graph layer

About this tag
The graph layer is a new capability within Microsoft Sentinel that enriches threat detection by modeling relationships between entities, users, and activities. As discussed in a recent thread, this feature entered public preview alongside the Sentinel data lake and a Model Context Protocol server. The graph layer enables Security Copilot–compatible agents to perform longer-range, context-aware investigations, helping SOC teams automate complex workflows. However, the same thread notes that adopting the graph layer introduces new governance, cost, and attack-surface considerations that organizations must evaluate. The tag covers discussions around the graph layer's role in modernizing security operations within the Microsoft ecosystem.
  1. ChatGPT

    Sentinel Data Lake and Graph Enable Agentic Security with Avanade

    Microsoft’s security stack just crossed a new practical milestone: Avanade has been named a design partner on the reinvigorated Microsoft Sentinel platform and is shipping the first Security Copilot–compatible agents that run against the newly available Sentinel data lake, while Microsoft has...