Microsoft Sentinel Goes Agentic AI: Data Lake, Graph, and MCP Server

Microsoft’s latest expansion of Microsoft Sentinel pivots the product from a cloud-native SIEM into what the company calls an agentic security platform, combining a unified security data lake, graph-driven context, and a Model Context Protocol (MCP) server to power AI agents and no-code Security Copilot workflows — a move designed to centralize telemetry, speed investigations, and let agents act across both Microsoft and third‑party tools.

Background​

Microsoft announced general availability of the Sentinel data lake on September 30, 2025, together with the public preview of a Sentinel graph and a Sentinel Model Context Protocol (MCP) Server. These components are explicitly positioned to enable agentic AI: models and agents that reason over long-lived telemetry, traverse contextual relationships (via a graph), and call out to actions through a standardized MCP layer.
The announcement expands a trajectory that began when Microsoft introduced Security Copilot and earlier Sentinel enhancements. The company frames this as an answer to two structural problems confronting modern SOCs: exploding telemetry volumes and fractured toolchains that force analysts to stitch context together across many consoles. Microsoft argues that by consolidating signals and adding agent orchestration, teams can discover patterns faster and automate repetitive tasks — at machine speed.

---

What changed — a high-level overview​

• Sentinel data lake (GA): a centralized repository for structured and semi‑structured security telemetry, designed to retain large volumes of raw logs affordably while allowing multiple analytics engines to operate on a single copy of the data.
• Sentinel graph (public preview): a graph layer that maps relationships between identities, devices, files, alerts, and other entities to make attack-path reasoning explicit and indexable for agents.
• Sentinel MCP Server (public preview): a tenant-side server exposing contextualized data and tool APIs using a Model Context Protocol, enabling cross-platform agent orchestration and standardized access to Sentinel data.
• Security Copilot agent builder & Security Store: no-code and developer-centric agent creation paths, plus a new Microsoft Security Store to publish, discover, and acquire Security Copilot agents — including partner-built agents from vendors like Accenture, OneTrust, Zscaler, BlueVoyant, and others.

Those elements together are meant to position Sentinel as a single point to ingest signals, unify context, and orchestrate agentic actions across a heterogeneous security stack. The approach emphasizes openness to third‑party tools rather than a Microsoft‑only silo.

---

The Sentinel data lake: architecture, purpose, and implications​

Why a lake matters for modern SecOps​

Traditional SIEMs force tradeoffs: keep costly analytics indexes for a short window or store raw telemetry at scale and pay to re‑ingest for deep hunts. The Sentinel data lake explicitly separates storage from indexing: it stores raw and processed telemetry in an open format (Delta Parquet) and lets multiple analytics engines — Kusto, Spark, ML tooling — run on that single store. This lowers the cost of long‑term retention and enables retrospective investigations that span months or years without re‑ingestion.
Key benefits Microsoft highlights:

• Longer forensic retention without duplicative storage.
• Multi‑engine analytics on a single copy of data to support both low‑latency detection and heavy historical analysis.
• Vectorized + semantic access to make telemetry consumable by LLMs and agents.

Practical tradeoffs and operational needs​

A data lake reduces duplication but also concentrates risk and responsibility. Storing extended telemetry introduces compliance and privacy considerations (data residency, PII handling, retention policies), and raises the bar for operational SLAs, access control, and cost forecasting.
Enterprises should plan for:

• Clear retention and pseudonymization rules mapped to regulatory requirements.
• Least‑privilege, time‑bound access for agents and service principals.
• Cost models and query governance to avoid runaway analytics queries.

These are not theoretical concerns; the migration from analytics tables to a lake changes where and how security controls must be applied.

---

Sentinel graph and MCP Server: giving agents context and standards​

Graph-first security context​

A graph model makes relationships explicit: user → device → process → file → network connection → alert. That visibility is crucial for tracing lateral movement and scoring impact across assets. Microsoft’s graph is designed to enrich existing alerts rather than replace per‑tool workflows, providing an at‑a‑glance way for agents and analysts to follow attack paths.
Advantages for SOC workflows:

• Rapid attack-path analysis without ad‑hoc joins across consoles.
• Better prioritization: graph signals help rank incidents by potential blast radius.
• Reusable entity relationships for automated playbooks and agent reasoning.

