Commit 9ae2716

updates for federation
1 parent 861aa20 commit 9ae2716

6 files changed

Lines changed: 26 additions & 17 deletions

articles/sentinel/datalake/graph-visualization.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Visualize custom graphs in Microsoft Sentinel graph (preview)
33
description: Learn how to use Microsoft Sentinel graph to query, visualize, and interact with custom security graphs to gain new security insights.
44
author: EdB-MSFT
55
ms.author: edbaynash
6-
ms.date: 03/23/2026
6+
ms.date: 03/26/2026
77
ms.topic: how-to
88
ms.service: microsoft-sentinel
99
ms.subservice: sentinel-graph
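Review bot: ms.date is bumped to 03/26/2026 here with no other change to graph-visualization.md (sentinel-graph-overview.md at the end of this commit gets the same date-only bump); if ms.date is meant to reflect content updates, drop these two files from the commit or add the federation-related text the commit message implies.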

articles/sentinel/datalake/kql-jobs.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ ms.author: edbaynash
77
ms.service: microsoft-sentinel
88
ms.subservice: sentinel-platform
99
ms.topic: how-to
10-
ms.date: 11/19/2025
10+
ms.date: 03/26/2026
1111
ms.collection: ms-security
1212

1313
# Customer intent: As a security engineer or administrator, I want to create jobs in the Microsoft Sentinel data lake so that I can run KQL queries against the data in the lake tier and promote the results to the analytics tier.
@@ -17,7 +17,7 @@ ms.collection: ms-security
1717

1818
# Create KQL jobs in the Microsoft Sentinel data lake
1919

20-
KQL jobs are one-time or scheduled KQL queries on data in the Microsoft Sentinel data lake. Use jobs for investigative and analytical scenarios, such as:
20+
KQL jobs are one-time or scheduled KQL queries on data in the Microsoft Sentinel data lake and federated tables. Use jobs for investigative and analytical scenarios, such as:
2121
+ Long-running one-time queries for incident investigations and incident response (IR)
2222
+ Data aggregation tasks that support enrichment workflows using low-fidelity logs
2323
+ Historical threat intelligence (TI) matching scans for retrospective analysis
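Review bot: federated tables are introduced here on first mention without a definition or a link; kql-queries.md in this same commit links to [Using federated tables in the Microsoft Sentinel data lake](./using-data-federation.md), so add that link after "and federated tables" (or a "For more information, see ..." sentence) so readers of kql-jobs.md know what a federated table is.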
@@ -27,7 +27,7 @@ KQL jobs are especially effective when queries use joins or unions across differ
2727

2828
Use jobs to promote data from the data lake tier to the analytics tier. Once in the analytics tier, use the advanced hunting KQL editor to query the data. Promoting data to the analytics tier has the following benefits:
2929

30-
+ Combine current and historical data in the analytics tier to run advanced analytics and machine learning models on your data.
30+
+ Combine current and historical data in the analytics tier or from federated tables to run advanced analytics and machine learning models on your data.
3131
+ Reduce query costs by running queries in the analytics tier.
3232
+ Combine data from multiple workspaces to a single workspace in the analytics tier.
3333
+ Combine Microsoft Entra ID, Microsoft 365, and Microsoft Resource Graph data in the analytics tier to run advanced analytics across data sources.
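Review bot: "Combine current and historical data in the analytics tier or from federated tables to run advanced analytics and machine learning models on your data." is ambiguous, because this list describes benefits of promoting data into the analytics tier and federated tables are not a destination (line 71 of this file now says results can't be written to them). Suggest "Combine current and historical data, including data from federated tables, in the analytics tier to run advanced analytics and machine learning models on your data."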
@@ -68,7 +68,7 @@ For more information on assigning roles to managed identities, see [Assign Azure
6868

6969
## Create a job
7070

71-
You can create jobs to run on a schedule or one-time. When you create a job, you specify the destination workspace and table for the results. You can write the results to a new table or append them to an existing table in the analytics or data lake tier. You can create a new KQL job or create a job from a template containing the query and job settings. For more information, see [Create a KQL job from a template](#create-a-job-from-a-template).
71+
You can create jobs to run on a schedule or one-time. When you create a job, you specify the destination workspace and table for the results. You can write the results to a new table or append them to an existing table in the analytics or data lake tier. You can't write the results to federated tables. You can create a new KQL job or create a job from a template containing the query and job settings. For more information, see [Create a KQL job from a template](#create-a-job-from-a-template).
7272

7373

7474
1. Start the job creation process from KQL query editor, or from the jobs management page.
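Review bot: the new restriction "You can't write the results to federated tables." sits mid-paragraph between the destination sentence and the template sentence, where it is easy to miss; attach it to the preceding sentence ("... in the analytics or data lake tier, but not to federated tables.") or repeat it in the destination section at line 211, where the tiers a job can write to are listed, so a reader choosing a destination sees it.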
@@ -211,7 +211,7 @@ KQL jobs can write data to either the Analytics tier or the Data lake tier, depe
211211

212212
## Data lake ingestion latency
213213

214-
The data lake tier stores data in cold storage. Unlike hot or near real-time analytics tiers, cold storage is optimized for long-term retention and cost efficiency and doesn't provide immediate access to newly ingested data. When new rows are added to existing tables in the data lake, there's a typical latency of up to 15 minutes before the data is available for querying. Account for the ingestion latency when you run queries and schedule KQL jobs by ensuring that lookback windows and job schedules are configured to avoid data that isn't available yet.
214+
The data lake tier stores data in cold storage. Unlike hot or near real-time analytics tiers, cold storage is optimized for long-term retention and cost efficiency and doesn't provide immediate access to newly ingested data. When new rows are added to existing tables in the data lake or in federated tables, there's a typical latency of up to 15 minutes before the data is available for querying. Account for the ingestion latency when you run queries and schedule KQL jobs by ensuring that lookback windows and job schedules are configured to avoid data that isn't available yet.
215215

216216
To avoid querying data that might not yet be available, include a delay parameter in your KQL queries or jobs. For example, when you schedule automated jobs, set the query's end time to `now() - delay`, where `delay` matches the typical data readiness latency of 15 minutes. This approach ensures that queries only target data that's fully ingested and ready for analysis.
217217
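Review bot: the paragraph explains the 15-minute latency as a property of cold storage in the data lake tier, but the added "or in federated tables" extends the same figure to federated tables without saying why it applies there; either state that federated tables have the same readiness latency regardless of storage tier, or give the federated-table figure separately. Also align the wording with kql-queries.md in this commit, which states a flat "15-minute latency" rather than "up to 15 minutes".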

articles/sentinel/datalake/kql-queries.md

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ author: EdB-MSFT
66
ms.service: microsoft-sentinel
77
ms.subservice: sentinel-platform
88
ms.topic: how-to
9-
ms.date: 03/04/2026
9+
ms.date: 03/26/2026
1010
ms.author: edbaynash
1111
ms.collection: ms-security
1212
---
@@ -15,7 +15,7 @@ ms.collection: ms-security
1515

1616
Data lake exploration in the Microsoft Defender portal provides a unified interface to analyze your data lake. It lets you run KQL (Kusto Query Language) queries, create jobs, and manage them.
1717

18-
The **KQL queries** page under **Data lake exploration** lets you edit and run KQL queries on data lake resources. Create jobs to promote data from the data lake to the analytics tier, or create aggregate tables in the data lake tier. Run jobs on demand or schedule them. The **Jobs** page lets you manage jobs; enable, disable, edit, or delete. For more information, see [Create jobs in the Microsoft Sentinel data lake](kql-jobs.md).
18+
The **KQL queries** page under **Data lake exploration** lets you edit and run KQL queries on data lake resources and federated tables. Create jobs to promote data from the data lake to the analytics tier, or create aggregate tables in the data lake tier. Run jobs on demand or schedule them. The **Jobs** page lets you manage jobs; enable, disable, edit, or delete. For more information, see [Create jobs in the Microsoft Sentinel data lake](kql-jobs.md).
1919

2020
## Prerequisites
2121

@@ -29,7 +29,7 @@ You can run KQL queries in the Microsoft Defender portal after completing the on
2929

3030
Microsoft Entra ID roles let you access all workspaces in the data lake. Alternatively, you can grant access to individual workspaces using Azure RBAC roles. Users with Azure RBAC permissions for Microsoft Sentinel workspaces can run KQL queries against those workspaces in the data lake tier. For more information on roles and permissions, see [Microsoft Sentinel data lake roles and permissions](../roles.md#roles-and-permissions-for-the-microsoft-sentinel-data-lake).
3131

32-
Optionally, Microsoft Sentinel scoping or row-level RBAC can be configured to further restrict data access within a workspace. When enabled, row-level scoping limits the data returned by queries based on the user’s assigned scope. If row-level scoping isn’t configured, the existing workspace-level permission model applies unchanged. For more information, see [Microsoft Sentinel scoping](../scoping.md).
32+
Optionally, Microsoft Sentinel scoping or row-level RBAC can be configured to further restrict data access within a workspace. When enabled, row-level scoping limits the data returned by queries based on the user’s assigned scope. If row-level scoping isn’t configured, the existing workspace-level permission model applies unchanged. [Configure Microsoft Sentinel scoping (row-level RBAC) (preview)](../scoping.md).
3333

3434
## Write KQL queries
3535
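Review bot: the replacement drops the "For more information, see" lead-in, leaving a bare link sentence "[Configure Microsoft Sentinel scoping (row-level RBAC) (preview)](../scoping.md)." at the end of the paragraph; the identical paragraph added to notebooks.md in this commit keeps the lead-in, so restore it here: "For more information, see [Configure Microsoft Sentinel scoping (row-level RBAC) (preview)](../scoping.md)."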

@@ -49,20 +49,25 @@ The **Query history** tab shows a list of your previously run queries, query pro
4949

5050
You can run queries against a single workspace or multiple workspaces. Select workspaces in the upper right corner of the query editor by using the **Selected workspaces** dropdown. The workspaces you select determine the tables available for querying. The selected workspaces apply to all query tabs in the query editor. When you use multiple workspaces, the `union()` operator is applied by default to tables with the same name and schema from different workspaces. Use the `workspace()` operator to query a table from a specific workspace, for example `workspace("MyWorkspace").AuditLogs`.
5151

52+
To query federated tables, select **System tables** when choosing workspaces. For more information on federated tables, see [Using federated tables in the Microsoft Sentinel data lake](./using-data-federation.md).
53+
5254
If you select a single, empty workspace or a workspace in the process of onboarding, the schema browser doesn't display any tables.
5355

56+
5457
:::image type="content" source="media/kql-queries/select-a-workspace.png" lightbox="media/kql-queries/select-a-workspace.png" alt-text="A screenshot showing the workspaces selection panel.":::
5558

5659
### Time range selection
5760
Use the time picker above the query editor to select the time range for your query. By using the **Custom time range** option, you can set a specific start and end time. Time ranges can be up to 12 years in duration.
5861

5962
:::image type="content" source="media/kql-queries/time-range-selector.png" lightbox="media/kql-queries/time-range-selector.png" alt-text="A screenshot showing the time range selector.":::
6063

64+
> [!IMPORTANT]
65+
> The time range selector doesn't work for federated tables that don't have a `TimeGenerated` column or where the `TimeGenerated` column isn't in the correct format. When querying these tables, specify the time range in your KQL query using the appropriate column for time filtering.
66+
6167
You can also specify a time range in the KQL query syntax, for example:
6268
+ `where TimeGenerated between (datetime(2020-01-01) .. datetime(2020-12-31))`
6369
+ `where TimeGenerated between(ago(180d)..ago(90d))`
6470

65-
6671
> [!NOTE]
6772
> Queries are limited to 500,000 rows or 64 MB of data and timeout after 8 minutes. When selecting a broad time range, your query might exceed these limits. Consider using asynchronous queries for long-running queries. For more information, see [Async queries](#async-queries).
6873
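Review bot: in the new [!IMPORTANT] note, "where the `TimeGenerated` column isn't in the correct format" is vague; state what the time picker requires (a `TimeGenerated` column of datetime type, if that is the requirement) so readers can check their federated table's schema. Two smaller points: the blank line added at line 56 leaves two consecutive blank lines before the select-a-workspace image, and the link target "./using-data-federation.md" should match the "using-data-federation.md" form used in notebooks.md in this same commit.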
@@ -151,6 +156,8 @@ external_table("AADRiskyUsers")
151156
+ `externaldata()`
152157
+ `ingestion_time()`
153158

159+
+ There is a 15-minute latency between when data is ingested into the data lake or federated tables, and when it becomes available for querying. This means that newly ingested data may not be immediately queryable.
160+
154161

155162
[!INCLUDE [Service limits for KQL queries against the data lake](../includes/service-limits-kql-queries.md)]
156163
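Review bot: the added bullet about the 15-minute latency is appended to the list of functions that precedes it (`externaldata()`, `ingestion_time()`) and is separated from it only by a blank line, so it renders as one more item of that list; move it into its own paragraph or a [!NOTE], and use the same "up to 15 minutes" phrasing as the Data lake ingestion latency section of kql-jobs.md in this commit.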

articles/sentinel/datalake/notebook-jobs.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,14 +7,14 @@ ms.author: edbaynash
77
ms.service: microsoft-sentinel
88
ms.subservice: sentinel-platform
99
ms.topic: how-to
10-
ms.date: 07/09/2025
10+
ms.date: 03/26/2026
1111

1212
# Customer intent: As a security engineer or data scientist, I want to explore and analyze security data in the Microsoft Sentinel data lake using Jupyter notebooks, so that I can gain insights and build advanced analytics solutions.
1313
---
1414

1515
# Create and manage Jupyter notebook jobs
1616

17-
You can create scheduled jobs to run at specific times or intervals using the Microsoft Sentinel extension for Visual Studio Code. Jobs allow you to automate data processing tasks to summarize, transform, or analyze data in the Microsoft Sentinel data lake. Jobs are also used to process data and write results to custom tables in the lake tier or analytics tier.
17+
You can create scheduled jobs to run at specific times or intervals using the Microsoft Sentinel extension for Visual Studio Code. Jobs allow you to automate data processing tasks to summarize, transform, or analyze data in the Microsoft Sentinel data lake and federated tables. Jobs are also used to process data and write results to custom tables in the lake tier or analytics tier.
1818

1919
## Permissions
2020

articles/sentinel/datalake/notebooks.md

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,14 +7,14 @@ ms.author: edbaynash
77
ms.topic: how-to
88
ms.service: microsoft-sentinel
99
ms.subservice: sentinel-platform
10-
ms.date: 03/04/2026
10+
ms.date: 03/26/2026
1111

1212
# Customer intent: As a security engineer or data scientist, I want to explore and analyze security data in the Microsoft Sentinel data lake using Jupyter notebooks, so that I can gain insights and build advanced analytics solutions.
1313
---
1414

1515
# Run notebooks on the Microsoft Sentinel data lake
1616

17-
Jupyter notebooks provide an interactive environment for exploring, analyzing, and visualizing data in the Microsoft Sentinel data lake. With notebooks, you can write and execute code, document your workflow, and view results—all in one place. This makes it easy to perform data exploration, build advanced analytics solutions, and share insights with others. By leveraging Python and Apache Spark within Visual Studio Code, notebooks help you transform raw security data into actionable intelligence.
17+
Jupyter notebooks provide an interactive environment for exploring, analyzing, and visualizing data in the Microsoft Sentinel data lake and federated tables. With notebooks, you can write and execute code, document your workflow, and view results—all in one place. This makes it easy to perform data exploration, build advanced analytics solutions, and share insights with others. By leveraging Python and Apache Spark within Visual Studio Code, notebooks help you transform raw security data into actionable intelligence.
1818

1919
This article shows you how to explore and interact with data lake data using Jupyter notebooks in Visual Studio Code.
2020

@@ -28,6 +28,8 @@ To use notebooks in the Microsoft Sentinel data lake, you must first onboard to
2828

2929
Microsoft Entra ID roles provide broad access across all workspaces in the data lake. Alternatively you can grant access to individual workspaces using Azure RBAC roles. Users with Azure RBAC permissions to Microsoft Sentinel workspaces can run notebooks against those workspaces in the data lake tier. For more information, see [Roles and permissions in Microsoft Sentinel](../roles.md#roles-and-permissions-for-the-microsoft-sentinel-data-lake).
3030

31+
Optionally, Microsoft Sentinel scoping or row-level RBAC can be configured to further restrict data access within a workspace. When enabled, row-level scoping limits the data returned by queries based on the user’s assigned scope. If row-level scoping isn’t configured, the existing workspace-level permission model applies unchanged. For more information, see [Configure Microsoft Sentinel scoping (row-level RBAC) (preview)](../scoping.md).
32+
3133
To create new custom tables in the analytics tier, the data lake managed identity must be assigned the **Log Analytics Contributor** role in the Log Analytics workspace.
3234

3335
To assign the role, follow the steps below:
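Review bot: this scoping paragraph is a verbatim copy of the one in kql-queries.md (line 32 of that file in this commit), and the two copies have already drifted (the kql-queries.md copy lost its "For more information, see" lead-in); since the repo already uses [!INCLUDE] files for shared text (see ../includes/service-limits-kql-queries.md in kql-queries.md), consider moving the paragraph into an include.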
@@ -86,9 +88,9 @@ After installing the Microsoft Sentinel extension, you can start exploring data
8688

8789
### View data lake tables and jobs
8890

89-
Once you sign in, the Sentinel extension displays a list of **Lake tables** and **Jobs** in the left pane. The tables are grouped by the database and category. Select a table to see the column definitions.
91+
Once you sign in, the Sentinel extension displays a list of **Lake tables** and **Jobs** in the left pane. The tables are grouped by the database and category. Federated tables are displayed under the **Assets** category under **System tables**. Select a table to see the column definitions.
9092

91-
For information on Jobs, see [Jobs and Scheduling](#jobs-and-scheduling).
93+
For information on Jobs, see [Jobs and Scheduling](#jobs-and-scheduling). For more information on federated tables, see [Using federated tables in the Microsoft Sentinel data lake](using-data-federation.md).
9294

9395
:::image type="content" source="./media/notebooks/tables-and-jobs.png" lightbox="./media/notebooks/tables-and-jobs.png" alt-text="A screenshot showing the list of tables, jobs, and the selected table's metadata.":::
9496
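Review bot: "Federated tables are displayed under the **Assets** category under **System tables**." doubles "under"; suggest "Federated tables are displayed in the **Assets** category of **System tables**." It would also help to say that **System tables** is selected in the workspace picker, as kql-queries.md in this commit does, so the two articles describe the same path to the tables.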

articles/sentinel/datalake/sentinel-graph-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ titleSuffix: Microsoft Security
55
description: Learn how Microsoft Sentinel graph enables multi-modal security analytics through graph-based representation of security data, providing deep insights into digital environments and attack paths.
66
author: mberdugo
77
ms.topic: overview
8-
ms.date: 03/23/2026
8+
ms.date: 03/26/2026
99
ms.author: monaberdugo
1010
ms.service: microsoft-sentinel
1111
ms.subservice: sentinel-platform
