Listen to this Post

Introduction
Managing security data across Microsoft Defender XDR and Microsoft Sentinel is critical for effective threat hunting, compliance, and incident response. Recent enhancements in retention and tiering controls now offer unprecedented flexibility, allowing security teams to balance cost, performance, and long‑term data storage. This guide explores how to leverage these new capabilities to retain threat intelligence for up to 12 years, optimize costs, and ensure seamless data flow between Defender XDR and Sentinel.
Learning Objectives
- Understand the default retention and tiering models in Defender XDR and Sentinel.
- Learn how to extend data retention beyond 30 days and enable the Sentinel XDR connector.
- Configure cost‑effective data lake‑only ingestion and manage table settings through the Defender portal.
- Gain hands‑on experience with KQL queries, PowerShell, and Azure CLI to verify and control data ingestion.
You Should Know
1. Understanding Defender XDR Data Retention and Tiers
By default, Microsoft Defender XDR retains threat hunting data for 30 days in the XDR default tier. This data is not automatically sent to the Sentinel analytics tier or the data lake. The latest updates introduce two primary storage tiers:
– Analytics tier: Used for interactive queries and alerts in Sentinel.
– Data lake tier: A low‑cost storage option for long‑term retention, suitable for compliance and occasional investigations.
When you extend retention for supported XDR tables beyond 30 days, they are automatically created in the Sentinel workspace’s analytics tier and mirrored to the data lake.
Step‑by‑step: Verify Current Retention Settings
- Open the Microsoft Defender portal (https://security.microsoft.com).
- Navigate to Settings > Microsoft Defender XDR > Retention.
- Review the list of tables and their current retention periods.
- To check retention in Sentinel using KQL, run the following query in the Sentinel Log Analytics workspace:
Usage | where TimeGenerated > ago(7d) | where IsBillable == true | summarize TotalVolumeGB = sum(Quantity) by DataType | sort by TotalVolumeGB desc
This helps identify which tables are ingesting data and their volume.
2. Enabling the Microsoft Sentinel XDR Connector
The Sentinel XDR connector allows direct ingestion of selected Defender XDR tables into the analytics tier, with automatic mirroring to the data lake. This enables advanced hunting, analytics rules, and long‑term retention (up to 12 years).
Step‑by‑step: Enable and Configure the Connector
- In the Azure portal, go to Microsoft Sentinel > your workspace > Data connectors.
2. Search for and select Microsoft Defender XDR.
3. Click Open connector page.
- Under Configuration, select the tables you wish to ingest (e.g., DeviceEvents, IdentityLogonEvents).
5. Click Apply Changes.
- Verify ingestion by running a KQL query in Sentinel:
DeviceEvents | take 10
If data appears, the connector is working.
PowerShell alternative – List all installed data connectors:
Connect-AzAccount
Select-AzSubscription -SubscriptionId "your-subscription-id"
Get-AzOperationalInsightsDataSource -ResourceGroupName "your-rg" -WorkspaceName "your-workspace" | Where-Object {$_.Kind -eq "MicrosoftDefenderXDR"}
3. Extending Data Retention Beyond 30 Days
If a table was not initially selected during connector setup, you can still extend its retention to more than 30 days directly from the Defender portal. Once extended, the table will automatically start ingesting into Sentinel.
Step‑by‑step: Extend Retention for a Table
- In the Microsoft Defender portal, go to Settings > Microsoft Defender XDR > Retention.
- Find the table you want to extend (e.g., DeviceFileEvents).
- Under Analytics retention, set a value greater than 30 days (e.g., 180 days).
- Save the changes. The table will now appear in your Sentinel workspace and begin ingesting historical data.
5. Confirm by querying the table in Sentinel:
DeviceFileEvents | where TimeGenerated > ago(60d) | summarize count() by bin(TimeGenerated, 1d)
Note: The total retention (analytics + data lake) can be configured up to 12 years. The data lake tier retains data at a lower cost, while the analytics tier supports fast queries.
4. Configuring Data Lake‑Only Ingestion
For organizations that need long‑term data storage but want to avoid analytics tier costs, data lake‑only ingestion is now supported. This sends data directly to the data lake tier without populating the analytics tier.
Step‑by‑step: Set Up Data Lake‑Only Ingestion
- In the Microsoft Defender portal, navigate to Settings > Microsoft Defender XDR > Retention.
- For the desired table, choose the Data lake only option under Ingestion mode.
- Set the total retention period (e.g., 365 days).
- Save the configuration. Data will now flow only to the data lake.
Verify using Azure CLI – Check diagnostic settings to ensure data is routed correctly:
az monitor diagnostic-settings show --name "defenderXDRToDataLake" --resource /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{workspace}
Use case: Ideal for compliance archives where interactive querying is not required. You can still query data lake data using Azure Data Explorer or by temporarily restoring it to the analytics tier.
