
Microsoft Sentinel

Andreas Tsouras 20 Reputation points
2026-05-08T07:16:58.1333333+00:00

Hello there, My first question is whether Content hub moved to Defender from Sentinel. Then I am trying to find the Sentinel optimization workbook and I don't see it, and most important, the SignInLogs table does not appear in Defender. I enabled Entra ID diagnostic logs ---> Sign-in logs and Audit logs, I sent them to the correct Log Analytics workspace, I received the Entra ID P2 licence (free trial) and I played there, changing my job from Entra ID and signing in and out multiple times, but no table appears and the status in Sentinel is disconnected. Could you please advise?

Microsoft Security | Microsoft Sentinel

1 answer

  1. Shubham Sharma 16,550 Reputation points Microsoft External Staff Moderator
    2026-05-08T09:37:45.0433333+00:00

    Andreas Tsouras

    Thank you for your reply.

    Below is an RCA and resolution:

    Sentinel is NOT migrated fully into Defender

    Data (SigninLogs) still comes ONLY from Log Analytics workspace

    Defender portal does NOT replace ingestion pipeline

    As per Microsoft:

    Sentinel still runs on Log Analytics workspace

    Workbooks, connectors, and tables remain workspace-dependent

    2. Why your SigninLogs is NOT appearing (Root Causes)

    Cause 1 — You enabled Diagnostic settings but NOT the Sentinel connector properly

    Requirement:

    You must enable the Microsoft Entra ID data connector in Sentinel

    Logs DO NOT appear just by enabling diagnostic settings alone [learn.microsoft.com]

    What to check:

    Go to:

    Sentinel → Data connectors → Microsoft Entra ID

    Ensure:

    Connector is Connected

    Shows data types (SigninLogs / AuditLogs)

    For your reference: https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory

    Cause 2 — Workspace mismatch (Most Common)

    Logs go to the Log Analytics workspace linked to Sentinel.

    If:

    Diagnostic settings → Workspace A

    Sentinel attached → Workspace B

    You will see:

    No SigninLogs table

    Connector = Disconnected

    Resolution:

    Go to:

    Entra ID → Diagnostic settings

    Verify:

    Same workspace as Sentinel

    Remove old config (optional)

    Re-create diagnostic setting

    https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory

    Cause 3 — You are checking in Defender instead of Log Analytics

    Critical point (very often missed):

    SigninLogs table DOES NOT show in Defender UI like Sentinel logs

    It is a Log Analytics table

    Microsoft confirms:

    Logs are stored in Log Analytics workspace [learn.microsoft.com]

    Correct validation method:

    Go to:

    Azure Portal → Log Analytics Workspace → Logs

    Run:

        SigninLogs
        | take 10

    Cause 4 — Data ingestion delay (longer than expected)

    Logs may take 15–30 minutes to appear

    In real scenarios, can take up to 1–2 hours (observed cases)

    https://docs.azure.cn/en-us/entra/identity/monitoring-health/tutorial-configure-log-analytics-workspace

    https://stackoverflow.com/questions/77954089/azure-signin-logs-not-sent-to-log-analytics-even-after-configuring-diagnostics-s

    Cause 5 — Missing required roles / permissions

    Required:

    Sentinel Contributor on workspace

    Security Admin in Entra ID

    Why Connector shows “Disconnected”

    “Disconnected” means:

    Sentinel is NOT detecting data flow yet

    NOT necessarily misconfiguration.

    It flips to Connected only AFTER logs arrive.

    Below is the resolution:

    Step 1 — Validate Workspace

    Check:

    • Sentinel workspace name
    • Diagnostic settings workspace name

    Must match EXACTLY

    Step 2 — Reconfigure Entra diagnostic settings

    Entra ID → Monitoring → Diagnostic settings

    Select:

    • SigninLogs
    • AuditLogs

    Destination:

    • SAME Log Analytics workspace

    Step 3 — Re-enable connector

    Sentinel → Data connectors → Entra ID

    Open connector page

    Click:

    • Disconnect (if stuck)
    • Reconnect

    Step 4 — Generate activity

    Perform:

    • Portal login
    • MFA login
    • Failed login attempt

    Step 5 — Validate in Log Analytics (NOT Defender)

    Run:

        SigninLogs
        | sort by TimeGenerated desc

    About “Sentinel Optimization Workbook” missing

    This is expected behavior:

    Workbooks are:

    Stored as Azure resources in workspace

    https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data?tabs=defender-portal

    After moving to Defender:

    They appear under:

    Sentinel → Threat management → Workbooks

    https://learn.microsoft.com/en-us/azure/sentinel/whats-new?tabs=defender-portal

    If missing:

    Install from Content Hub

    Or import manually

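Added example, not part of the original answer or of any Microsoft tooling: a Python check for the workspace mismatch described under Cause 2 and Step 1 of the answer above. It assumes the Entra ID diagnostic settings have been exported as JSON in the standard Azure diagnostic-settings shape (`properties.workspaceId`, `properties.logs[].category` / `enabled`); the sample data, resource IDs and the function name `check_settings` are constructed for illustration.

```python
# Diagnostic categories that feed the SigninLogs and AuditLogs tables.
REQUIRED = {"SignInLogs", "AuditLogs"}

# Constructed sample data: placeholder subscription, hypothetical workspace names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SENTINEL_WS = (SUB + "/resourceGroups/rg-sec/providers/"
               "Microsoft.OperationalInsights/workspaces/law-sentinel")
OTHER_WS = (SUB + "/resourceGroups/rg-ops/providers/"
            "Microsoft.OperationalInsights/workspaces/law-ops")

SAMPLE = {"value": [
    {"name": "entra-to-ops", "properties": {"workspaceId": OTHER_WS, "logs": [
        {"category": "SignInLogs", "enabled": True},
        {"category": "AuditLogs", "enabled": True}]}},
    # Same workspace as Sentinel, but written in a different letter case.
    {"name": "entra-to-sentinel", "properties": {"workspaceId": SENTINEL_WS.lower(), "logs": [
        {"category": "AuditLogs", "enabled": True},
        {"category": "SignInLogs", "enabled": False}]}},
]}


def norm(resource_id):
    """Azure resource IDs are case-insensitive, so compare them lowercased."""
    return (resource_id or "").strip().rstrip("/").lower()


def check_settings(settings, sentinel_workspace_id):
    """Return findings explaining why SigninLogs/AuditLogs may miss the Sentinel workspace."""
    target = norm(sentinel_workspace_id)
    findings, covered = [], set()
    for setting in settings.get("value", []):
        props = setting.get("properties", {})
        enabled = {log["category"] for log in props.get("logs", []) if log.get("enabled")}
        wanted = enabled & REQUIRED
        if norm(props.get("workspaceId")) == target:
            covered |= wanted
        elif wanted:
            cats = ", ".join(sorted(wanted))
            findings.append(f"{setting.get('name')}: {cats} not sent to the Sentinel workspace")
    for category in sorted(REQUIRED - covered):
        findings.append(f"{category}: not enabled for the Sentinel workspace")
    return findings


if __name__ == "__main__":
    for line in check_settings(SAMPLE, SENTINEL_WS):
        print(line)
```

An empty result means both categories are enabled on a diagnostic setting that targets the Sentinel workspace, which leaves ingestion delay or the connector state as the remaining things to check.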
