2025 has been a big year in the Microsoft Sentinel world. Microsoft has pushed Sentinel beyond its roots as a cloud-native SIEM into a central, AI-driven security operations platform tightly integrated with Defender XDR and Security Copilot.
Let's have a quick look at some of the advancements made this year in this space.
Agentic AI-Led Defense
The single biggest announcement in 2025 is that Sentinel is now explicitly positioned as both a SIEM and a platform for agentic, AI-led defense.
Microsoft’s September update describes Sentinel as the place to unify security data, context, and AI agents so organizations can move away from fragmented tools and purely rule‑based detection.
Key themes in this shift:
- Sentinel is being positioned as the data + orchestration layer that connects across Microsoft’s wider security stack, not just “Azure logs in a SIEM.”
- The direction is clearly towards agentic AI, meaning systems that can reason over telemetry and entity relationships, then drive investigations and response using consistent actions and workflows.
Sentinel Data Lake: cheaper, smarter security storage
One of the headline capabilities this year is the Microsoft Sentinel Data Lake, which reached general availability in late 2025.
The goal is straightforward: give customers a scalable, cost‑effective security data lake that can power both real‑time detections and deep historical investigations without duplicating storage across products.
At a high level, the data lake brings:
- Centralized, cloud‑scale storage for security telemetry from Microsoft and third‑party sources, with a focus on long retention and lower cost.
- A single copy of data that different analytics engines (Sentinel, Defender XDR, AI models) can query for detection, hunting, and forensics.
For SOC and platform teams, this starts to reduce the pain of fragmented log stores and duplicated ingestion into multiple tools, which has historically driven both complexity and cost.
Sentinel Graph and MCP: context for AI agents
To make AI truly useful in security operations, Microsoft introduced two important building blocks alongside the data lake: Sentinel Graph and a Model Context Protocol (MCP) server, both in public preview.
- Sentinel Graph models relationships between entities (users, devices, identities, processes, network connections, alerts) to expose attack paths and blast radius.
- The MCP server gives AI agents (including Security Copilot) a standardized way to access data, context, and actions across Sentinel and integrated tools. Because it exposes actions as well as data, the identity an agent runs as should be scoped with the same least-privilege care as any automation account.
Practically, this enables scenarios like:
- AI agents automatically traversing an incident graph to understand lateral movement and affected assets in seconds rather than hours.
- No‑code Security Copilot “agents” that analysts can configure to investigate patterns, pull context from Sentinel, and trigger remediation through playbooks.
From a 10,000‑foot view, Sentinel is becoming the substrate where AI and automation understand your environment, not just the place where logs land.
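To make the "traverse the incident graph to find lateral movement and blast radius" idea concrete, here is a small added illustration in Python. It is a toy entity graph written for this post, not Sentinel Graph's schema, API or code; the entity names, relations and the traversal rules (an attacker who owns a device can harvest any account that signed in to it) are assumptions, and the edge list is constructed sample data rather than real telemetry.

```python
"""Added illustration of how an entity-relationship graph exposes lateral movement
and blast radius. Toy model only; not Sentinel Graph's schema, API or code."""
from collections import defaultdict, deque

# Constructed sample relationships (not real telemetry). Node ids are "type:name".
# Each edge is (source, relation, target).
EDGES = [
    ("alert:phish-01", "targets", "user:alice"),            # the triggering alert
    ("user:alice", "signed_in", "device:LAPTOP-01"),
    ("user:alice", "signed_in", "device:PRINTER-01"),
    ("device:LAPTOP-01", "connected_to", "device:FILESRV-01"),
    ("user:svc-backup", "signed_in", "device:FILESRV-01"),  # service account used on file server
    ("user:svc-backup", "signed_in", "device:DC-01"),       # same account also reaches a DC
    ("device:DC-01", "hosts", "identity:domain-admins"),
    ("user:bob", "signed_in", "device:WS-07"),              # unrelated; must stay out of scope
]


def build_graph(edges):
    """Forward and reverse adjacency lists keyed by node id."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, rel, dst in edges:
        fwd[src].append((rel, dst))
        rev[dst].append((rel, src))
    return fwd, rev


def neighbours(node, fwd, rev):
    """Edges an attacker could plausibly follow from `node` (assumed traversal rules).

    Forward edges are always followed. For a device, any account that signed in
    to it is treated as exposed (credential theft), so it is reachable too.
    """
    out = list(fwd.get(node, []))
    if node.startswith("device:"):
        for rel, src in rev.get(node, []):
            if rel == "signed_in":
                out.append(("credential_exposed_on", src))
    return out


def blast_radius(start, edges):
    """Breadth-first traversal from `start`; returns {node: (parent, relation) | None}."""
    fwd, rev = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in neighbours(node, fwd, rev):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return parent


def attack_path(parent, target):
    """Shortest path from the traversal root to `target` as (src, relation, dst) hops."""
    if target not in parent:
        return None
    hops, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        hops.append((prev, rel, node))
        node = prev
    return list(reversed(hops))


def affected(parent, entity_type):
    """Reachable entities of one type, e.g. every device inside the blast radius."""
    return sorted(n for n in parent if n.startswith(entity_type + ":"))


if __name__ == "__main__":
    reach = blast_radius("alert:phish-01", EDGES)
    print("affected devices:", affected(reach, "device"))
    for src, rel, dst in attack_path(reach, "identity:domain-admins"):
        print(f"  {src} --{rel}--> {dst}")
```

Run as a script it prints the four devices inside the blast radius and the six-hop path from the phishing alert to the domain-admins group; the interesting hop is the credential exposure on the file server, which is exactly the kind of relationship a flat alert list hides and a graph makes obvious. Nothing here is Sentinel-specific: the value is in modelling sign-ins and connections as edges so that "what else can this incident reach" becomes a graph query.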
Unified Security Operations Platform with Defender XDR
Another big 2025 theme is convergence: Sentinel is moving out of the Azure portal and into a unified security operations platform alongside Microsoft Defender XDR and Security Copilot.
Key aspects of this unified experience:
- Sentinel workspaces and incidents are surfacing directly inside the Microsoft Defender portal, and Microsoft has announced that from July 2026 Sentinel will be available only there, so the remaining Azure portal experience is on a fixed retirement path.
- Incidents from Defender XDR and Sentinel are correlated and managed in a shared view, with unified hunting, threat intelligence, and automation.
A few highlights from the 2025 “What’s new” feed:
- Improved threat intelligence management with ingestion rules, updated UI, and support for more STIX objects, plus GA of Defender Threat Intelligence data connectors.
- Matching analytics rules GA, new threat intelligence hunting tables, and enhanced UEBA to better catch anomalies in user and entity behavior.
- Ongoing SOC optimization and content hub enhancements, including more granular solution content and better coverage management views in the unified platform.
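The threat intelligence items above (STIX object support, ingestion rules, matching analytics) all come down to one mechanic: indicators arrive as STIX objects with a pattern and a validity window, and a matcher compares active indicators against log fields. The following added Python example is a toy version of that flow, written for this post and not Sentinel's matching-analytics engine or any Microsoft API. The STIX bundle, indicator ids, log rows and the mapping from STIX object paths to log columns are all constructed assumptions; it only handles single bracketed patterns joined by OR, and deliberately skips revoked, expired and unsupported indicators so that stale intelligence cannot fire.

```python
"""Added toy indicator matcher: parse simple STIX 2.1 indicator patterns and match
active indicators against log events. Not Sentinel's matching-analytics engine."""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle (ids, values and dates invented; RFC 5737 test addresses).
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--1a2b3c4d-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--1a2b3c4d-0001-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '198.51.100.23']", "pattern_type": "stix",
         "valid_from": "2025-10-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--1a2b3c4d-0002-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'update-check.example' OR domain-name:value = 'cdn-sync.example']",
         "pattern_type": "stix", "valid_from": "2025-10-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--1a2b3c4d-0003-4000-8000-000000000003",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "pattern_type": "stix", "valid_from": "2025-09-01T00:00:00Z",
         "valid_until": "2025-11-01T00:00:00Z"},            # expired: must not fire
        {"type": "indicator", "id": "indicator--1a2b3c4d-0004-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '203.0.113.5']", "pattern_type": "stix",
         "valid_from": "2025-10-01T00:00:00Z", "revoked": True},  # revoked: must not fire
        {"type": "indicator", "id": "indicator--1a2b3c4d-0005-4000-8000-000000000005",
         "pattern": "[ipv4-addr:value = '203.0.113.9' AND network-traffic:dst_port = 4444]",
         "pattern_type": "stix", "valid_from": "2025-10-01T00:00:00Z"},  # unsupported here
        {"type": "malware", "id": "malware--1a2b3c4d-0006-4000-8000-000000000006",
         "name": "ExampleLoader", "is_family": True},       # non-indicator object, ignored
    ],
})

# Assumed log schema: which columns each STIX object path is compared against.
FIELD_MAP = {
    "ipv4-addr:value": ("RemoteIP", "SourceIP"),
    "domain-name:value": ("RemoteDomain",),
    "file:hashes.'SHA-256'": ("SHA256",),
}
COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_pattern(pattern):
    """Return [(object_path, value), ...] for one bracketed expression of OR'd equalities."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("only a single observation expression is supported")
    body = body[1:-1]
    if " AND " in body or " NOT " in body or "FOLLOWEDBY" in body:
        raise ValueError("operator not supported by this toy matcher")
    comparisons = []
    for term in body.split(" OR "):
        match = COMPARISON.fullmatch(term.strip())
        if not match:
            raise ValueError(f"cannot parse comparison {term!r}")
        comparisons.append((match.group(1), match.group(2)))
    return comparisons


def active_indicators(bundle_json, now):
    """Indicators that are not revoked and whose validity window contains `now`."""
    active = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if _ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue
        active.append(obj)
    return active


def match_events(bundle_json, events, now):
    """Return (matches, skipped). matches: (indicator_id, event_index, field, value)."""
    matches, skipped = [], []
    for ind in active_indicators(bundle_json, now):
        try:
            comparisons = parse_pattern(ind["pattern"])
        except ValueError:
            skipped.append(ind["id"])  # surface unsupported patterns instead of silently dropping
            continue
        for idx, event in enumerate(events):
            for path, value in comparisons:
                for field in FIELD_MAP.get(path, ()):
                    if str(event.get(field, "")).lower() == value.lower():
                        matches.append((ind["id"], idx, field, value))
    return matches, skipped


EVENTS = [  # constructed log rows
    {"DeviceName": "LAPTOP-01", "RemoteIP": "198.51.100.23", "RemoteDomain": "update-check.example"},
    {"DeviceName": "WS-07", "RemoteIP": "203.0.113.5",
     "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"DeviceName": "FILESRV-01", "RemoteIP": "10.0.0.8", "RemoteDomain": "intranet.corp.example"},
]
NOW = datetime(2025, 11, 20, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    found, unsupported = match_events(STIX_BUNDLE, EVENTS, NOW)
    for indicator_id, idx, field, value in found:
        print(f"{indicator_id} hit event {idx} ({EVENTS[idx]['DeviceName']}) on {field}={value}")
    print("skipped (unsupported pattern):", unsupported)
```

With the sample data only the LAPTOP-01 row produces hits, one on the IP indicator and one on the domain indicator. The WS-07 row touches two indicators but fires nothing, because the hash indicator has passed its valid_until and the IP indicator is revoked; that filtering is the part worth copying when building or tuning any indicator-matching rule, since stale or withdrawn indicators are a common source of false positives. The unsupported AND pattern is reported rather than silently ignored, so coverage gaps stay visible.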