Microsoft launches Sentinel data lake to cut storage costs

Techday NZ

6 days ago


Microsoft has unveiled an expansion of its security information and event management (SIEM) solution, Microsoft Sentinel, introducing a security data lake designed to address both the cost and capability challenges faced by cybersecurity teams. The newly launched Sentinel data lake aims to reduce the cost of security data retention, with Microsoft claiming storage fees of less than 10% of those charged for traditional analytics log storage. According to Microsoft, the move is intended to help security teams retain all relevant data affordably, making incident detection and response faster and more accurate.

Data challenges

Security operations teams have long contended with managing increasing volumes of data while controlling costs. Microsoft stated, "You can't protect what you can't see. Security operations teams have long been faced with the challenge of managing massive, fast-growing datasets, and the cost of scaling traditional data management tools to handle these data volumes has become unsustainable. We're evolving our industry-leading Security Incidents and Event Management solution (SIEM), Microsoft Sentinel, to include a modern, cost-effective data lake. By unifying all your security data, Microsoft Sentinel data lake, now in public preview, accelerates agentic AI adoption and drives unparalleled visibility, empowering teams to detect and respond faster. With Sentinel data lake, you're no longer forced to choose between retaining critical data and staying within budget."

The new architecture is said to bring together security data from both Microsoft and third-party sources using over 350 native connectors. It is positioned as a foundation for AI-powered detection, allowing security teams to hunt for threats over extended time frames and perform detailed forensic analysis without sacrificing data retention to cost constraints.

Microsoft further said, "Breaking down data silos for better security... Siloed data means missed cyberthreats, delayed investigations, and underutilized tools." The aim is to unify data and enable better threat visibility and collaboration within security teams.

Threat intelligence integration

In addition to the data lake, Microsoft has announced the integration of Microsoft Defender Threat Intelligence (MDTI) into both Sentinel and Defender XDR at no additional cost. This integration is pitched as giving security teams access to a substantial repository of frontline threat intelligence, which processes signals from what Microsoft says are 84 trillion daily data points and is supported by over 10,000 security specialists. The company stated, "To further help defenders get the most out of their data, we're democratizing threat intelligence by converging Microsoft Defender Threat Intelligence (MDTI) capabilities into Defender XDR and Sentinel at no additional cost; this means that security teams will no longer need to buy a separate SKU to access these powerful features."

These changes will be rolled out over time, with all Microsoft first-party threat reports, including intelligence profiles and indicators of compromise (IoCs), expected to become available through Defender XDR. The plan is also to incorporate IoCs into Sentinel's case management, allowing customers to share threat intelligence across teams inside their organisations, with further features scheduled to follow.

Industry support

"Microsoft's vision for Sentinel data lake reflects what matters most in cybersecurity: clarity, scale, and real-world impact. With more than 1,200 Sentinel deployments worldwide, BlueVoyant has seen the need firsthand. Large scale data challenges are now the norm. Sentinel data lake marks a natural evolution of the SIEM and SOAR model, one that critically supports modern analytics, data science, and flexible ingestion strategy. It is a critical step forward for customers looking to modernize their security operations."
- Milan Patel, Chief Revenue Officer at BlueVoyant

Industry partners have responded to Microsoft's expanded offering and its intent to simplify data management while providing a robust foundation for AI-driven security operations.

"For cyber teams, the massive proliferation of data can misdirect focus or delay responses to genuine [cyber]threats. Microsoft Sentinel data lake can be a valuable tool for data centralization and visibility and for historical analysis across large volumes of datasets. Together with Microsoft, Accenture can help our clients leverage the data lake to extend the power of Microsoft Sentinel to supercharge attack detection and proactive remediation."
- Rex Thexton, Chief Technology Officer, Accenture Security

Microsoft's approach aims to help organisations move between real-time analytics and historical analysis from a single portal. The solution is designed to support custom machine learning workflows, analytics, and integration with tools familiar to security teams, all based on open data formats.

"The [cyber]attack surface is expanding with every application and AI application deployed across hybrid cloud environments, and AI-powered attacks are evolving just as fast. What many organizations still lack isn't just better tools - it's real-time visibility of their IT estate, their configurations and business context. To understand their full exposure, organizations need the right asset intelligence and a shared industry effort. The new Microsoft Sentinel data lake represents a valuable step in that direction; IBM is committed to working across the ecosystem to help solve that challenge."
- Srini Tummalapenta, IBM Distinguished Engineer, Chief Technology Officer for IBM Consulting Cybersecurity Services

AI readiness measures

Microsoft stated that centralising data enriches its AI models, such as Security Copilot, giving them the full context needed to detect sophisticated cyberattack patterns, correlate signals over extended time spans, and produce high-fidelity alerts. The company explained, "Centralizing your data in a threat intel-enriched data lake eliminates silos and ensures AI models like Security Copilot have the full context they need to detect subtle cyberattack patterns, correlate signals across time and space, and surface high-fidelity alerts. This creates the foundation for the future of agentic defense where AI doesn't just assist, it acts."

Microsoft Sentinel data lake is now in public preview and available for customer onboarding as part of the company's continuing development of an integrated security operations platform.