5. Managing Table Settings via Defender Portal
The built‑in table management experience in the Defender portal centralizes retention and ingestion controls, making it easy to adjust settings without leaving the security interface.
Step‑by‑step: Manage Table Settings
- In the Microsoft Defender portal, go to Settings > Microsoft Defender XDR > Table management.
- View all supported tables, their current retention, ingestion mode, and cost estimates.
3. Click on a table to modify:
- Analytics retention: Set the number of days for fast‑query storage.
- Total retention: Define the overall retention period (analytics + data lake).
- Ingestion mode: Switch between analytics + data lake or data lake only.
- After changes, monitor cost impact in Cost Management under the same section.
KQL to estimate costs per table:
Usage | where TimeGenerated >= startofday(ago(30d)) | summarize BillableDataGB = sum(Quantity) by DataType | render piechart
6. Stopping Ingestion and Resetting Retention
To stop ingestion of a specific table or disable the entire connector, simply reset the analytics and total retention back to 30 days. This effectively disables the connector and stops data flow.
Step‑by‑step: Stop Ingestion
- In the Microsoft Defender portal, go to Settings > Microsoft Defender XDR > Retention.
- For each table you want to stop, set both Analytics retention and Total retention to 30 days.
- Save changes. The connector will be disabled, and no new data will be ingested.
- Verify by checking the Sentinel connector page – the tables should no longer appear as connected.
PowerShell to disable the entire connector:
Remove-AzOperationalInsightsDataSource -ResourceGroupName "your-rg" -WorkspaceName "your-workspace" -Name "MicrosoftDefenderXDR" -Force
Caution: This action is irreversible and will delete all data older than 30 days from the workspace. Ensure you have exported any required data beforehand.
7. Direct Ingestion of MDO and MDA Data
The latest updates also support direct ingestion of Microsoft Defender for Office (MDO) and Microsoft Defender for Identity (MDA) data into Sentinel, either through the analytics tier or data lake.
Step‑by‑step: Ingest MDO Data
- In the Microsoft Defender portal, go to Settings > Microsoft Defender XDR > Retention.
- Locate tables such as
EmailEvents,EmailUrlInfo, orIdentityLogonEvents. - Configure retention and ingestion mode as described in previous sections.
- For MDO specifically, ensure that Audit Logs are enabled in Office 365 (via Compliance Center).
- In Sentinel, use the following KQL to query MDO data:
EmailEvents | where Timestamp > ago(7d) | summarize Threats = count() by ThreatTypes
MDA Data – Similarly, `IdentityLogonEvents` and `IdentityQueryEvents` provide identity‑based threat intelligence. Enable these tables to enrich your Sentinel detections.
What Undercode Say
- Flexibility is key: The new retention and tiering options empower security teams to tailor data storage to their specific needs—whether for rapid threat hunting, compliance, or cost savings.
- Cost optimization without compromise: By using data lake‑only ingestion, organizations can retain years of security data for compliance while keeping analytics costs predictable.
- Centralized management: The Defender portal’s table management interface simplifies what used to be a complex, multi‑tool process, reducing administrative overhead.
- Integration depth: Direct ingestion of MDO and MDA data closes gaps in visibility, ensuring that email and identity threats are as huntable as endpoint and network data.
- Future‑proofing: With up to 12 years of retention, these capabilities align with long‑term regulatory requirements and advanced threat research needs.
Analysis
Microsoft’s move to unify data management across Defender XDR and Sentinel reflects a broader trend toward integrated security platforms. By decoupling analytics from long‑term storage, they address the perennial challenge of balancing security needs with budget constraints. Security teams can now adopt a tiered approach—using fast analytics for active threats and cheap storage for historical investigation—without sacrificing visibility. This also opens the door for machine learning models to train on years of telemetry, improving detection accuracy. However, administrators must carefully plan retention policies to avoid unexpected costs and ensure that critical tables are not inadvertently excluded. The new capabilities also hint at future integrations where third‑party data sources could be ingested into the same data lake, creating a unified security data fabric.
Prediction
As cloud‑native SIEM solutions mature, we will see a convergence of XDR and SIEM into a single, unified platform. Microsoft is already leading this charge by embedding Sentinel capabilities directly into Defender. In the next 12–24 months, expect deeper automation—such as AI‑driven retention recommendations and automated tiering based on threat intelligence. Additionally, data lake technologies will become the default for all security data, with on‑demand querying that rivals current analytics tiers. This will democratize long‑term threat hunting for organizations of all sizes, making advanced persistent threat detection more accessible. Finally, regulatory pressures will likely mandate longer retention periods, making these flexible, cost‑effective storage options not just convenient but essential for compliance.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Uros Babic – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


