Microsoft Now Offers a Security Data Lake. Time To Jump Into the Water?

Analyst(s): Krista Case, Fernando Montenegro
Publication Date: July 24, 2025

Microsoft has launched Sentinel Data Lake, an update to its security platform designed to make long-term security log storage more cost-effective and centralized. Integrating advanced analytics, AI, and now Defender Threat Intelligence, it aims to enhance a security team’s ability to detect and respond to complex threats more efficiently.

What is Covered in this Article:

  • Microsoft’s release of Sentinel Data Lake and changes to its Threat Intel offering
  • The appeal of a more integrated approach for security operations
  • The potential benefits of a growing number of AI-centric security workloads

The News: Microsoft has launched Sentinel Data Lake in public preview, a cloud-native extension of Microsoft Sentinel that centralizes security logs from over 350 Microsoft and third-party connectors into a purpose-built, cost-effective data lake tier supporting long-term retention, priced at under 15 % of traditional analytics log storage. The platform enables advanced analytics via Kusto Query Language (KQL), Python/Spark jobs, and Jupyter notebooks, and it integrates directly with Security Copilot and Defender XDR. The company also announced the unification of Microsoft Defender Threat Intelligence within Sentinel and XDR at no extra cost.

Microsoft Now Offers a Security Data Lake. Time To Jump Into the Water?

Analyst Take: The Futurum Group has been tracking four major trends this year related to the evolution of the cybersecurity market: the dominance of AI as a topic, be it in security for AI, AI for security, or protection against AI-enabled threats; how organizations are tackling the expansion of the attack surface, both in terms of numbers and in complexity; the preference for platform-centric offerings over point products; and the evolution of data protection into cyber resilience.

This announcement from Microsoft touches on all of those, in some way, shape, or form.

SIEM deployments have long been growing overly costly and complex, especially as the volume of data they are attempting to ingest for exploration, spanning real-time detection and response as well as longer-term compliance and threat hunting use cases, continues to grow. Customers will still have to be strategic with the data that they retain, but the introduction of Microsoft’s lower-cost, retention-oriented Microsoft Sentinel Data Lake is a notable step towards addressing the cost-retention tradeoffs that are a critical risk, as today’s sprawling attack surfaces and sophisticated, fast-changing threat vectors require blind spots to be eliminated.

At the same time, it portends the possibility of a centralized data lake for AI-enriched threat context and response. When married with the flexibility of being built on open formats (e.g., Kusto tables, Apache Spark, Python notebooks), this will likely improve security teams’ ability to use AI agents for security, in turn bolstering their ability to protect against fast-moving, difficult-to-detect AI-driven attacks. Examples include improving the ability to correlate cross-log patterns and initiate a response in near real time. Naturally, visibility, context, and response will be further improved by integrating Defender Threat Intelligence directly into Sentinel and Defender XDR.

The bottom line? The announcement positions Sentinel from a more rigid and expensive silo into a more flexible and comprehensive platform that is more cost-efficient and better able to detect and respond to emerging threats. It will be especially appealing for large enterprises, MDR service providers, and organizations in compliance-heavy environments looking to scale their SOC capabilities and increase the nimbleness of their security teams while addressing the need for cost optimizations.

What to Watch:

  • Have we as an industry arrived at a repeatable pattern with data lakes and integrated threat intel? It’s a common technology evolutionary pattern that as things become more stable, they become foundational for higher-value capabilities. This announcement ties into a raft of other offerings, signalling a possible consensus on what modern security operations will look like.
  • Will customer uptake patterns of new functionality match Microsoft’s expectations? While Microsoft is making the case for unification on its data lake, customers need to account for numerous constraints to this integration, above and beyond cost.
  • How will this set of capabilities affect the deployment of more agentic AI-type workloads? While this is a key proposed benefit of the new offering, many customers are at different stages of maturity in adopting agentic AI workflows. They may have other needs related to the underlying data.
  • What will the competitive response look like? Microsoft competes on multiple fronts and many of its competitors also propose similar approaches, from AWS and Google, through Cisco, Elastic, DataDog, to security platform vendors including Palo Alto Networks, CrowdStrike, SentinelOne, and others.

See the complete press release on Microsoft’s website.

Disclosure: Futurum is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum as a whole.

Other insights from Futurum:

Azure Kubernetes Services (AKS) Powers AI Workloads And Addresses Complexity

Microsoft Q3 FY 2025 Earnings Beat on Strong Cloud and AI Services Growth

Microsoft Embraces the Development Community on the Path to Agentic AI

Author Information

Krista Case brings over 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.

