
Sentinel Roundup Apr 2026

April has been yet another busy month for Microsoft Sentinel. A lot of the updates are centred around the data lake, which is clearly where Microsoft is investing heavily right now. Here is a quick rundown of what landed this month.

Custom Graphs — Public Preview

Microsoft released custom graphs in Sentinel on April 1st. This is worth paying attention to.

The idea is that security data is inherently relational: a sign-in leads to a token, a token touches a workload, a workload accesses data. Tables are not great at representing that chain. Graphs are.

Custom graphs let you model relationships specific to your environment, then run analytics across them to surface things like:

  • Blast radius of a phishing campaign
  • Privilege escalation paths
  • Multi-step lateral movement chains

What makes this interesting is that one of Microsoft’s preview customers ingested Databricks management-plane telemetry, built a security graph, and surfaced overprivileged access without writing a single detection rule. The graph found the risk by analysing relationships, not alerts.
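As an added illustration of the relationship-driven analysis described above (this is example code, not code from the original post or from Microsoft), the following Python script builds a small directed graph from constructed identity and access telemetry and runs three of the queries the list mentions: blast radius from a phished user, escalation paths to a privileged target, and grants that a user holds but never exercised. Node names, relation names and every edge are made up for the example; the script is plain Python with no Sentinel dependency and shows the shape of the analysis, not the custom-graph API itself.

```python
from collections import defaultdict, deque

# Constructed sample telemetry: one edge per observed relationship,
# (source node, relation, destination node). All names are hypothetical.
EDGES = [
    ("user:alice", "signed-in", "session:s1"),
    ("session:s1", "issued-token", "token:t1"),
    ("token:t1", "used-by", "app:finance-api"),
    ("app:finance-api", "reads", "storage:payroll"),
    ("user:alice", "member-of", "group:devs"),
    ("group:devs", "contributor-on", "vm:build-01"),
    ("vm:build-01", "has-identity", "mi:build-01"),
    ("mi:build-01", "reads", "keyvault:prod-secrets"),
    ("keyvault:prod-secrets", "holds-cred", "sp:deployer"),
    ("sp:deployer", "owner-of", "subscription:prod"),
    ("user:bob", "signed-in", "session:s2"),
    ("session:s2", "issued-token", "token:t2"),
    ("token:t2", "used-by", "app:wiki"),
    ("user:bob", "contributor-on", "app:wiki"),
    ("user:bob", "owner-of", "storage:payroll"),  # static grant, never used
]

# Relations that represent observed activity versus static entitlements.
ACTIVITY_RELATIONS = {"signed-in", "issued-token", "used-by", "reads", "has-identity"}
GRANT_RELATIONS = {"owner-of", "contributor-on"}


def build_graph(edges):
    """Adjacency list: node -> list of (relation, neighbour)."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
        graph.setdefault(dst, [])  # sinks are nodes too
    return graph


def blast_radius(graph, start, relations=None):
    """Every node reachable from start (BFS); optionally follow only some relations."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if relations is not None and rel not in relations:
                continue
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def find_paths(graph, start, target, max_hops=8):
    """Simple paths from start to target, each a list of (node, relation, node) hops."""
    paths = []

    def dfs(node, path, visited):
        if node == target:
            paths.append(list(path))
            return
        if len(path) >= max_hops:
            return
        for rel, nxt in graph.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                path.append((node, rel, nxt))
                dfs(nxt, path, visited)
                path.pop()
                visited.discard(nxt)

    dfs(start, [], {start})
    return paths


def unused_grants(graph, users):
    """Grants (direct, or via one group hop) whose target the user never reached through activity edges."""
    findings = []
    for user in users:
        reached = blast_radius(graph, user, ACTIVITY_RELATIONS)
        grants = []
        for rel, dst in graph.get(user, []):
            if rel in GRANT_RELATIONS:
                grants.append((dst, "direct"))
            elif rel == "member-of":
                grants += [(d, dst) for r, d in graph.get(dst, []) if r in GRANT_RELATIONS]
        for resource, via in grants:
            if resource not in reached:
                findings.append((user, resource, via))
    return findings


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("blast radius of phished alice:", sorted(blast_radius(g, "user:alice")))
    for path in find_paths(g, "user:alice", "subscription:prod"):
        print("escalation path:", " -> ".join(f"{a} [{r}]" for a, r, _ in path) + " -> subscription:prod")
    print("grants with no observed use:", unused_grants(g, ["user:alice", "user:bob"]))
```

The last function is the point of the Databricks anecdote: no rule says "alert on owner-of", yet holding a grant to a resource that no observed activity path ever touches falls out of comparing two edge sets. In a real graph the activity window, group nesting depth and what counts as "use" all need tuning, and the edge set would come from the workspace's own tables rather than a literal list.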

Custom graph usage is billed against the Sentinel graph meter starting April 1st, so factor that in before enabling it broadly.

Data Federation — Public Preview

Data federation entered public preview on April 14th. This one solves a practical problem: not all security-relevant data ends up in Sentinel, and duplicating it just to run queries is expensive.

With data federation, you can query data in place from:

  • Microsoft Fabric
  • Azure Data Lake Storage Gen 2
  • Azure Databricks

None of it is copied. The data stays at the source, and you query it from Sentinel with KQL alongside your native Sentinel tables. Governance and data ownership stay with the source.

The use case is running threat hunts that span Sentinel-native telemetry and business or application data that you would never want to fully ingest. You can also use this to evaluate whether a dataset is worth ingesting before committing to the cost.

KQL Cost Controls on the Data Lake

A blog published April 15th covers enforcing cost limits on KQL queries and notebooks in the Sentinel data lake. If you have analysts running ad-hoc hunts across large datasets, this gives you a governance lever to prevent unexpected spend. Worth reviewing if you have already onboarded teams to the data lake.

KQL via API on the Data Lake

On the same day, Microsoft published guidance on running KQL queries against the Sentinel data lake using the API. This is useful if you are building automation or custom tooling on top of lake data rather than using the portal.

Unified RBAC for Sentinel — Available in April

Announced in preview in March, Unified RBAC (URBAC) for Sentinel became available this month. This extends the Defender Unified RBAC model to Sentinel, which means:

  • Sentinel permissions can now be managed directly in the Defender portal
  • Row-level scoping lets multiple teams share a workspace without seeing each other’s data
  • Assignments automatically include future data sources and workspaces as they are added

For MSSPs or large SOC teams running shared workspaces, this is a meaningful operational change. Previously you were mixing Azure RBAC with Entra ID roles and it was easy to end up with more access than intended.

Worth noting: if you ingest Defender data into Sentinel, row-level scoping from Sentinel does not propagate to that data. Keep that in mind when designing your access model.

Sentinel Training Lab

Microsoft released an open-source Sentinel Training Lab on April 22nd. One click deploys a fully functional workspace with:

  • Pre-recorded data from six security products
  • Detection rules that fire real incidents
  • Workbooks, watchlists, and playbooks

If you are onboarding new analysts or running internal training, this removes the effort of setting up a lab environment from scratch. It is available under the Azure/Azure-Sentinel repository on GitHub.

Data Wrangler for Data Lake Notebooks

On April 29th, Microsoft published a post on using the Data Wrangler extension in VS Code with Sentinel data lake notebooks. The data lake uses Apache Spark under the hood, and notebooks run in VS Code. Data Wrangler lets you visualise your dataset, apply transformations interactively, and generate the equivalent code, which is useful if you find yourself doing a lot of exploratory work before writing a hunt or analytics notebook.


Summary

Most of April’s updates are data lake focused. Custom graphs and data federation are the two worth looking at in more detail if you are not already using the data lake. The URBAC change is the one with the most immediate operational impact if you are running a shared workspace.

The pattern is consistent with where Sentinel has been heading since late 2025: less “logs in a SIEM” and more “analytics platform that happens to include a SIEM.”

This post is licensed under CC BY 4.0 by the author.