You can make a Security Data Lake with Microsoft Sentinel and Azure Data Explorer. This helps you store and study a lot of security data. You can keep more data for a longer time. It helps you find threats better and do deeper investigations. Azure Data Explorer lets you pay for what you use. It can grow to handle more data, so storing logs costs less. Tools like Spl1tR and Elastic Logstash change and move logs from many places. This makes your work easier. IT and security workers get better views of data, faster actions, and stronger control over data.

Key Takeaways

• Microsoft Sentinel and Azure Data Explorer help you make a Security Data Lake. This lets you store and look at lots of security data fast.

• Set up your environment with care. Give the right permissions. Make workspaces. Connect data sources. This helps you collect logs from many places.

• Use Azure Data Explorer and Kusto Query Language (KQL) to search your security data. You can look into and study the data quickly and deeply.

• Manage your data with clear rules for keeping it. Use tiering options to save money. You can still get important logs fast to find threats.

• Use Microsoft Sentinel’s rules and playbooks to handle alerts and responses automatically. This helps your security team work better and not get too many alerts.

Prerequisites

You need to get ready before making your Security Data Lake with Microsoft Sentinel and Azure Data Explorer. You must have the right permissions. You also need an Azure subscription that works. Your setup should be planned well.

Permissions

You need special roles to use and manage your Security Data Lake. The table below lists what permissions you need for each job:

Tip: Give roles to people based on what they do. Use Azure RBAC to control who can do what.

Subscriptions

You need an Azure subscription and a resource group. These help you pay and manage your data lake. You must be the owner of the subscription to set up billing and start the data lake. You can use a current Microsoft Sentinel SIEM subscription or make a new one. It is important who owns the subscription and if it already exists. Any Azure subscription type is fine, like Pay-As-You-Go or Enterprise Agreement.

• Put your Sentinel workspaces in the same region as your main tenant region.

• You need read rights to link workspaces to the data lake.

Environment Setup

Do these steps to get your environment ready:

1. Make a Log Analytics workspace in the Azure Portal.

2. Turn on Azure Security Center and connect it to your workspace.

3. Add Microsoft Cloud App Security and Defender ATP.

4. Link Microsoft Sentinel to your Log Analytics workspace.

5. Turn on data connectors to collect logs.

6. Enable Fusion to help stop alert overload.

7. Set up dashboards, notebooks, and queries to watch your data.

Note: Plan your workspace and roles before you start. Check and adjust security rules and alerts for your needs.

Security Data Lake Setup

Enable Data Lake

You can turn on your Security Data Lake in Microsoft Sentinel by following some easy steps. This setup lets you keep all your security data in one place. It helps you manage your data better.

1. Put your Microsoft Sentinel workspaces in your main region. Only workspaces in this area can join the Security Data Lake.

2. Make sure you can read all workspaces you want to add.

3. Go to the Defender XDR portal. Click on System > Settings > Microsoft Sentinel > Data lake.

4. Start by clicking “Set up Microsoft Sentinel data lake.”

5. If you do not have what you need, the portal will tell you. Make sure Sentinel is linked to Defender with SIEM workspaces.

6. When you are ready, click “Start setup” to open the wizard.

7. In the wizard, pick your Azure subscription and resource group. Set up billing and cost controls for the Security Data Lake.

8. Look at your workspace features. If you use search jobs or keep data for a long time, billing will change to data lake meters.

9. Finish the wizard and click “Set up data lake.” It may take up to one hour to finish.

10. When it is done, you will see a message on the Defender XDR homepage.

11. The system makes a managed identity with Azure Reader rights for your subscriptions.

12. A workspace called "default" will show up. You can use it to look at and store your first logs.

Tip: Use one platform to make things simple and save money. This way, you get one place to search and your Security Data Lake is easier to take care of.

Connect Data Sources

Connecting data sources to your Security Data Lake lets you gather logs from many places. You can use built-in connectors, agent connectors, or make your own.

