‑prefixed analytical tables.

Essentially, I want to route these events directly into custom tables only, bypassing the default Microsoft‑managed tables entirely.

Has anyone implemented this, or is there a recommended approach?

Thanks in advance for any guidance.


Best Regards,

Prabhu Kiran

1 Reply

  • Today, there isn’t a supported way to take the built-in Windows Security Events connector path and “write only to a custom _CL table” while completely bypassing the Microsoft-managed SecurityEvent/SecurityEvents tables.

    Why

    • Windows Security Events ingestion (via AMA/DCR through Sentinel’s connector) is designed to land in the Microsoft schema tables (SecurityEvent / SecurityEvents). That’s how Microsoft’s detections, parsers, workbooks, and solutions expect to find the data. (Microsoft Learn)
    • Sentinel’s data lake / tiering is about where the data is stored and how long (analytics vs data lake tiers), not about renaming or replacing Microsoft tables with custom ones. (Microsoft Learn)
    • In practice, the “route only to a custom table” requirement conflicts with the connector model. This exact question has come up in the Sentinel community as well. (TECHCOMMUNITY.MICROSOFT.COM)

    What you can do instead

    1. Keep using the Microsoft table, but change tier/retention
      If your goal is cost/retention and not table naming, use Sentinel table tiering (analytics vs data lake where supported) on the Microsoft table(s) rather than creating a parallel custom table. (Microsoft Learn)
    2. Duplicate into a custom table (but you won’t bypass the Microsoft table)
      If you absolutely need a custom _CL table for downstream lake use-cases, the realistic pattern is:
    • Ingest via the supported connector into the Microsoft table
    • Then copy/transform into a custom table for your own purposes
      This gives you the custom table, but it does not bypass the Microsoft table.
    3. Build a fully custom ingestion pipeline (bypasses Microsoft tables, but you lose native content)
      If “custom table only” is a hard requirement, you’d be looking at a custom collection route (e.g., ship events elsewhere, then ingest as custom logs). That can work technically, but:
    • You must design/maintain schema and parsing
    • You’ll lose out-of-the-box Sentinel detections/content that expect SecurityEvent/SecurityEvents

    Bottom line

    • Supported: Ingest Windows Security Events into Microsoft tables; manage cost/retention with tiers/retention controls. (Microsoft Learn)
    • Not supported as a standard feature: “Only custom _CL table, no Microsoft-prefixed table at all” using the Windows Security Events connector path. (TECHCOMMUNITY.MICROSOFT.COM)
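Option 2 in the reply above (copy/transform out of the Microsoft SecurityEvent table into your own _CL table) in working form, as an added example that is not from the thread or from Microsoft. It assumes a DCR with a custom stream named Custom-SecurityEvents_CL whose columns match CUSTOM_SCHEMA, a DCE/DCR endpoint URL, and the azure-monitor-ingestion and azure-identity packages when upload() is actually called; the source rows are constructed sample data. The point it makes concrete is the cost named in option 3: once the table is yours, schema and type checking are yours too.

```python
from datetime import datetime, timezone
from typing import Optional

# Columns of the custom table you own and must maintain (assumed schema,
# chosen for this example; it is not a Microsoft-defined stream).
CUSTOM_SCHEMA = {
    "TimeGenerated": str, "Computer": str, "EventID": int,
    "Account": str, "Activity": str, "LogonType": int,
}

# Constructed SecurityEvent rows, not real telemetry.
SAMPLE_SECURITY_EVENTS = [
    {"TimeGenerated": datetime(2025, 12, 29, 8, 0, tzinfo=timezone.utc),
     "Computer": "HOST01", "EventID": 4624, "Account": "CORP\\alice",
     "Activity": "4624 - An account was successfully logged on.",
     "LogonType": 3, "SubjectUserSid": "S-1-5-18"},  # extra column: dropped
    {"TimeGenerated": "2025-12-29T08:01:00Z", "Computer": "HOST02",
     "EventID": "4625", "Account": "CORP\\bob", "LogonType": "n/a"},  # bad type
    {"Computer": "HOST03", "Account": "x"},  # no TimeGenerated/EventID: dropped
]

def to_custom_row(ev: dict) -> Optional[dict]:
    """Project one SecurityEvent row onto CUSTOM_SCHEMA; None if unusable."""
    if "TimeGenerated" not in ev or "EventID" not in ev:
        return None  # the Microsoft table guarantees these; here we must check
    ts = ev["TimeGenerated"]
    if isinstance(ts, datetime):  # Logs Ingestion API wants ISO 8601 strings
        ts = ts.astimezone(timezone.utc).isoformat()
    row = {"TimeGenerated": ts}
    for col, typ in CUSTOM_SCHEMA.items():
        if col == "TimeGenerated":
            continue
        val = ev.get(col)
        try:
            row[col] = typ(val) if val not in (None, "") else None
        except (TypeError, ValueError):
            row[col] = None  # keep the row; never fail the whole batch
    return row

def transform(rows: list) -> list:
    """Rows ready for the custom stream; unusable source rows are skipped."""
    return [r for r in map(to_custom_row, rows) if r is not None]

def upload(endpoint: str, rule_id: str, rows: list,
           stream: str = "Custom-SecurityEvents_CL") -> None:
    """Send transformed rows via the Logs Ingestion API (needs Azure SDKs)."""
    from azure.identity import DefaultAzureCredential
    from azure.monitor.ingestion import LogsIngestionClient
    client = LogsIngestionClient(endpoint, DefaultAzureCredential())
    client.upload(rule_id=rule_id, stream_name=stream, logs=rows)
```

Schedule transform() over a LogsQueryClient result set (or a Sentinel job export) and call upload() with your DCE endpoint and DCR immutable ID; the SecurityEvent table is still written by the connector, exactly as the reply says.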
