Microsoft Consolidates Security Data and Intelligence in Sentinel Update

A modern moat.
David Eberly
Contributing Writer
Microsoft has introduced a new data lake architecture to its Sentinel SIEM platform. The Microsoft Sentinel Data Lake is intended to help security teams store and manage large volumes of data more affordably, with long-term retention and integration across Microsoft and third-party sources.

The update is intended to reduce cost constraints that have traditionally limited how long organizations can retain security telemetry, while also improving visibility and readiness for AI-based tools.

At the same time, Microsoft is beginning to phase Microsoft Defender Threat Intelligence (MDTI) into both Sentinel and Defender XDR. MDTI will now be embedded directly within Microsoft’s security platforms, starting in October 2025.

These updates represent a shift toward consolidating threat detection, response, and intelligence within a unified workflow, reducing reliance on separate tools or additional licensing.

Why It Matters: The volume of data needed to detect modern cyber threats continues to grow, and so does the cost of storing and analyzing it. Microsoft’s latest update to Sentinel could set the standard for the platforms security professionals use. By adopting platforms that offer more affordable long-term storage and streamlined security data operations, organizations could also improve their ability to apply AI effectively in threat detection and investigation.

  • Lower-Cost Storage for Long-Term Security Data: The Sentinel Data Lake allows security teams to retain data at roughly 15% of the cost of traditional analytics storage. This can help organizations keep security logs and telemetry data for longer periods, supporting more thorough investigations and retrospective threat analysis. The move could be relevant for cases where attackers remain undetected for months and historical data is essential to understand how incidents transpired.
  • Integrated Threat Intelligence Without Added Licensing: Microsoft is making its Defender Threat Intelligence capabilities broadly available within Sentinel and Defender XDR. This includes access to threat profiles and indicators of compromise (IoCs) generated from Microsoft’s daily signal analysis. For security teams, this type of integration simplifies workflows and reduces cost, making threat intelligence more accessible across an organization.
  • Centralized Data to Support AI-Driven Detection: Storing relevant security data in a single repository gives AI models higher-quality context to work with. In Microsoft’s case, this helps tools like Microsoft Security Copilot operate more effectively, surfacing patterns and anomalies that might otherwise be missed. For teams exploring or using AI-based detection and response, a centralized dataset can streamline and improve those efforts.
  • Flexible Tools for Real-Time and Historical Analysis: The architecture allows analysts to run complex queries using tools like Kusto Query Language (KQL) and Apache Spark across recent and historical datasets. The ability to work across data tiers without duplication means teams can move more easily between immediate response and deeper investigation. This flexibility can help organizations respond to threats faster and smarter.
  • Open Architecture Supports Custom Use Cases: Sentinel Data Lake is designed around open formats that allow integration with existing analytics tools and custom workflows. This approach gives organizations more control over how they use their data. Whether that means developing in-house machine learning models or scaling a SOC across environments, the architecture provides a consistent and adaptable foundation for a range of security operations.

Go Deeper:

  • Microsoft Sentinel Data Lake: Unify signals, cut costs, and power agentic AI – Microsoft
  • Microsoft Integrates Data Lake With Sentinel SIEM – Dark Reading

Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.
