5 Big New Microsoft Updates For Sentinel, Agentic Security
‘We’re going through this transformation where [Sentinel is] and will always be a SIEM, but now it's a broader security platform,’ a Microsoft executive tells CRN.
Microsoft is unveiling an array of updates for its Sentinel and Security Copilot platforms aimed at enabling greater interconnectivity between security tools while accelerating the use of AI agents for cyber defense, Microsoft executives told CRN.
The announcements for Sentinel represent a major expansion of usefulness beyond its roots as a cloud-native SIEM (security information and event management) offering, according to Scott Woodgate, general manager for threat protection at Microsoft.
“We’re going through this transformation where [Sentinel is] and will always be a SIEM, but now it's a broader security platform,” Woodgate said in an interview.
On Tuesday, Microsoft announced updates including general availability for its Sentinel data lake and forthcoming features such as a new Sentinel graph capability and Sentinel Model Context Protocol (MCP) server.
Meanwhile, Microsoft also disclosed functionality in Security Copilot that provides users with a no-code approach to building security agents.
Ultimately, “we believe that in this agentic AI [transition], we have to secure agentic AI end-to-end. And that's where we are marching [toward],” said Vasu Jakkal, corporate vice president for security, compliance, identity, management and privacy at Microsoft, in an interview with CRN.
What follows are the key details on five new updates for Microsoft Sentinel and agentic security.
Sentinel Data Lake
Microsoft had unveiled its new Sentinel data lake offering in August, which is now generally available as of Tuesday, the company said.
Sentinel data lake provides “high-scale, low-cost storage — so now you can store all the security data you always wanted to store but couldn't afford,” Woodgate told CRN.
“That capability was also a foundational building block to moving into a platform — so you can store much more data that you wouldn't have stored in the past at a platform level,” he said.
The introduction of Sentinel data lake also underpins many of the other updates that Microsoft is now launching on the Sentinel platform as well as across the tech giant’s security portfolio, according to Woodgate.
Sentinel Graph
Microsoft announced Tuesday that it’s debuting its new Sentinel graph capability as a public preview, with the aim of delivering a more predictive approach to security, Woodgate said.
Sentinel graph “gives organizations visibility to all of the connections between people and systems [which] is essential to protecting the overall organization,” he said.
Crucially, the new Sentinel graph capability will connect to other Microsoft tools including Defender and Purview, making Sentinel “the backbone of everything we do” for security going forward, Jakkal said.
“For us to stay ahead [of attackers], defenders need to think and operate in graphs — and Sentinel just enables that,” she said.
Sentinel MCP Server
Microsoft is also rolling out its Sentinel MCP server as a public preview, integrating MCP as a part of the Sentinel backend infrastructure, the company said. MCP servers provide a way for agents to easily discover and use other tools and resources.
Thus, the addition of an MCP server to Sentinel makes the platform “agent-aware, so that agents can easily interact with all of the data in Sentinel,” Woodgate said.
As an example, if a security analyst wanted to gain greater understanding of a password spray attack that occurred, the MCP server could allow for pulling that data from Sentinel even in a separate tool, he said.
“You're now displaying data from Sentinel. But you're not in a SIEM here at all,” Woodgate said. “You're using it in a standalone tool. And you can extend this to any use case on the data that's now stored in Sentinel.”
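To make the analyst scenario above concrete, here is an added example that is not part of the CRN article and is not Microsoft's Sentinel MCP server: a toy MCP-style server written for this page, exposing one hypothetical tool (`summarize_failed_signins`, an invented name and schema) over JSON-RPC, and an agent that first discovers the tool with `tools/list` and then invokes it with `tools/call` (those two method names come from the MCP specification). The sign-in events are constructed sample data, and the detection logic is a simple defender-side password spray heuristic: one source IP failing against many distinct accounts inside a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Five different
# accounts fail from one source IP within a few minutes, which is the shape
# of a password spray; a single unrelated failure comes from another IP.
SIGNIN_EVENTS = [
    {"time": "2025-10-01T09:00:05Z", "user": "alice@example.com", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-10-01T09:00:41Z", "user": "bob@example.com", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-10-01T09:01:12Z", "user": "carol@example.com", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-10-01T09:01:50Z", "user": "dave@example.com", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-10-01T09:02:33Z", "user": "erin@example.com", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2025-10-01T09:02:59Z", "user": "erin@example.com", "ip": "203.0.113.7", "result": "success"},
    {"time": "2025-10-01T09:03:10Z", "user": "frank@example.com", "ip": "198.51.100.20", "result": "failure"},
    {"time": "2025-10-01T09:03:40Z", "user": "frank@example.com", "ip": "198.51.100.20", "result": "success"},
]


def spray_summary(events, window_minutes=10, min_distinct_users=5):
    """Group failed sign-ins by source IP and flag IPs that fail against at
    least `min_distinct_users` distinct accounts inside any `window_minutes`
    sliding window. Also records whether that IP later got a success."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            failures[e["ip"]].append((ts, e["user"]))
    flagged = []
    for ip, items in failures.items():
        items.sort()
        start, best = 0, set()
        for end in range(len(items)):
            # shrink the window from the left until it spans <= window_minutes
            while items[end][0] - items[start][0] > timedelta(minutes=window_minutes):
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_distinct_users:
            flagged.append({
                "ip": ip,
                "distinct_users": len(best),
                "users": sorted(best),
                "later_success": any(e["ip"] == ip and e["result"] == "success" for e in events),
            })
    return flagged


class ToySignInMcpServer:
    """Hypothetical MCP-style server exposing one tool over JSON-RPC.
    `tools/list` and `tools/call` are MCP spec method names; the tool name
    and input schema are invented for this example."""
    TOOLS = [{
        "name": "summarize_failed_signins",
        "description": "Flag source IPs failing against many distinct accounts",
        "inputSchema": {"type": "object", "properties": {
            "window_minutes": {"type": "integer"},
            "min_distinct_users": {"type": "integer"}}},
    }]

    def __init__(self, events):
        self.events = events

    def handle(self, request):
        method, rid = request.get("method"), request.get("id")
        if method == "tools/list":
            return {"jsonrpc": "2.0", "id": rid, "result": {"tools": self.TOOLS}}
        if method == "tools/call":
            params = request.get("params", {})
            if params.get("name") != "summarize_failed_signins":
                return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32602, "message": "unknown tool"}}
            args = params.get("arguments", {})
            hits = spray_summary(self.events, args.get("window_minutes", 10), args.get("min_distinct_users", 5))
            return {"jsonrpc": "2.0", "id": rid,
                    "result": {"content": [{"type": "text", "text": json.dumps(hits)}], "isError": False}}
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32601, "message": "method not found"}}


def discover_tool_names(server):
    """Agent step 1: ask the server which tools it offers."""
    resp = server.handle({"jsonrpc": "2.0", "id": 1, "method": "tools/list"})
    return [t["name"] for t in resp["result"]["tools"]]


def investigate_password_spray(server, window_minutes=10, min_distinct_users=5):
    """Agent step 2: call the discovered tool and parse its text payload.
    Returns the flagged IP list, or raises if the server reports an error."""
    if "summarize_failed_signins" not in discover_tool_names(server):
        raise RuntimeError("server does not expose the sign-in summary tool")
    resp = server.handle({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                          "params": {"name": "summarize_failed_signins",
                                     "arguments": {"window_minutes": window_minutes,
                                                   "min_distinct_users": min_distinct_users}}})
    if "error" in resp:
        raise RuntimeError(resp["error"]["message"])
    return json.loads(resp["result"]["content"][0]["text"])


if __name__ == "__main__":
    srv = ToySignInMcpServer(SIGNIN_EVENTS)
    print("tools:", discover_tool_names(srv))
    for hit in investigate_password_spray(srv):
        print(hit)
```

The point of the split is that the agent never touches the event store directly: it only sees what the server advertises and what the tool returns, which is why an MCP server is a natural place to enforce which data an agent may query. The `later_success` field is the detail an analyst would want surfaced, since a success from an IP that just failed against many accounts is the part of a spray worth triaging first.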
No-Code Agent Builder
Beyond Sentinel, Microsoft is also rolling out a new way to expand the use of agent-based security on its Security Copilot platform: a no-code agent builder for Security Copilot.
The no-code agent builder can enable partners and customers to create their own custom security agents using natural language, Woodgate said.
Key functionality includes the ability to automatically recognize the technical details the agent will need on the back end, including through pulling information from systems such as Sentinel and Purview, he said.
Meanwhile, Microsoft is also debuting its Security Store to allow for partners to offer security agents that they’ve built, according to the company.
‘Next Evolution’ Of Security Strategy
Overall, the expansion in capabilities for Sentinel and Security Copilot represents the “next evolution of our SIEM strategy” at Microsoft, Woodgate said.
Now a broader security platform than it was in the past, Sentinel offers greater interconnectivity with Microsoft tools including Entra, Purview and Defender, he noted. The data lake offering, meanwhile, can allow partners to build an application on Sentinel that is not tied to a SIEM use case, according to Woodgate.
The bottom line with the shift to agentic is that “agents need a security platform,” he said. “And we think it's just much easier for customers to move forward with what they already have, and add to that, than to start with something different.”