Microsoft Unveils Sentinel Data Lake to Cut Costs and Boost AI-Driven Threat Detection

Cloud-native upgrade integrates SIEM, XDR and threat intelligence into a unified security platform

Microsoft has launched a new cloud-native security architecture, Sentinel Data Lake, designed to lower the cost of data retention and improve threat detection through artificial intelligence. Now in public preview, the enhanced system forms part of Microsoft Sentinel, the company’s flagship security information and event management (SIEM) platform.

The update combines SIEM with extended detection and response (XDR) and Microsoft Defender Threat Intelligence (MDTI), offering enterprises a unified approach to handling security data. According to Microsoft, the new data lake supports more than 350 connectors across Microsoft and third-party sources, allowing organisations to consolidate logs and telemetry into a single repository at around 15 per cent of the typical cost associated with traditional analytics storage.

Scott Woodgate, senior director of Microsoft Sentinel, described the data lake as a “forensic vault”, enabling businesses to retain months—or even years—of raw security data without being hindered by storage costs. This approach, he said, allows for deeper forensic investigations and more comprehensive threat hunting.

In a significant change, Microsoft will now offer MDTI at no additional cost within both Defender XDR and Sentinel, starting October 2025. Previously, organisations were required to purchase separate licences for the threat intelligence service.

The platform’s open format and compatibility with widely used analytical tools—such as Kusto Query Language (KQL), Apache Spark and Jupyter notebooks—are intended to simplify operations and encourage the use of AI in security workflows. Microsoft has also introduced a Visual Studio Code extension, giving security teams direct access to these tools.

Industry analysts have welcomed the move, noting that long-term retention of log data at a fraction of existing costs could help organisations improve regulatory compliance, enable detailed historical analysis and accelerate incident response. Sentinel Data Lake is designed to operate as a scalable, AI-ready system capable of adapting to growing security data demands.

The launch marks a broader push by Microsoft to consolidate its security offerings under one ecosystem, where data collection, analysis and response are tightly integrated. With cloud-native infrastructure and built-in threat intelligence, the company is positioning Sentinel as a central platform for modern security operations centres.
