Still Refreshing My Portal...
Microsoft announced the Sentinel Data Lake preview yesterday. Like any eager security engineer, I immediately logged into our Defender portal to check it out.
Nothing. No Data Lake option. Just me hitting refresh like it's Black Friday.
While I wait for access, let's talk about what this means for those of us managing multiple client environments—especially since auxiliary logs might be going away.
What Microsoft Announced
According to their various announcements:
The Promising Stuff:
- One place for all security data (finally!)
- 10-year retention without breaking the bank
- Ask Copilot questions in plain English
- Up to 40% cost savings (we'll see...)
The Worrying Stuff:
- No mention of what happens to auxiliary logs
- Vague migration timelines
- Zero details on multi-tenant scenarios
Let's Talk About Auxiliary Logs
If you're managing Sentinel for multiple clients, you know auxiliary logs are a lifesaver:
- Dirt cheap for compliance storage
- 2-year retention that doesn't hurt
- Still queryable when auditors come knocking
But here's what keeps me up at night: the Data Lake seems designed to replace our current tiering system. No auxiliary tier mentioned anywhere.
My Real Concerns
The Cost Question
Here's a quick KQL to check your exposure:
// How much are you saving with auxiliary logs?
// Usage.Quantity is reported in MB, so dividing by 1024 gives GB.
// The per-GB rates below are the ones I use for rough planning; swap in your contract rates.
Usage
| where IsBillable == true
| where DataType contains "Basic" or DataType contains "Archive"
| summarize TotalGB = sum(Quantity) / 1024 by DataType
| extend CurrentMonthlyCost = TotalGB * 0.025
| extend IfAnalyticsCost = TotalGB * 0.30 // Ouch
The Multi-Client Mess
I manage environments for multiple clients. Each has different:
- Retention requirements
- Compliance needs
- Budget constraints
How do I explain potential cost increases when Microsoft pulls auxiliary logs?
The Migration Mystery
- When will they force the switch?
- What happens to my 2 years of auxiliary data?
- Can I keep some clients on the old system?
What I'm Doing Now
1. Running the Numbers
- Documenting every GB in auxiliary/basic tiers
- Calculating worst-case scenarios
- Preparing client communications
2. Testing Alternatives
- Exploring data export options
- Considering hybrid architectures
- Building cost models
3. Waiting (Im)patiently
- Checking the portal daily
- Following the onboarding guide
- Asking everyone if they have access yet
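The "running the numbers" step above, and the exposure check the KQL query gives you, come together in a small cost model. The following is an added example (not code from the original post or from Microsoft): it takes rows shaped like the query's summarize output, tags each with the client workspace it came from (a hypothetical field; one workspace per client is assumed), and computes today's bill against the worst case where every auxiliary GB is forced onto the analytics tier. The per-GB rates are the 0.025 and 0.30 figures used in the query; the workspace names, volumes, the 24-month window (the post's 2-year auxiliary retention) and the notification threshold are constructed. It assumes a flat per-GB ingest rate and does not model retention or archive charges.

```python
# Added example (not from the original post): a worst-case cost model for the
# auxiliary/basic-tier volumes the post's KQL reports, run across several client
# workspaces. Rates are the per-GB figures used in the post's query; everything
# else (workspace names, volumes, the notify threshold) is constructed.
from dataclasses import dataclass

AUX_RATE_PER_GB = 0.025       # current-tier rate assumed in the post's KQL
ANALYTICS_RATE_PER_GB = 0.30  # analytics-tier rate assumed in the post's KQL


@dataclass(frozen=True)
class UsageRow:
    """One row of the query's summarize output, tagged with the client workspace it came from."""
    workspace: str     # hypothetical field: one Sentinel workspace per client
    data_type: str
    total_gb: float    # monthly GB currently landing in the auxiliary/basic tier


# Constructed sample data standing in for the KQL output from three client workspaces.
SAMPLE_USAGE = [
    UsageRow("client-a", "SecurityEvent_Basic", 1200.0),
    UsageRow("client-a", "Syslog_Basic", 300.0),
    UsageRow("client-b", "CommonSecurityLog_Basic", 4000.0),
    UsageRow("client-c", "AzureDiagnostics_Basic", 50.0),
]


def gb_by_workspace(rows):
    """Sum monthly auxiliary-tier GB per workspace."""
    totals = {}
    for row in rows:
        totals[row.workspace] = totals.get(row.workspace, 0.0) + row.total_gb
    return totals


def scenario_cost(gb, migrated_fraction, aux_rate=AUX_RATE_PER_GB,
                  analytics_rate=ANALYTICS_RATE_PER_GB):
    """Monthly cost if `migrated_fraction` of the volume is forced onto the analytics tier.

    0.0 reproduces today's bill, 1.0 is the worst case the post worries about.
    Assumption: a flat per-GB ingest rate; retention/archive charges are not modelled.
    """
    moved = gb * migrated_fraction
    return round(moved * analytics_rate + (gb - moved) * aux_rate, 2)


def cost_model(rows, months=24):
    """Per-workspace current vs worst-case cost, monthly and over a retention window.

    `months` defaults to the post's 2-year auxiliary retention.
    """
    model = {}
    for ws, gb in sorted(gb_by_workspace(rows).items()):
        current = scenario_cost(gb, 0.0)
        worst = scenario_cost(gb, 1.0)
        model[ws] = {
            "gb_per_month": gb,
            "current_monthly": current,
            "worst_case_monthly": worst,
            "monthly_delta": round(worst - current, 2),
            "current_over_retention": round(current * months, 2),
            "worst_case_over_retention": round(worst * months, 2),
        }
    return model


def clients_to_notify(model, min_monthly_delta=100.0):
    """Workspaces whose worst-case monthly increase exceeds a threshold, largest first.

    Handy for deciding which client communications to prepare first; the
    threshold is a constructed example value.
    """
    hits = [(ws, m["monthly_delta"]) for ws, m in model.items()
            if m["monthly_delta"] > min_monthly_delta]
    return [ws for ws, _ in sorted(hits, key=lambda x: x[1], reverse=True)]


def portfolio_totals(model):
    """Sum the current and worst-case monthly cost across all workspaces."""
    current = round(sum(m["current_monthly"] for m in model.values()), 2)
    worst = round(sum(m["worst_case_monthly"] for m in model.values()), 2)
    return {"current_monthly": current, "worst_case_monthly": worst,
            "monthly_delta": round(worst - current, 2)}


if __name__ == "__main__":
    model = cost_model(SAMPLE_USAGE)
    for ws, m in model.items():
        print(f"{ws}: {m['gb_per_month']:.0f} GB/mo, "
              f"${m['current_monthly']:.2f} now -> ${m['worst_case_monthly']:.2f} worst case")
    print("notify first:", clients_to_notify(model))
    print("portfolio:", portfolio_totals(model))
```

Feed it the real summarize output per workspace (exported from each client's Usage table) and the `migrated_fraction` knob lets you model partial outcomes, for example if Microsoft keeps a cheaper tier for some data types and only part of the volume moves.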
My Two Cents
Look, the Data Lake could be amazing. Unified data, AI queries, long-term retention—sign me up. But Microsoft needs to understand that some of us built our entire pricing models around auxiliary logs.
What we need:
- Clear timeline on auxiliary log deprecation
- Equivalent pricing tier in Data Lake
- Migration tools that actually work
- Multi-tenant support from day one
Until then, I'm stuck explaining to clients why their costs might go up for the same data they're storing today.
The Bottom Line
The Sentinel Data Lake preview looks promising, but the devil's in the details—details we don't have yet. If you're running Sentinel for multiple clients, start preparing now. Audit your auxiliary usage, model the costs, and pray Microsoft listens to our feedback.
At least we'll all be refreshing our portals together.
Found the Data Lake option in your portal? Worried about auxiliary logs too? Let's compare notes at hello@cy-brush.com