Microsoft Sentinel is evolving into a SIEM and platform
September 2025
Security is being reengineered for the AI era, moving beyond static, rule-based controls and post-breach response toward platform-led, machine-speed defense. To address the challenge of fragmented tools, sprawling signals, and legacy architectures that can’t match the velocity and scale of modern attacks, Microsoft Sentinel has evolved into both a SIEM and a platform that unifies data for agentic defense. This update reflects architectural enhancements that support AI-driven security operations at scale. For more information, see What is Microsoft Sentinel?
Key additions include Microsoft Sentinel data lake, Microsoft Sentinel graph, and Microsoft Sentinel Model Context Protocol (MCP) server, as described below.
Microsoft Sentinel data lake is now generally available (GA)
A scalable, cost-efficient foundation for long-term data retention and multi-modal analytics. Microsoft Sentinel data lake enables organizations to unify security data across sources and run advanced analytics without infrastructure overhead.
For more information, see Microsoft Sentinel data lake.
Microsoft Sentinel graph (Preview)
Unified graph analytics for deeper context and threat reasoning. Microsoft Sentinel graph models relationships across users, devices, and activities to support complex threat investigations and pre- and post-breach analysis.
For more information, see What is Microsoft Sentinel graph? (Preview).
Microsoft Sentinel Model Context Protocol (MCP) server (Preview)
A hosted interface for building intelligent agents using natural language. Microsoft Sentinel MCP server simplifies agent creation and data exploration by allowing engineers to query and reason over security data without needing schema knowledge.
For more information, see Model Context Protocol (MCP) overview.
New data sources for enhanced User and Entity Behavior Analytics (UEBA) (Preview)
Microsoft Sentinel's UEBA empowers SOC teams with AI-powered anomaly detection based on behavioral signals in your tenant. It helps prioritize threats using dynamic baselines, peer comparisons, and enriched entity profiles.
UEBA now supports anomaly detection using six new data sources:
Microsoft authentication sources:
These sources provide deeper visibility into identity behavior across your Microsoft environment.
- Microsoft Defender XDR device logon events: Capture logon activity from endpoints, helping identify lateral movement, unusual access patterns, or compromised devices.
- Microsoft Entra ID managed identity sign-in logs: Track sign-ins by managed identities used in automation, such as scripts and services. This is crucial for spotting silent misuse of service identities.
- Microsoft Entra ID service principal sign-in logs: Monitor sign-ins by service principals - often used by apps or scripts - to detect anomalies, such as unexpected access or privilege escalation.
Third-party cloud and identity management platforms:
UEBA now integrates with leading cloud and identity management platforms to enhance detection of identity compromise, privilege misuse, and risky access behaviors across multicloud environments.
- AWS CloudTrail login events: Flag risky login attempts in Amazon Web Services (AWS), such as failed multifactor authentication (MFA) or use of the root account—critical indicators of potential account compromise.
- GCP audit logs - Failed IAM access events: Capture denied access attempts in Google Cloud Platform, helping identify privilege escalation attempts or misconfigured roles.
- Okta MFA and authentication security change events: Surface MFA challenges and changes to authentication policies in Okta—signals that might indicate targeted attacks or identity tampering.
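To make the AWS CloudTrail signals above concrete, here is a small detection example added here for illustration; it is plain Python over constructed sample records and is not Sentinel's UEBA logic or any Microsoft code. It reads newline-delimited CloudTrail ConsoleLogin records, labels root-account logins, failed logins and successful logins without MFA, and adds a simple repeated-failure label once an actor crosses a threshold. The field names follow the CloudTrail ConsoleLogin record layout; the risk labels, the `failure_threshold` value and the sample records are assumptions made for the example.

```python
import json
from collections import defaultdict
from typing import Iterator

# Constructed sample CloudTrail records (NDJSON), not real data. The AWS
# account ID is the documentation placeholder 111122223333 and the IPs are
# RFC 5737 documentation addresses.
SAMPLE_CLOUDTRAIL = r"""
{"eventTime": "2025-09-01T08:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.5"}
{"eventTime": "2025-09-01T08:01:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}, "errorMessage": "Failed authentication", "sourceIPAddress": "198.51.100.7"}
{"eventTime": "2025-09-01T08:01:20Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}, "errorMessage": "Failed authentication", "sourceIPAddress": "198.51.100.7"}
{"eventTime": "2025-09-01T08:01:40Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}, "errorMessage": "Failed authentication", "sourceIPAddress": "198.51.100.7"}
{"eventTime": "2025-09-01T08:02:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "192.0.2.9"}
{"eventTime": "2025-09-01T08:03:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "192.0.2.10"}
"""


def parse_records(ndjson: str) -> Iterator[dict]:
    """Yield one parsed CloudTrail record per non-empty line."""
    for line in ndjson.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def actor(event: dict) -> str:
    """Human-readable identity for grouping: root ARN or IAM user name."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        return identity.get("arn", "root")
    return identity.get("userName", identity.get("arn", "unknown"))


def classify_login(event: dict) -> list[str]:
    """Return the risk labels (assumed names) that apply to one record."""
    labels: list[str] = []
    if event.get("eventName") != "ConsoleLogin":
        return labels
    identity_type = event.get("userIdentity", {}).get("type")
    outcome = event.get("responseElements", {}).get("ConsoleLogin")
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed")
    if identity_type == "Root":
        labels.append("root-login")          # root account should be dormant
    if outcome == "Failure":
        labels.append("failed-login")
    if outcome == "Success" and mfa_used == "No":
        labels.append("login-without-mfa")
    return labels


def flag_risky_logins(ndjson: str, failure_threshold: int = 3) -> list[dict]:
    """Scan records in order and return findings for every risky login.

    A 'repeated-failures' label is attached to the record on which an actor
    reaches failure_threshold consecutive-in-batch failures (assumed rule)."""
    findings: list[dict] = []
    failures: dict[str, int] = defaultdict(int)
    for event in parse_records(ndjson):
        labels = classify_login(event)
        who = actor(event)
        if "failed-login" in labels:
            failures[who] += 1
            if failures[who] == failure_threshold:
                labels.append("repeated-failures")
        if labels:
            findings.append({
                "time": event.get("eventTime"),
                "actor": who,
                "sourceIp": event.get("sourceIPAddress"),
                "labels": labels,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_risky_logins(SAMPLE_CLOUDTRAIL):
        print(f"{finding['time']} {finding['actor']} from {finding['sourceIp']}: {', '.join(finding['labels'])}")
```

Running the block over the constructed sample reports the root login, each of alice's three failures (the third also carrying `repeated-failures`), and bob's successful login without MFA; carol's MFA-protected login produces no finding. In a real pipeline the baseline for "repeated" would come from per-actor history rather than a fixed batch count, which is the kind of dynamic baseline the UEBA feature described above provides.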
These new sources enhance UEBA’s ability to detect threats across Microsoft and hybrid environments based on enriched user, device, and service identity data, enhanced behavioral context, and new cross-platform anomaly detection capabilities.
To enable the new data sources, you must be onboarded to the Defender portal.