Microsoft Expands Sentinel Into Agentic Security Platform With Unified Data Lake

Microsoft has officially announced a major expansion of its Sentinel Security Information and Event Management (SIEM) solution, transforming it into a unified agentic security platform. At the core of this update is the general availability of the Sentinel data lake, designed to provide enterprises with advanced capabilities for managing and analyzing security data.

In addition to this release, Microsoft is also rolling out a public preview of Sentinel Graph and the Sentinel Model Context Protocol (MCP) server.

Vasu Jakkal, Corporate Vice President at Microsoft Security, explained the update in a statement shared with SCtoCS:

“With graph-based context, semantic access, and agentic orchestration, Sentinel provides defenders with a single platform to ingest security signals, correlate data across domains, and empower AI-driven agents built in Security Copilot, VS Code with GitHub Copilot, or other development environments.”

Sentinel Data Lake: A Foundation for Agentic Defense

The Sentinel data lake was first released in public preview in July, built as a cloud-native platform specifically for ingesting, managing, and analyzing large-scale security data. According to Microsoft, this capability enhances visibility and enables more advanced analytics for detecting sophisticated threats.

By consolidating data from diverse sources, the platform gives AI assistants such as Security Copilot the full context needed to uncover subtle attack patterns, connect related signals, and generate high-confidence alerts.


Microsoft highlighted that this evolution will help security teams:

  • Identify attacker behaviors more effectively.
  • Conduct retroactive threat hunting on historical data.
  • Trigger automatic detections aligned with the latest adversary tradecraft.

Graph-Powered Context and Integration

Jakkal emphasized that Sentinel processes both structured and semi-structured signals, building a contextual security map using vectorized data and graph-based relationships.

By integrating Sentinel insights with Microsoft Defender and Purview, organizations gain graph-powered intelligence within familiar tools. This integration allows defenders to:

  • Trace potential attack paths.
  • Evaluate the impact of threats.
  • Prioritize responses in a seamless workflow.

Microsoft positions this approach as a shift from reactive to predictive security, with the aim of helping organizations get ahead of attackers rather than responding only after the fact.

Empowering AI Agents and Securing Platforms

Microsoft also revealed that enterprises will be able to build Security Copilot agents in MCP-enabled development environments, such as VS Code with GitHub Copilot, connected to Sentinel through the new MCP server. These agents can be tailored to an organization’s own workflows, extending security automation and intelligence.

At the same time, the company acknowledged the growing risks around AI systems, in particular cross-prompt injection attacks, in which instructions hidden in content an agent processes hijack its behavior. To counter this, Microsoft announced upcoming Azure AI Foundry enhancements intended to strengthen guardrails for AI agents and improve protection against such manipulation.