
You can’t protect what you can’t see. Security operations teams have long faced the challenge of managing massive, fast-growing datasets, and the cost of scaling traditional data management tools to these volumes has become unsustainable. We’re evolving our industry-leading security information and event management (SIEM) solution, Microsoft Sentinel, to include a modern, cost-effective data lake. By unifying all your security data, Microsoft Sentinel data lake, now in public preview, accelerates agentic AI adoption and delivers broad visibility, empowering teams to detect and respond faster. With Sentinel data lake, you’re no longer forced to choose between retaining critical data and staying within budget.

Microsoft Sentinel started on this journey five years ago with the introduction of the first cloud-native SIEM to simplify data onboarding and bring the power of AI to threat detection.¹ Since then, we’ve integrated Sentinel with Microsoft Defender and enriched it with real-time threat intelligence, guided recommendations, and automated response capabilities. Microsoft Sentinel data lake is the next step in that journey—built to help security leaders break through the limitations of traditional SIEMs by putting security data at the center of the security operations center (SOC), at scale, and without compromise. Now, you can continue your own journey and onboard Microsoft Sentinel data lake.

Breaking down data silos for better security

With security log volumes growing fast, teams are forced into painful tradeoffs: reduce logging and accept blind spots, shorten retention and lose forensic depth, or absorb unsustainable costs to keep all their security data in a SIEM. This is the paradox of modern security: the more data you have, the harder it becomes to use it effectively. And without unified, long-term visibility, even the most advanced AI models can’t deliver their full potential. Siloed data means missed cyberthreats, delayed investigations, and underutilized tools.

Microsoft Sentinel data lake was purpose-built to solve this challenge and provides the foundation for agentic defense. It brings together all your security data, from Microsoft and third-party sources, into a single, cost-effective data lake, with more than 350 native connectors. With data retention priced at less than 15% of traditional analytics logs, it enables seamless enrichment with threat intelligence and AI-powered detection across your entire environment. This isn’t just a new product, it’s a new architecture for security operations—one that empowers security teams to hunt cyberthreats across months or years, reconstruct incidents with precision, and unlock the full value of AI.

Microsoft’s vision for Sentinel data lake reflects what matters most in cybersecurity: clarity, scale, and real-world impact. With more than 1,200 Sentinel deployments worldwide, BlueVoyant has seen the need firsthand. Large-scale data challenges are now the norm. Sentinel data lake marks a natural evolution of the SIEM and SOAR model, one that critically supports modern analytics, data science, and flexible ingestion strategy. It is a critical step forward for customers looking to modernize their security operations.

—Milan Patel, Chief Revenue Officer at BlueVoyant

To further help defenders get the most out of their data, we’re democratizing threat intelligence by converging Microsoft Defender Threat Intelligence (MDTI) capabilities into Defender XDR and Sentinel at no additional cost; this means that security teams will no longer need to buy a separate SKU to access these powerful features. MDTI value will be merged in Sentinel and Defender XDR over time, starting in October 2025 when all Microsoft first-party threat reports, including intel profiles and indicators of compromise (IoCs), will be available in Defender XDR. Additionally, IoCs will be incorporated into Sentinel case management so customers can collaborate and share threat intelligence across teams within their organization. The remaining features will become available over time.

With this change, security teams can easily tap into a powerful repository of frontline threat intelligence, sourced from 84 trillion daily signals and backed by the expertise of more than 10,000 Microsoft security specialists. Read more about how this added value in Sentinel and Defender will greatly enhance capabilities with real-time, high-quality threat data.

Empowering security teams to do more

The promise of AI in cybersecurity has always been bold: faster detection, smarter response, and the ability to outpace even the most sophisticated cyberattackers. But most security teams are held back by fragmented data and incomplete context. Centralizing your data in a threat intel-enriched data lake eliminates silos and ensures AI models like Security Copilot have the full context they need to detect subtle cyberattack patterns, correlate signals across time and space, and surface high-fidelity alerts. This creates the foundation for the future of agentic defense where AI doesn’t just assist, it acts. This shift now empowers security teams to:

  • Uncover cyberattacker behavior going back years without worrying as much about storage limits
  • Address pre-breach and post-breach use cases by correlating asset, activity, and TI data
  • Utilize real-time threat intel to triage faster and retroactively hunt over historical data
  • Trigger detections automatically based on the latest IoCs and tactics, techniques, and procedures (TTPs)
  • Use Kusto Query Language (KQL) and Apache Spark to query across extended time horizons and detect subtle cyberattack patterns
  • Support regulatory and compliance needs with scalable, cost-efficient data retention
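As an added illustration of the retroactive hunt described in the list above, the query below re-checks a year of firewall logs against the current set of active IP indicators. This is example KQL written for this article, not Microsoft's code or a query shipped with Sentinel. It assumes the classic Sentinel tables ThreatIntelligenceIndicator and CommonSecurityLog with their standard columns, and that the full lookback window is queryable from the KQL interface the query is run in (the page does not describe how the lake tier is queried, so that is an assumption); the 365-day window and the confidence threshold of 60 are arbitrary choices.

```kql
// Added example: retro-hunt a year of firewall traffic against the latest IP indicators.
// Assumes the classic ThreatIntelligenceIndicator and CommonSecurityLog tables;
// the lookback window and confidence threshold are arbitrary values.
let lookback = 365d;
let minConfidence = 60;
// Keep only the newest record per indicator so stale or superseded entries don't fire.
let iocs = ThreatIntelligenceIndicator
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by NetworkIP
    | where Active == true and ConfidenceScore >= minConfidence
    | project IndicatorIP = NetworkIP, ConfidenceScore, Description;
CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(DestinationIP)
    // The small IoC set sits on the right side of the join so the large historical
    // table is scanned once and filtered against an in-memory indicator list.
    | join kind=inner iocs on $left.DestinationIP == $right.IndicatorIP
    // Collapse a year of hits into one row per indicator, with the first and last
    // time it was contacted and the set of internal sources that reached it.
    | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                Hits = count(), Sources = make_set(SourceIP, 50)
        by DestinationIP, Description, ConfidenceScore
    | order by ConfidenceScore desc, Hits desc
```

The `arg_max` step matters in practice: indicator feeds re-publish the same IP with changing confidence and active flags, and joining against every historical version inflates hit counts and resurrects indicators that were later retired. `FirstSeen` is the value to triage on, since a contact that predates the indicator's publication is exactly the kind of latent compromise a retroactive hunt exists to find.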

These are the jobs that matter most in modern security operations and now they’re easier, faster, and more cost-effective to execute.

For cyber teams, the massive proliferation of data can misdirect focus or delay responses to genuine [cyber]threats. Microsoft Sentinel data lake can be a valuable tool for data centralization and visibility and for historical analysis across large volumes of datasets. Together with Microsoft, Accenture can help our clients leverage the data lake to extend the power of Microsoft Sentinel to supercharge attack detection and proactive remediation.

—Rex Thexton, Chief Technology Officer, Accenture Security

Simplifying operations while being AI-ready

Microsoft Sentinel data lake simplifies data management with a flexible, centralized experience in the Microsoft Defender portal, bringing your security data together alongside the tools your defenders use to prevent, detect, and respond to cyberthreats every day. Analysts can move between the analytics and data lake tiers, enabling real-time response and deep investigation from a single interface. All data stored in the analytics tier is automatically available in the data lake tier, and because the lake is built on open formats, organizations can tailor analytics workflows, build custom machine learning (ML) models, and use familiar tools over a single copy of their security data to extend the lake to their own needs. Whether you’re consolidating tools, scaling your SOC, or preparing for AI-powered defense, Sentinel data lake adapts to your security strategy and journey.

A view of the new data lake architecture and how it interacts with the Sentinel SIEM.

Sentinel data lake ushers SOC teams into the next era of security operations. Ensuring coverage of your security estate, across all security data sources and long time horizons, lets security teams proactively detect latent cyberattacks, spot emerging cyberthreats with AI-powered models, reconstruct cyberattack timelines in forensic detail, and retroactively uncover indicators of compromise that might otherwise go unnoticed.

The [cyber]attack surface is expanding with every application and AI application deployed across hybrid cloud environments, and AI-powered attacks are evolving just as fast. What many organizations still lack isn’t just better tools—it’s real-time visibility of their IT estate, their configurations and business context. To understand their full exposure, organizations need the right asset intelligence and a shared industry effort. The new Microsoft Sentinel data lake represents a valuable step in that direction; IBM is committed to working across the ecosystem to help solve that challenge.

—Srini Tummalapenta, IBM Distinguished Engineer, Chief Technology Officer for IBM Consulting Cybersecurity Services

This launch is more than a product evolution: it enables security operations teams to respond faster and with maximum visibility. Microsoft Sentinel continues to push boundaries with a scalable architecture that combines SIEM, extended detection and response (XDR), and threat intelligence into a single, integrated experience. Sentinel data lake is the foundation of this evolution, enabling security teams to reason over more data, more intelligently, and more affordably than ever before.

Get started today

Microsoft Sentinel data lake is now in preview. Join us as we redefine what’s possible in security operations:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


¹Announcing new cloud-based technology to empower cyber defenders, Official Microsoft Blog. Ann Johnson. Feb 28, 2019.