Microsoft Sentinel Evolution Executive Session

Microsoft Sentinel is evolving from a market-leading Security Information and Event Management (SIEM) tool to a full-fledged, AI-driven security platform for Microsoft Security and its partners. The core of this evolution is to unify security operations within the Microsoft Defender portal, which will remain the primary interface for SOC analysts. Sentinel is being re-architected to serve as the underlying data and analytics engine for all Microsoft security products, including Defender, Entra, and Purview. This shift addresses the need to ingest and analyze massive volumes of security data from diverse sources affordably and efficiently, setting the stage for advanced AI capabilities and automated security agents. The goal is to eliminate the trade-off between comprehensive security coverage and budget constraints by creating a centralized, scalable foundation.

This new platform is built on several key innovations. The Sentinel Data Lake, now generally available, provides a low-cost tier for long-term data storage (up to 12 years), separating storage costs from compute costs. This makes it feasible for organizations to retain voluminous logs from network devices and other third-party sources that were previously cost-prohibitive. On top of this data lake, Microsoft is introducing new ways to interact with data, most notably the Sentinel Graph. This feature allows analysts to visualize relationships between assets, identities, and activities, helping them to understand complex attack paths and blast radiuses in a more intuitive way, because “attackers think in graphs.” The platform also includes a new MCP (Microsoft Copilot Protocol) server, which enables natural language queries and provides a framework for AI agents to discover and use security tools automatically.

Microsoft emphasizes that this is an open platform designed to support a thriving ecosystem and heterogeneous customer environments. With nearly 400 connectors, the platform is built to ingest and correlate data from third-party tools like CrowdStrike and Zscaler with the same fidelity as Microsoft’s native stack. The vision extends to AI-driven actions, like Attack Disruption, which will be expanded to take actions on third-party systems. This entire stack, from the data platform to the AI capabilities, is brought together in the new Microsoft Security Store. This marketplace allows customers to discover, purchase, and deploy curated security solutions and AI agents from both Microsoft and its partners, completing the transition to a unified, AI-ready security architecture.