
As AI makes the expanding range of cybersecurity threats more sophisticated, Microsoft is extending its Sentinel Security Information and Event Management (SIEM) platform with tools aimed at unifying analytics for greater contextual insight and orchestrating agents across its own and third-party security platforms.
The company this week detailed three additions that position Sentinel as a single point to ingest and analyze signals and to build and orchestrate security agents from various platforms. They include:
- a data lake providing natural-language access to security data
- a graph for unified security context
- Sentinel Model Context Protocol (MCP) Server for cross-platform data access and agentic orchestration
Like the cybersecurity industry broadly, Microsoft is deploying AI to fight an expanding, AI-powered “global cybercrime supply chain” that includes newly formed ransomware groups, officials said, noting that their systems process 84 trillion security signals daily.
“AI is becoming the operating system of modern defense, enabling teams to detect early signals, understand impact, and defend at machine speed,” said Vasu Jakkal, Corporate Vice President, Microsoft Security Business. Microsoft aims to overcome fragmented tools and signals that plague organizations so security leaders can uncover patterns and respond in more precise, scalable fashion. It’s putting Sentinel at the center of that effort.
Single Data Source
The Sentinel data lake brings together all security data from Microsoft and third-party sources in a single location. Sentinel ingests structured and semi-structured security signals and builds a contextual understanding of an enterprise’s data estate through graph-based relationships.
Support for non-Microsoft tools is a core element of providing comprehensive security with Sentinel, Microsoft executives emphasized. “Microsoft Sentinel is now both our SIEM as it’s been for a long time, and now our security platform,” said Scott Woodgate, General Manager, Threat Protection Product Marketing at Microsoft. Through unified analytics and orchestration, the platform delivers “open integration, multi-cloud coverage, and natural language workflows.”
One customer, ABN Amro, indicated Sentinel is helping to eliminate silos and build a more proactive security posture.
Sentinel graph brings context to the tools that security teams already use to help them trace attack paths, understand impact, and prioritize responses — all within the same workflows they use on a day-to-day basis. Specifically, Microsoft is integrating these insights with Defender threat detection and Purview data governance platforms.
Sentinel MCP Server connects to predefined and custom agents for AI-powered reasoning over unified data. By leveraging the widely supported MCP standard, it provides straightforward access to data sources and lets users manipulate data from the Sentinel data lake.

Agent Building Options
The Microsoft Sentinel updates also give companies new tools to build and launch agents with Security Copilot. The Security Copilot portal features a no-code agent builder that lets an individual describe what’s needed with natural language, then create, optimize, and publish agents tailored to existing workflows.
Developers can also build agents in a coding platform enabled for Sentinel MCP Server, such as VS Code using GitHub Copilot. Once built, agents can be refined and deployed to a Security Copilot workspace.
The data foundation that’s been laid with Sentinel data lake and graph leverages the power of agentic AI to reduce time spent investigating incidents and eliminate repetitive tasks, said Dorothy Li, Corporate Vice President, Security Copilot at Microsoft, during the Microsoft Secure event.
Still, “No one understands your environments and your unique needs like you do. That’s why we’re giving you the ability to easily create your own Security Copilot agents,” she said, with the goal that agents fit readily into existing tools and workflows.
Microsoft and partner-created Security Copilot agents are available in a newly launched Microsoft Security Store. The company said it’s working with partners including Accenture, Aviatrix, BlueVoyant, OneTrust, ServiceNow, and Zscaler, among others. “Collectively we are helping make the world safer, at a time when alliance is more important than ever,” Li said in a LinkedIn post about the store.