A built-in, per-table insights view that finally tells you which data connectors went quiet and which ones are doing exactly what you onboarded them to do.
What it is
Table insights is a new panel on the Sentinel Tables page that gives you 30-day ingestion volume per tier, day-over-week fluctuations, the top 5 tables by volume, last-data-received per table, an estimated daily cost, and a volume anomaly indicator.
Who benefits: SOC engineers chasing silent data connectors, platform owners chasing cost spikes, FinOps teams chasing chargeback clarity — all from the same screen.
Why these matter
Every Sentinel customer I talk to has the same two recurring incidents.
"A third-party data connector stopped sending data three days ago and nobody noticed until a hunt came up empty."
Both incidents share a root cause: until now, table-level health lived in a workbook you had to remember to open, a Usage KQL you had to remember to write, or a SentinelHealth alert someone had to remember to configure. In a workspace with 500+ tables and a mix of Microsoft 1st-party data connectors, third-party data connectors, custom logs, and data-lake tables, that's a lot of remembering.
Table insights flips the model. It puts the answer on the same page where you already manage tiers and retention, so the next time you open the Tables page to right-size a Lake-tier table, the data connector that went silent at 3 a.m. is already staring at you.
Try it today
Open the Defender portal → Microsoft Sentinel → Configuration → Tables and expand the Table insights panel.
Figure 1: Table insights panel
What's new on the Tables page
- Ingestion volume per tier - Analytics vs. Lake split for the last 30 days. The first time you see Lake tier exceeding Analytics, you'll know the data-lake migration is working.
- Table ingestion fluctuations - tables whose last-24h volume differs from the same day last week beyond a threshold (default 10% and 1 MB).
- Top 5 tables by daily ingestion volume - 30-day trend. The line that looks like a heart-rate monitor is the one your FinOps lead wants to talk about.
- Last data received column - how recently each table received data.
- Volume anomaly column - signed percentage change versus baseline, right next to the table name.
- Data sources - click on table details to open side panels for data sources.
Who wins, and how
| Persona | Pain today | Win with Table insights |
| --- | --- | --- |
| SOC engineer | Detections silently degrade when a third-party data connector stops sending - you only notice when an incident is missed. | Spot the drop in "Last data received" or a -100% fluctuation before the next shift report. |
| Data Connector onboarding lead | "Did the new data connector light up?" takes a KQL query and a workbook hunt. | One glance at the Tables page confirms the destination table, tier, and last-received timestamp. |
How I'd actually use it
- Baseline - Open the Tables page, filter by Tier = Analytics, sort by Avg. daily ingestion descending.
- Triage silent data connectors - Sort by Last data received ascending.
- Tier review - For every table above a few GB/day with low SOC query usage, evaluate moving it to Auxiliary or Lake tier. The Est. daily ingestion cost column makes the business case for you.
- Wire up alerts - Convert the fluctuations card into a scheduled analytics rule on SentinelHealth, so the next "-100%" row pages someone instead of waiting for the morning standup.
- Share the screenshot - Drop the ingestion volume per tier card into your monthly business review.
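One way to express the fluctuation check as a query that a scheduled rule could run, as an added example that is not from the original post and not the panel's own logic. It assumes the Log Analytics Usage table (Quantity in MB per DataType) as the volume source rather than SentinelHealth, and it reads the default threshold as requiring both a 10% and a 1 MB change.

```kql
// Added example: week-over-week ingestion fluctuation per table.
// Assumption: volume is read from the Usage table (Quantity is in MB).
let pctThreshold = 10.0;        // percent change, per the default quoted above
let mbThreshold = 1.0;          // absolute change in MB
let windowEnd = bin(now(), 1h); // align both windows to whole hours
let current = Usage
    | where TimeGenerated >= windowEnd - 1d and TimeGenerated < windowEnd
    | summarize CurrentMB = sum(Quantity) by DataType;
let baseline = Usage
    | where TimeGenerated >= windowEnd - 8d and TimeGenerated < windowEnd - 7d
    | summarize BaselineMB = sum(Quantity) by DataType;
baseline
// fullouter keeps tables that went silent (no current rows)
// and tables that are new this week (no baseline rows).
| join kind=fullouter current on DataType
| extend Table = coalesce(DataType, DataType1)
| extend BaselineMB = coalesce(BaselineMB, 0.0), CurrentMB = coalesce(CurrentMB, 0.0)
| extend DeltaMB = CurrentMB - BaselineMB
// A table with no baseline has no meaningful percentage; keep it as null.
| extend ChangePct = iff(BaselineMB == 0, real(null), round(100.0 * DeltaMB / BaselineMB, 1))
| where abs(DeltaMB) >= mbThreshold
| where isnull(ChangePct) or abs(ChangePct) >= pctThreshold
| extend Silent = CurrentMB == 0 and BaselineMB > 0   // the "-100%" row
| project Table, BaselineMB, CurrentMB, DeltaMB, ChangePct, Silent
| order by Silent desc, ChangePct asc
```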
Honest caveats
- Fluctuations only compare the last 24h to the same day last week.
- Cost numbers are estimates. They're great for relative comparisons, not invoice forecasting.
- Volume anomaly is most accurate on Analytics-tier tables today. Lake/Auxiliary anomalies will catch up in features soon.
- The grid shows the table; for third-party data connectors you'll still cross-reference the Tables-to-connectors mapping page to find the upstream data connector.
- Table insights is a visualization. If you want to be paged, build the SentinelHealth analytics rule.