Fernando Montenegro serves as the Vice President & Practice Lead for Cybersecurity & Resilience at The Futurum Group. In this role, he leads the development and execution of the Cybersecurity research agenda, working closely with the team to drive the practice's growth. His research focuses on addressing critical topics in modern cybersecurity. These include the multifaceted role of AI in cybersecurity, strategies for managing an ever-expanding attack surface, and the evolution of cybersecurity architectures toward more platform-oriented solutions.

Before joining The Futurum Group, Fernando held senior industry analyst roles at Omdia, S&P Global, and 451 Research. His career also includes diverse roles in customer support, security, IT operations, professional services, and sales engineering. He has worked with pioneering Internet Service Providers, established security vendors, and startups across North and South America.

Fernando holds a Bachelor’s degree in Computer Science from Universidade Federal do Rio Grande do Sul in Brazil and various industry certifications. Although he is originally from Brazil, he has been based in Toronto, Canada, for many years.

Related Insights
ServiceNow and Accenture Bet on Migration to Win Enterprise Risk
July 7, 2026

ServiceNow and Accenture Bet on Migration to Win Enterprise Risk

Fernando Montenegro, VP at The Futurum Group, examines the ServiceNow and Accenture cybersecurity offering, and why its AI-powered migration and the Armis acquisition point to a bid to become the...
Compliance as Code Is No Longer Optional: Why Manual Reviews Can’t Keep Up
July 4, 2026

Compliance as Code Is No Longer Optional: Why Manual Reviews Can’t Keep Up

Qodo's 'Compliance as Code' framework automates enterprise AI compliance through PR checks, solving the data privacy and security gaps that plague manual reviews at scale....
Brave's Browser Containers Raise the Bar for Privacy and Workflow Flexibility
July 3, 2026

Brave’s Browser Containers Raise the Bar for Privacy and Workflow Flexibility

As AI platform adoption accelerates to $181.3B projected market size, Brave's v1.92 release introduces native browser containers addressing data privacy concerns for 52.6% of enterprise decision makers managing multi-cloud AI...
The Hard(er) Challenge in Agent Governance Is Authorization
June 25, 2026

The Hard(er) Challenge in Agent Governance Is Authorization

Fernando Montenegro, VP at Futurum Group, argues that the launch of the Agent Control Standard does not close the agent governance gap, and that "shrinkage," not universal coverage, is the...
Can Cisco Widen Splunk’s Agentic SOC Capabilities With WideField
June 25, 2026

Can Cisco Widen Splunk’s Agentic SOC Capabilities With WideField?

Fernando Montenegro, VP at Futurum, examines Cisco's planned acquisition of WideField Security and how deeper identity and session intelligence could strengthen Agentic SOC capabilities as enterprises deploy more AI agents...
HPE Discover 2026: A Coherent AI Story That Now Has to Convert
June 24, 2026

HPE Discover 2026: A Coherent AI Story That Now Has to Convert

Fernando Montenegro and Tom Hollingsworth analyze HPE Discover 2026, where HPE built a networking-centered, full-stack AI story and now must convert that breadth into spending momentum and a security story...

Book a Demo

Welcome

The vision behind everything in Futurum’s Custom Research practice is this: research should show you what is happening, what comes next, and what to do about it. It should be personal to each audience, easy for people to grasp, and structured so LLMs can reason over it accurately. And it should be fast and turnkey; you want answers now, not another project to carry for quarters.

Whether you are defining business, channel, or go-to-market strategy; evaluating vendors or justifying ROI; or commissioning research to fill an emerging market need, we have your back, with a program that answers your questions with the objectivity and credibility to drive real decisions.

To do it, we bring unmatched data to bear: Futurum research, surveys, and market projections; validated market feeds; ETR’s 15 years of insight from 10,000 technology decision-makers; G2’s buyer and user data; and what our analysts hear every day. Add leading primary collection, from AI-moderated voice interviews to surveys and analyst-led interviews, all turnkey, and every project comes out credible, nuanced, and actionable.

And we don’t just drop the results in your lap. For internal work, we provide analyst-led sessions, interactive dashboards, and a range of formats. For market-facing work, Futurum delivers turnkey activation and amplification that actually gets seen, by people and by LLMs, through our media and share of voice. This is research that moves decisions and markets.

We will meet you wherever you are, from a fast-turn brief to a multi-year program, and shape the work to your goals, timeline, and budget. The right program for your moment.

If any of this is useful, I would love to talk.

Benjamin Brown, VP Custom Research, Futurum Research

Benjamin Brown

VP, Custom Research · The Futurum Group

Newsletter Sign-up Form

Get important insights straight to your inbox, receive first looks at eBooks, exclusive event invitations, custom content, and more. We promise not to spam you or sell your name to anyone. You can always unsubscribe at any time.

All fields are required






Thank you, we received your request, a member of our team will be in contact with you.