Onboarding your tenant to the Microsoft Sentinel data lake occurs once and starts from the Microsoft Defender portal. The onboarding process creates a new Microsoft Sentinel data lake for your tenant in the subscription that you specify during onboarding. Graph enablement is included as part of onboarding. If you onboarded to the data lake during public preview, you're automatically upgraded to the generally available data lake and the graph public preview.
Note
You'll always have one data lake that you can use with multiple Microsoft Security products. During onboarding, we check for and automatically use your existing data lake. When you ingest and store security data in your data lake, this data can be used with multiple Microsoft Security products.
Use the following steps to onboard to the Microsoft Sentinel data lake from the Defender portal:
1. Sign in to your Defender portal at https://security.microsoft.com.
2. A banner appears at the top of the page, indicating that you can onboard to the Microsoft Sentinel data lake. Select Get started.

   Note
   If you accidentally close the banner, you can initiate onboarding by navigating to the data lake settings page under System > Settings > Microsoft Sentinel > Data lake.
3. If you don't have the correct roles to set up the data lake, a side panel appears indicating that you don't have the required permissions. Request that your administrator completes the onboarding process.
4. If you have the required permissions, a setup side panel appears. Select the Subscription and Resource group to enable billing for the Microsoft Sentinel data lake. Select Set up data lake.

   Note
   After the data lake is provisioned for a specific Azure subscription and resource group, it can't be migrated to a different subscription or resource group.
5. The setup process begins and a setup side panel is displayed. The onboarding process can take up to 60 minutes to complete. You can close the setup panel while the process is running.
6. While the setup process is running, a banner is displayed on the Defender portal home page. You can select View setup details to reopen the panel to check progress.
7. Once the onboarding process is complete, a new banner is shown containing information cards on how to start using the new data lake experiences. For example, select Hunt for latent threats with graphs to open a threat hunting experience that employs interactive graphs to proactively find threats and sources of risk. Select Query data lake to open the data lake exploration KQL queries editor. KQL queries are a new feature in the Defender portal that allows you to explore and analyze data in the Microsoft Sentinel data lake using KQL. For more information, see Data lake exploration, KQL queries.
Troubleshooting
If you encounter any issues during the setup process, see the following troubleshooting tips:
- Ensure that you have the required role to onboard to the Microsoft Sentinel data lake.
- Verify that your selected subscription and resource group are valid and accessible.
- Verify that your Azure policies allow the creation of new resources to enable your Microsoft Sentinel data lake.
- Data for newly enabled tables, or tables that have moved between tiers, is available 90 to 120 minutes after the onboarding process is complete.
The following are errors that you might encounter during the onboarding process.
DL102
- Error: Can’t complete setup.
- Description: There’s a lack of Azure resources in the region at the time of provisioning.
- Resolution: Select the retry button to start the setup again.
DL103
- Error: Can’t complete setup.
- Description: There are policies enabled that prevent the creation of the Azure managed resources needed to enable the data lake.
- Resolution: Check your Azure policies to allow for creation of Azure managed resources.