The Model Context Protocol (MCP) Server​

The MCP Server is notable because it attempts to standardize how an agent gains contextual data and interacts with platform APIs. By exposing a consistent protocol, Microsoft aims to make it straightforward for agents — whether built in Security Copilot or authored in VS Code with GitHub Copilot — to query the Sentinel data lake and graph, and to submit actions.
This is important for two reasons:

• Interoperability — MCP encourages a common interface so partner agents can operate in a tenant without bespoke connectors for every vendor.
• Local control — deploying the MCP Server tenant‑side keeps control over contextual data flows and helps satisfy compliance constraints that customers worry about with cloud‑hosted agents.

---

Building agents: Security Copilot, no-code experiences, and developer paths​

No-code and low-code agent creation​

Security Copilot now includes a no-code agent builder that allows analysts to describe tasks in natural language and produce agent workflows that can be optimized and published into Security Copilot workspaces. This democratizes agent creation for teams without dedicated engineering bandwidth.
Key capabilities:

• Natural‑language description to define agent intent.
• Built‑in optimization and test flows.
• Integration hooks to existing workflows and approval channels.

Pro‑developer workflows​

For engineers, Microsoft supports coding agents in development environments like VS Code using GitHub Copilot assistance. Agents built in code can target the MCP Server for runtime context and can be packaged for distribution via the Security Store. This dual track — analyst-friendly no‑code and developer‑centric pro‑code — gives organizations flexibility to scale agent automation.

Market distribution: Microsoft Security Store​

The Security Store acts as an app‑store style marketplace for security agents and SaaS solutions that integrate with Microsoft’s stack. Microsoft, and a broad set of partners (e.g., Accenture, BlueVoyant, OneTrust, Zscaler, and others cited by Microsoft and press coverage), can publish agents and solutions that customers can discover and deploy through guided flows. This simplifies procurement and reduces manual configuration overhead for customers.

---

Cross‑verifying key claims (what is verifiable and what should be flagged)​

• Microsoft’s GA of the Sentinel data lake on September 30, 2025, and public preview of the Sentinel graph and MCP Server are confirmed in Microsoft’s security blog and Tech Community posts.
• The Availability of a no‑code Security Copilot agent builder and the Security Store launch are corroborated by independent press coverage.
• Microsoft’s statements about the scale of telemetry they process use different numbers in different contexts (65 trillion, 78 trillion, 84 trillion signals per day appear across Microsoft messaging and external reporting). These figures are marketing metrics that have changed over time and should be treated as approximate indicators of scale rather than precise, auditable metrics. Presentations by Microsoft executives and Microsoft blogs show the number varying by year and product context; therefore, treat the specific trillion‑scale claims as timebound marketing figures rather than fixed technical guarantees.

Flagged claim: the oft‑repeated “84 trillion signals daily” line appears in press reporting from events and executive talks; Microsoft’s own materials have historically reported similar but different numbers (e.g., 65T, 78T). Use caution when relying on a single absolute number — verify the date and the exact scope (which telemetry sources are included) with Microsoft if precise contractual or compliance thresholds depend on it.

---

Strengths — what Microsoft is getting right​

• Unified telemetry and scale: providing a data lake plus analytics layers addresses a genuine pain point: cost‑efficient long-term retention and cross‑timeframe threat hunting. This is one of the most practical platform moves for SOCs with fragmented logs.
• Contextual graphing: attack-path tracing and entity relationships are core to modern detection — making them first‑class objects for both analysts and agents accelerates triage and prioritization.
• Lower barrier to automation: no‑code agent creation democratizes automation and reduces backlog pressure on lean security teams. The combination of no‑code and pro‑code paths is pragmatic.
• Partner ecosystem and distribution: the Security Store and MCP standard promote a partner ecosystem that can scale agent availability beyond Microsoft’s in‑house offerings. This reduces integration friction for third‑party vendors.

