Update

Microsoft Sentinel data federation (Preview)

April 2026

Microsoft Sentinel data federation (Preview)
Powered by Microsoft Fabric, Microsoft Sentinel data federation lets you analyze security data where it already lives, without copying or duplicating it. You can federate data from Microsoft Fabric, Azure Data Lake Storage, and Azure Databricks into Microsoft Sentinel data lake, then use familiar Microsoft Sentinel experiences like KQL, notebooks, and custom graphs across both federated and native data.

Transform data with filter and split features (Preview)
Native filtering and splitting in the Microsoft Defender portal helps you reduce noise before ingestion, control costs, and intelligently route data between analytics and data lake tiers so you can optimize what gets analyzed versus retained. For more information, see Transform data using filter and split in Microsoft Sentinel.

Accelerate Microsoft Sentinel connector development with Visual Studio Code connector builder agent (Preview)
An AI-powered, low-code agent in Visual Studio Code helps you build Microsoft Sentinel connectors in minutes, bringing in new data sources faster and unlocking security outcomes sooner. For more information, see Get started with custom connectors using AI agent in Microsoft Sentinel.

Build custom graphs (Preview)
Build tailored security graphs across the Sentinel data lake and third-party data to uncover attack paths, blast radius, and hidden relationships. These graphs also serve as a foundation for advanced investigations and AI agents. For more information, see Custom Graph overview.

Graphs experience in the Microsoft Defender portal (Preview)
After creating your custom graphs, you can access them in the graphs section of the Defender portal under Microsoft Sentinel. From there, you can run Graph Query Language (GQL) queries, view the graph schema, visualize the graph, view graph results in tabular format, and interactively traverse the graph to the next hop with a simple click.

Entity analyzer is now generally available
Entity analyzer in the Microsoft Sentinel Model Context Protocol (MCP) data exploration tool collection lets you get out-of-the-box, explainable entity risk assessments for URLs and identities using threat intelligence, prevalence, and organizational context.

Important

Starting April 1, 2026, you're charged for the Security Compute Units (SCUs) required when using the entity analyzer. For more information, see Understand Microsoft Sentinel MCP server pricing, limits, and availability.

AI-powered SIEM migration tool is now generally available
Accelerate migrations to Microsoft Sentinel from Splunk and QRadar using an AI-assisted SIEM migration experience designed to reduce manual effort and speed time-to-value. For more information, see Migrate to Microsoft Sentinel with the SIEM migration experience.

Cost estimation tool for customers and partners (Preview)
A guided, meter-level Microsoft Sentinel cost estimator with three-year projections helps organizations model data growth, predict spend, and plan Microsoft Sentinel adoption with confidence. For more information, see Microsoft Sentinel pricing.

Configure row-level access using Microsoft Sentinel scoping (Preview)
Microsoft Sentinel now supports scoping (row-level RBAC) to control access to specific subsets of Sentinel data without requiring workspace separation. Administrators can define logical scopes, tag data at ingestion time, and assign users or groups to scopes using Unified RBAC, enabling multiple teams to work securely within a shared Sentinel environment. Scoping is configured in the Microsoft Defender portal. For more information, see Configure Microsoft Sentinel scoping (row-level RBAC).
