Data Lake on Nicola Suterhttps://nicolasuter.ch/tags/data-lake/Recent content in Data Lake on Nicola SuterHugo -- gohugo.ioen-US© 2026 Nicola SuterTue, 24 Feb 2026 22:00:03 +0000Defender XDR Unified Detections Meet Sentinel Data Lakehttps://nicolasuter.ch/defender-xdr-unified-detections-sentinel-data-lake/Tue, 24 Feb 2026 22:00:03 +0000https://nicolasuter.ch/defender-xdr-unified-detections-sentinel-data-lake/<p>With the Unified Security Operations Platform (USOP), Microsoft introduces Unified Detections - a single detection framework spanning both Sentinel and Defender XDR data. Pair this with native Sentinel Data Lake ingestion for XDR tables, and you have a compelling cost-optimization story. But is it ready for prime time? Let&rsquo;s dive into the capabilities, current limitations, and what it means for your detection strategy.</p> <h2 class="relative group">Architecture Overview <div id="architecture-overview" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#architecture-overview" aria-label="Anchor">#</a> </span> </h2> <h3 class="relative group">Previous Detection Architecture <div id="previous-detection-architecture" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#previous-detection-architecture" aria-label="Anchor">#</a> </span> </h3> <p>In the &lsquo;previous&rsquo; architecture, detections were created and managed separately for Microsoft Sentinel and Microsoft Defender XDR. This often led to overhead in terms of &lsquo;where to create the detection&rsquo;. Let&rsquo;s take the use-case of IoC (Indicators of Compromise) based detections. Previously, if a security team wanted to create a detection based on IoCs imported via TAXII into Sentinel and the <code>DeviceNetworkEvents</code> table, they would need to ingest the <code>DeviceNetworkEvents</code> data into Sentinel as well and create the detection rule there. Furthermore, many MSSPs leveraged this pattern to create custom detections for their customers across Defender Advanced Hunting Data.</p> <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="Existing Detection Architecture" src="https://nicolasuter.ch/content/images/2026/unifieddetections/arch_prev.png" ></figure> <p>As part of the USOP onboarding, the following effects come into play, marked with an asterisk above:</p>