• Microsoft Sentinel can connect to Microsoft cloud services like Microsoft 365 Defender, Azure Activity, Azure Active Directory, Office 365, and Microsoft Defender for Cloud.

• You can also link outside security tools, network devices, and app logs.

• Use agent connectors like Syslog or CEF for devices at your site.

• Service-to-service connectors work for Microsoft and AWS services.

• If you need more options, make custom connectors with APIs, Azure functions, or Logstash.

To connect a new data source, follow these steps:

1. Make sure you can read and write in your Sentinel workspace.

2. Add the needed solution with the data connector from the Content Hub in Sentinel.

3. In the Defender or Azure portal, go to Microsoft Sentinel > Configurations > Data connectors.

4. Search for your connector. If you do not see it, check if the solution is added.

5. Open the connector page and look at what you need first.

6. Finish the setup steps for the connector to let it bring in data.

7. Pick where to keep your data. Choose the analytics tier, data lake tier, or both.

8. Use the Table management page in Defender to set how long to keep data in each tier.

9. Save your changes.

10. Wait about 90 to 120 minutes for your data to show up in the Security Data Lake.

11. You can search your data using Advanced hunting in Defender, Logs in Azure, or Data lake explorer with KQL.

Note: Start with Microsoft cloud logs for a wide view and to save money. Pick and sort connectors to help with costs and speed.

Integrate Data Explorer

Azure Data Explorer (ADX) gives you strong tools to look at data in your Security Data Lake. You can run fast searches, look at old logs, and use smart analytics.

• Use Kusto Query Language (KQL) in ADX to search and study your security data.

• Connect ADX to your Security Data Lake with this link: https://api.securityplatform.microsoft.com/lake/kql.

• Get to data lake tables with the external_table() function. For example:

external_table("microsoft.entra.id.AADRiskyUsers") | take 100

• The query editor in ADX helps you write queries with hints and auto-complete.

• You can make jobs to move data from the data lake tier to the analytics tier for faster work.

• ADX lets you keep data for up to 12 years. You can check old incidents.

• Storage and compute are separate, so you can add more power when you need it.

• Use Jupyter notebooks in ADX for machine learning and deep analytics on your security data.

• Auditing tools show who looks at data and runs searches. This helps you follow rules.

Tip: Use KQL best practices to make your searches faster and better. Connect ADX with Microsoft Sentinel workflows for smooth security work.

Data Management

Retention

You need strong rules for keeping data in your Security Data Lake. First, set clear times for how long to keep each log. Make sure these times match your business needs and laws like HIPAA, GDPR, or CCPA. Use automatic tools to delete old data so you make fewer mistakes. Protect important logs with special access controls and encryption. Turn on audit trails to see who looks at or changes data. Check your rules often to follow new laws and business needs. This helps you avoid legal trouble and keeps your data lake easy to manage.

Tip: Use metadata and data classification to help with retention rules. This makes it easier to find and handle important logs.

With Microsoft Sentinel Data Lake, you can keep security data for up to 12 years. You pay less than with old log storage. This helps you meet audit needs and control costs.

Tiering

You can sort your logs into different groups to save money and get faster results. Put important logs, like sign-in failures or malware alerts, in the hot group for quick access and alerts. Store lots of logs, like DNS queries or firewall logs, in the cold group to save money. Use scheduled KQL jobs to move key findings from cold to hot group. Filter searches by indexed fields and short time ranges to make them faster. Spark notebooks help you study big sets of data. Make summary tables for reports to speed up searches. Watch your usage and costs often. Change your groups as your needs change.

Note: Change tiering and retention settings in the Defender portal. Decide which data needs fast checks and which can be saved for later.

Transformation Tools

You can use different tools to change logs before storing them in Microsoft Sentinel. Data Collection Rules (DCRs) let you filter, enrich, and fix logs when they come in. You can share DCRs with many connectors and sources. The Logs ingestion API lets you control custom log formats and tables. Workspace Transformation DCRs change supported tables when logs come in. These tools use Kusto Query Language (KQL) for changes. You can hide sensitive data, save money by removing extra logs, and add details for better study.

