Microsoft has introduced a new data lake feature in its Sentinel platform, now in public preview. This development aims to help security operations teams manage large and growing volumes of security data more affordably. Traditional SIEM tools can become expensive and difficult to scale. Microsoft’s new approach addresses these issues by combining data from different sources into one central system, reducing the need for separate tools and improving visibility across environments.
Sentinel data lake brings together logs from Microsoft and third-party services using over 350 built-in connectors. It supports long-term data retention at a much lower cost than the typical analytics-log tier and enables analysis over that retained history. The goal is to let teams detect threats that unfold across extended timeframes and to improve incident investigation and response.
The system integrates closely with Microsoft Defender, and from October 2025, threat intelligence from Microsoft Defender Threat Intelligence (MDTI) will be merged into Sentinel and Defender XDR. This gives security teams access to indicators of compromise and other threat data without needing a separate license.
Built into the Microsoft Defender portal, the data lake allows security analysts to run queries across historical and real-time data using tools like KQL and Apache Spark. This flexibility helps teams detect subtle cyberattacks, manage compliance, and support both manual and AI-driven threat detection.