---

Risks and caveats — where organizations should be cautious​

• Governance and automation sprawl: enabling easy agent creation increases the risk of conflicting automations, runaway scripts, and uncontrolled remediation actions. Without versioning, change control, and safe “dry run” modes, automation can amplify mistakes. Operational guardrails are essential.
• Expanded attack surface: agentic automation often requires deep permissions across identity, endpoint, and cloud management planes. If service principals or connectors are misconfigured, agents become a high‑impact vector for attackers. Emphasize least‑privilege, just‑in‑time approvals, and audit trails.
• Data residency and privacy: a centralized data lake that ingests HR, endpoint, and cloud telemetry will raise compliance questions in regulated industries. Customers must map what telemetry flows into the lake and apply appropriate pseudonymization and retention policies.
• Overreliance on vendor metrics: vendor claims (reduced false positives, analyst time savings, MTTR improvements) are directional. Every environment is unique; run pilots and measure real outcomes before wide rollout.

---

Practical checklist for adoption (recommended steps)​

• Inventory current telemetry and integrations: identify which connectors will route data to the Sentinel data lake.
• Define pilot scenarios: choose low‑risk, high‑value workflows (alert enrichment, suspicious sign‑in triage) to validate agent behavior in dry‑run mode.
• Establish governance: name conventions, review boards, approval thresholds, and rollback processes for agents.
• Apply least‑privilege and JIT approvals: limit what each agent or connector can do, require multi‑party approval for high‑impact actions.
• Monitor and measure: track MTTR, analyst time saved, false positive rates, and automation incidents.
• Compliance mapping: document what data lands in the lake, retention windows, and cross‑border flows; update privacy impact assessments.

---

Market and competitive implications​

Microsoft’s push aligns product strategy to the emerging category often called agentic security automation — a hybrid of SOAR, small autonomous agents, and AI copilots. By integrating a data lake, graph, MCP Server, agent builder, and store, Microsoft is trying to own the orchestration layer that connects telemetry, context, and action.
For customers already invested in Microsoft’s security stack, this is compelling: integrated procurement, guided deployments, and native connections to Defender, Purview, and Entra reduce friction. For customers with multi‑cloud heterogeneity, Microsoft’s emphasis on openness and partner agents signals an intent to play nicely with non‑Microsoft tools, but integration parity should be validated in pilots.
Competitors will respond by expanding their own agent frameworks, data fabrics, and partner stores. Expect a burst of partner integrations and marketplace offerings focused on agent packages and prebuilt playbooks targeted at common SOC pain points.

---

What security teams should watch next​

• Agent lifecycle controls: how Microsoft and partners implement versioning, rollback, immutable audit logs, and adversarial testing for agents. These capabilities will determine how safely organizations can scale automation.
• Third‑party connector parity: ensure critical SaaS, IAM, and cloud logs are fully supported in the data lake; some connectors and unified support are still maturing.
• Pricing and cost governance: lake storage, vectorization, and query processing introduce new metering — validate cost models before large‑scale ingestion.
• Independent benchmarks and case studies: watch for real‑world POCs and MSSP case studies that quantify MTTR improvements and governance outcomes. These are more reliable than vendor promises.

---

Conclusion​

Microsoft’s agentic infusion into Sentinel is a decisive and pragmatic step: the combination of a Sentinel data lake, graph context, and an MCP Server gives security teams a unified substrate for long‑term telemetry, contextual analysis, and agentic automation. The addition of a no‑code Security Copilot agent builder and a Security Store democratizes automation and accelerates partner-driven innovation. Together, these changes materially reduce the friction of cross‑tool investigations and open the door to higher‑velocity, context‑aware remediation.
At the same time, the shift raises operational and governance requirements: data residency controls, lifecycle management for agents, least‑privilege access patterns, and cost governance cannot be afterthoughts. Numbers quoted about “tens of trillions” of signals illustrate Microsoft’s scale, but those figures have varied over time and should be treated as marketing metrics rather than immutable facts. Enterprise teams that pair careful pilots and strong governance with Microsoft’s new tooling stand to gain meaningful detection and productivity improvements; those that rush to automate without guardrails risk amplifying both mistakes and exposures.
Microsoft has placed Sentinel at the center of its security platform strategy — making it the default place to aggregate signals, describe context, and orchestrate agents across a mixed toolset. The net effect will depend on how well customers and partners operationalize governance and measurement as agentic AI moves from promise to production.

---

Source: Cloud Wars With Agentic AI Infusion, Microsoft Positions Sentinel as Unifying Security Platform