Tip: Use transformation tools to save money and make your analytics better. Remove extra logs and add helpful columns for deeper insights.

Analytics and Cost

Query Data

You can use Kusto Query Language (KQL) in Azure Data Explorer to look at your security data. KQL helps you find patterns and threats in big sets of data. It only lets you read data, not change it. Start by using the where clause to pick logs you want. Operators like in, notin, has, and contains help you make your search smaller. Use the project operator to choose just the columns you need. The summarize operator lets you group and count results fast. You can link these steps with pipes (|) to make strong queries. The let statement helps you split big queries into small parts. This makes them easier to read and use again.

Common ways to use KQL are:

1. Look into incidents with old logs to see what happened.

2. Find strange actions by making baselines from past data.

3. Add more details to investigations with lots of logs in the data lake.

4. Search old data and change your rules to fight new threats.

5. Check asset and identity data to connect clues in your investigations.

Tip: KQL has easy syntax so you can learn and run queries fast. This helps you find threats and study logs right away.

Alerting

You can make analytics rules in Microsoft Sentinel to spot threats and send alerts. Start by writing KQL queries that fit your data sources. Pick how alerts group into incidents—by matching all entities, by rule, or by chosen details. Change the grouping time to decide how long alerts stay together. Use suppression to pause rules after an alert happens. This helps cut down on extra alerts. Test your rules with current data to make sure they work before you turn them on.

Automation rules help you handle alerts and incidents. You can give out tasks, tag, sort, or close incidents by themselves. Playbooks let you make complex responses, like sending messages or updating tickets. Automation saves time and helps your security team work better.

Cost Optimization

You can save money by picking the best storage tier for each log type. Keep important logs, like sign-ins and alerts, in the Analytics tier for quick access. Put lots of logs, like network or infrastructure logs, in the Data Lake tier to save money. Move old data from Analytics to Data Lake to lower costs for keeping data. Use data collection rules to block logs you do not need before they come in. Buy commit units ahead of time for savings if you use a steady amount.

Note: If you send lots of low-urgency logs to the Data Lake tier, you can cut storage costs by up to 85%. This lets you keep more data for longer and still react fast to threats.

You can make a Security Data Lake by following easy steps. First, connect your data sources. Next, set up ways to manage your data. Use Kusto Query Language to study your data. Notebooks help you look at data in smart ways. Always use good rules to keep data safe. Protect your data with encryption. Give people access based on their jobs. Try open-source platforms like HDInsight or Apache Spark to learn more. To grow, use tools that find threats automatically. Use AI to get smart ideas and keep your security strong.

FAQ

How do you choose which logs to store in the Security Data Lake?

First, make a list of your log sources. Put important logs, like sign-in attempts and alerts, in the Analytics tier. Move big logs, like firewall or DNS logs, to the Data Lake tier. Check your needs often to make sure you store the right logs.

Can you use open-source tools with Microsoft Sentinel Data Lake?

Yes, you can use tools like Spl1tR and Elastic Logstash. These tools help you change and send logs from many places. They work with Microsoft Sentinel and Azure Data Explorer.

What is the best way to control costs in your Security Data Lake?

Set clear rules for how long to keep logs. Use Data Collection Rules to block logs you do not need. Keep only important logs in the Analytics tier. Put lots of logs in the Data Lake tier. Watch your usage and change settings when needed.

How do you search for old security incidents in Azure Data Explorer?

Use Kusto Query Language (KQL) in Azure Data Explorer. Write queries to pick logs by date, event type, or user. The external_table() function helps you get old logs from the Data Lake.

Is it possible to automate responses to security alerts?

Yes. Make automation rules and playbooks in Microsoft Sentinel. These tools let you give out, tag, or close incidents by themselves. You can also set actions like sending emails or updating tickets.