4 Sources
[1]
How Microsoft Sentinel is tackling the AI cybersecurity era
Microsoft is capitalizing on the industry's period of transition. The rise of AI is reshaping cybersecurity, presenting both new threats and new tools for mitigating them. Microsoft has been seizing this moment of transformation, aiming to become cybersecurity teams' go-to resource in the burgeoning AI era. In its latest step toward that goal, the tech giant announced Tuesday that it has upgraded Sentinel, a security information and event management (SIEM) platform designed to help cybersecurity professionals track and respond to threats. The platform is now more agentic, meaning it can take action autonomously without step-by-step human oversight. The first upgrade announced Tuesday concerns the approach Sentinel takes in responding to cyberthreats. According to Microsoft, the platform now operates on what the industry calls "graph-based" context. The graph here is the graph of graph theory, not a coordinate plot: the digital estate is modeled as nodes (users, devices, identities, data) joined by edges that encode their relationships, so that a threat that pops up in any one node can be assessed according to its connections to all the others. The path a threat took into a node, and the paths it could take onward from it, are walks over that same graph, which is what lets defenders trace an intrusion backwards into the past or project it forward. These graph-based abilities are specifically designed for Security Copilot agents, which Microsoft debuted in March.
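To make the graph idea concrete, here is a small added example in Python. It is my own illustration, not Sentinel Graph or any Microsoft code. It builds a toy estate of users, groups, hosts, services and secrets as a directed graph; for a node where an alert fired it walks the graph backwards (what could have reached it) and forwards (what it can reach), returns the shortest relationship chain to the most sensitive downstream asset, and ranks several alerts by that downstream impact. All entity names, relationship types and sensitivity weights are constructed for the example.

```python
"""Graph-based alert context, as an added illustration (not Sentinel Graph code).

Entities (users, groups, hosts, services, secrets, data) are nodes; the
relationships an attacker could traverse are directed edges. For a node where an
alert fired we compute what can reach it (possible origin), what it can reach
(blast radius), the shortest relationship chain to the most sensitive downstream
asset, and an impact score used to rank alerts.
"""
from collections import deque

# Constructed sample estate: (source, relationship, target). All names are hypothetical.
EDGES = [
    ("user:alice", "logged_on", "host:ws-01"),
    ("user:alice", "member_of", "group:helpdesk"),
    ("group:helpdesk", "admin_of", "host:ws-01"),
    ("group:helpdesk", "admin_of", "host:ws-02"),
    ("host:ws-02", "runs", "svc:backup-agent"),
    ("svc:backup-agent", "can_read", "secret:backup-cred"),
    ("secret:backup-cred", "admin_of", "host:dc-01"),
    ("host:dc-01", "hosts", "data:ad-database"),
    ("user:bob", "logged_on", "host:ws-03"),
]

# Hypothetical sensitivity weights; anything not listed scores 0.
SENSITIVITY = {"host:dc-01": 100, "data:ad-database": 100, "secret:backup-cred": 60}


def build_graph(edges):
    """Forward and reverse adjacency lists keyed by node."""
    fwd, rev = {}, {}
    for src, rel, dst in edges:
        fwd.setdefault(src, []).append((rel, dst))
        rev.setdefault(dst, []).append((rel, src))
    return fwd, rev


def bfs(adj, start):
    """Breadth-first search: {node: (hops, (parent, relationship))} for every reachable node."""
    tree = {start: (0, None)}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt not in tree:
                tree[nxt] = (tree[node][0] + 1, (node, rel))
                queue.append(nxt)
    return tree


def path_to(tree, target):
    """Rebuild the (src, relationship, dst) chain from the BFS root to target."""
    steps = []
    while tree[target][1] is not None:
        prev, rel = tree[target][1]
        steps.append((prev, rel, target))
        target = prev
    return steps[::-1]


def assess_alert(node, edges=EDGES):
    """Context for an alert on `node`: origin candidates, blast radius, impact, attack path."""
    fwd, rev = build_graph(edges)
    down, up = bfs(fwd, node), bfs(rev, node)
    blast = {n for n in down if n != node}
    # Most sensitive reachable asset, ties broken by fewest hops.
    target = max(blast, key=lambda n: (SENSITIVITY.get(n, 0), -down[n][0]), default=None)
    impact = SENSITIVITY.get(target, 0) if target else 0
    return {
        "node": node,
        "upstream": {n for n in up if n != node},
        "blast_radius": blast,
        "impact": impact,
        "attack_path": path_to(down, target) if impact else [],
    }


def prioritize(alert_nodes, edges=EDGES):
    """Rank alerts by downstream impact, highest first (stable for ties)."""
    return sorted((assess_alert(n, edges) for n in alert_nodes),
                  key=lambda a: a["impact"], reverse=True)


if __name__ == "__main__":
    for a in prioritize(["host:ws-03", "host:ws-02", "user:alice"]):
        print(f'{a["node"]}: impact {a["impact"]}, blast radius {len(a["blast_radius"])} nodes')
        for src, rel, dst in a["attack_path"]:
            print(f"    {src} --{rel}--> {dst}")
```

The point of the ranking is that an identical alert on two workstations gets different priority: the one whose group membership and service credentials chain through to a domain controller outranks the one that leads nowhere. A production graph is far larger and its edges come from identity, endpoint and cloud signals, but the traversal that produces "where could this have come from, what can it reach, and how much does that matter" is the same.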
"Building on Sentinel's graph-based context, Security Copilot agents can now reason more effectively across your environment -- correlating alerts, enriching context with relationships, prioritizing by impact, and automating common actions," Vasu Jakkal, Corporate Vice President of Microsoft Security, wrote in a company blog post. As is often the case with agentic AI systems, Jakkal positioned the newly upgraded Sentinel as a quick-fix solution for workers looking to automate routine workplace tasks so they can turn their attention to more fulfilling and challenging aspects of their jobs. Also: 96% of IT pros say AI agents are a security risk, but they're deploying them anyway "Work shifts from manual triage to agent-led workflows: agents orchestrate and automate routine tasks, while analysts review and approve outcomes -- focusing their time on strategic decisions and proactive threat hunts," he said. Microsoft also debuted the Sentinel Model Context Protocol (MCP) server, which allows custom agents built on Microsoft's Visual Studio (VS) Code or other code-editing platforms to be integrated into Sentinel. The company added that its Sentinel data lake -- an internal repository for the storage of structured and unstructured data, first launched in preview in July -- is now generally available. Microsoft is framing the newly upgraded Sentinel as more than just another AI product for cybersecurity teams: it's being portrayed effectively as part of a broader paradigm shift for the industry, one that can be characterized by an active and ongoing collaboration between humans and AI. Also: Why AI-powered security tools are your secret weapon against tomorrow's attacks "The advances announced today are the building blocks for a new generation of defense," Jakkal writes of the new upgrades to Sentinel. Other tech developers have been stepping up to help businesses navigate the novel data security and governance challenges posed by agents and other emerging AI tools. 
Meta, for example, recently teamed up with software company CrowdStrike to develop a set of benchmarks that enterprises can use to test the capabilities of various AI-powered cybersecurity tools.
[2]
Microsoft Expands Sentinel Into Agentic Security Platform With Unified Data Lake
Microsoft on Tuesday unveiled the expansion of its Sentinel security information and event management (SIEM) solution into a unified agentic platform with the general availability of the Sentinel data lake. In addition, the tech giant said it's also releasing a public preview of Sentinel Graph and Sentinel Model Context Protocol (MCP) server. "With graph-based context, semantic access, and agentic orchestration, Sentinel gives defenders a single platform to ingest signals, correlate across domains, and empower AI agents built in Security Copilot, VS Code using GitHub Copilot, or other developer platforms," Vasu Jakkal, corporate vice president at Microsoft Security, said in a post shared with The Hacker News. Microsoft released Sentinel data lake in public preview earlier this July as a purpose-built, cloud-native tool to ingest, manage, and analyze security data to provide better visibility and advanced analytics. With the data lake, the idea is to lay the foundation for an agentic defense by bringing together data from diverse sources and giving artificial intelligence (AI) models like Security Copilot the full context necessary to detect subtle patterns, correlate signals, and surface high-fidelity alerts. The shift, Redmond added, allows security teams to uncover attacker behavior, retroactively hunt over historical data, and trigger detections automatically based on the latest tradecraft. "Sentinel ingests signals, either structured or semi-structured, and builds a rich, contextual understanding of your digital estate through vectorized security data and graph-based relationships," Jakkal said. "By integrating these insights with Defender and Purview, Sentinel brings graph-powered context to the tools security teams already use, helping defenders trace attack paths, understand impact, and prioritize response -- all within familiar workflows."
Microsoft further noted that Sentinel organizes and enriches security data so as to detect issues faster and better respond to events at scale, shifting cybersecurity from "reactive to predictive." In addition, the company said users can build Security Copilot agents in a Sentinel MCP server-enabled coding platform, such as VS Code, using GitHub Copilot, that are tailored to their organizational workflows. The Windows maker has also emphasized the need for securing AI platforms and implementing guardrails to detect (cross-)prompt injection attacks, stating it intends to roll out new enhancements to Azure AI Foundry that incorporate more protection for AI agents against such risks.
[3]
Microsoft expands Sentinel and Copilot to secure AI-driven enterprises - SiliconANGLE
Microsoft Corp. today unveiled a set of security innovations designed to help enterprises defend in an era where artificial intelligence is both a tool and a target. Leading the list of announcements is a major expansion of Microsoft Sentinel, its cloud-native security operations platform, which is evolving from a cloud-native security information and event management system into a full-fledged AI-ready security platform built for speed, scale and continuous learning. The next evolution of Microsoft Sentinel sees the general availability of the Sentinel data lake and the public preview of the Sentinel graph and Sentinel Model Context Protocol server. The additions give defenders a unified system to ingest any signal, structured or unstructured, and correlate them across domains with graph-based context. This shift allows AI agents, including those in Microsoft Security Copilot, GitHub Copilot and other ecosystems, to reason, automate and act at enterprise scale. According to Microsoft, the combination transforms trillions of threat signals into actionable insights, compressing detection and response times that traditionally stretched for days. Microsoft also today introduced a no-code agent builder inside Security Copilot that allows teams to create custom security agents in minutes using natural language. The agents can be deployed in the Copilot portal, in Visual Studio Code, or in other environments via the Sentinel MCP server. Security Copilot agents launched in March; since then more than a dozen Copilot agents have been delivered, including ones for user-submitted phish triage, conditional access optimization and access reviews in Entra.
With graph-powered context from Sentinel, the agents can now correlate alerts, prioritize by impact and automate common workflows, reducing false positives and mean time to response. The Security Copilot agent experience is designed to integrate seamlessly into daily tools and workflows - whether embedded in the Microsoft Security products, partner-built, or custom-built for specific environments. Microsoft is also collaborating with Accenture plc, ServiceNow Inc. and Zscaler Inc. to expand the ecosystem while integrating Sentinel with Defender and Purview to give security teams end-to-end visibility. The announcements come after Microsoft last week announced new enhancements to Azure AI Foundry Content Safety that provide comprehensive protection for all AI agents across their lifecycle. The enhancements include agent task adherence guardrails which keep AI agents on task via real-time intervention, the ability to detect and block personally identifiable information and the inclusion of Spotlighting in cross-prompt injection attack protection which helps the model better distinguish between trusted and untrusted inputs. The new enhancements further help ensure that agents built in Azure AI Foundry do not introduce unnecessary risk to your organization. In addition to Content Safety, Microsoft is extending its "Security for AI" initiative to cover the entire lifecycle of enterprise AI. Recent updates include Entra Agent ID to help organizations discover and manage their agent estate, new controls to prevent data oversharing in custom-built AI apps and agents and advanced detection for prompt injection attacks targeting AI models and MCP servers. Together, the capabilities aim to ensure that AI systems remain governed and secure from development through deployment.
[4]
5 Big New Microsoft Updates For Sentinel, Agentic Security
'We're going through this transformation where [Sentinel is] and will always be a SIEM, but now it's a broader security platform,' a Microsoft executive tells CRN. Microsoft is unveiling an array of updates for its Sentinel and Security Copilot platforms aimed at enabling greater interconnectivity between security tools while accelerating the use of AI agents for cyber defense, Microsoft executives told CRN. The announcements for Sentinel represent a major expansion of usefulness beyond its roots as a cloud-native SIEM (security information and event management) offering, according to Scott Woodgate, general manager for threat protection at Microsoft. "We're going through this transformation where [Sentinel is] and will always be a SIEM, but now it's a broader security platform," Woodgate said in an interview. On Tuesday, Microsoft announced updates including general availability for its Sentinel data lake and forthcoming features such as a new Sentinel graph capability and Sentinel Model Context Protocol (MCP) server. Meanwhile, Microsoft also disclosed functionality in Security Copilot that provides users with a no-code approach to building security agents. Ultimately, "we believe that in this agentic AI [transition], we have to secure agentic AI end-to-end. And that's where we are marching [toward]," said Vasu Jakkal, corporate vice president for security, compliance, identity, management and privacy at Microsoft, in an interview with CRN. What follows are the key details on five new updates for Microsoft Sentinel and agentic security.
Sentinel Data Lake
Microsoft had unveiled its new Sentinel data lake offering in August, which is now generally available as of Tuesday, the company said. Sentinel data lake provides "high-scale, low-cost storage -- so now you can store all the security data you always wanted to store but couldn't afford," Woodgate told CRN.
"That capability was also a foundational building block to moving into a platform -- so you can store much more data that you wouldn't have stored in the past at a platform level," he said. The introduction of Sentinel data lake also underpins many of the other updates that Microsoft is now launching on the Sentinel platform as well as across the tech giant's security portfolio, according to Woodgate. Sentinel Graph Microsoft announced Tuesday that it's debuting its new Sentinel graph capability as a public preview, with the aim of delivering a more predictive approach to security, Woodgate said. Sentinel graph "gives organizations visibility to all of the connections between people and systems [which] is essential to protecting the overall organization," he said. Crucially, the new Sentinel graph capability will connect to other Microsoft tools including Defender and Purview, making Sentinel "the backbone of everything we do" for security going forward, Jakkal said. "For us to stay ahead [of attackers], defenders need to think and operate in graphs -- and Sentinel just enables that," she said. Sentinel MCP Server Microsoft is also rolling out its Sentinel MCP server as a public preview, integrating MCP as a part of the Sentinel backend infrastructure, the company said. MCP servers provide a way for agents to easily discover and use other tools and resources. Thus, the addition of an MCP server to Sentinel makes the platform "agent-aware, so that agents can easily interact with all of the data in Sentinel," Woodgate said. As an example, if a security analyst wanted to gain greater understanding of a password spray attack that occurred, the MCP server could allow for pulling that data from Sentinel even in a separate tool, he said. "You're now displaying data from Sentinel. But you're not in a SIEM here at all," Woodgate said. You're using it in a standalone tool. And you can extend this to any use case on the data that's now stored in Sentinel." 
No-Code Agent Builder
Beyond Sentinel, Microsoft is also rolling out a new method for expanding the usage of agentic-powered security using its Security Copilot platform, with the launch of a no-code agent builder on Security Copilot. The no-code agent builder can enable partners and customers to create their own custom security agents using natural language, Woodgate said. Key functionality includes the ability to automatically recognize the technical details the agent will need on the back end, including through pulling information from systems such as Sentinel and Purview, he said. Meanwhile, Microsoft is also debuting its Security Store to allow for partners to offer security agents that they've built, according to the company.
'Next Evolution' Of Security Strategy
Overall, the expansion in capabilities for Sentinel and Security Copilot represents the "next evolution of our SIEM strategy" at Microsoft, Woodgate said. As a broader security platform now than it has been in the past, Sentinel now offers greater interconnectivity with Microsoft tools including Entra, Purview and Defender, he noted. The data lake offering, meanwhile, can allow partners to build an application on Sentinel that is not related to a SIEM use case, according to Woodgate. The bottom line with the shift to agentic is that "agents need a security platform," he said. "And we think it's just much easier for customers to move forward with what they already have, and add to that, than to start with something different."
Microsoft unveils major upgrades to its Sentinel security platform, transforming it into an AI-ready, graph-based system. The tech giant also introduces new features for Security Copilot, aiming to revolutionize enterprise cybersecurity in the AI era.
Microsoft has announced a significant expansion of its Sentinel security platform, aimed at enterprise security operations in the AI era [1]. The company is transforming Sentinel from a cloud-native Security Information and Event Management (SIEM) system into a broader, AI-ready security platform designed for speed, scale, and continuous learning [3].
The cornerstone of this evolution is the general availability of the Sentinel data lake, high-scale, low-cost storage that lets organizations ingest, retain, and analyze far more security data than a SIEM alone [2][4]. This foundation is meant to give AI models such as Security Copilot the full context needed to detect subtle patterns, correlate signals, and surface high-fidelity alerts [2].
Microsoft has also introduced Sentinel Graph and the Sentinel Model Context Protocol (MCP) server in public preview [4]. The graph models users, systems, and data as connected nodes so that an alert on one can be assessed by its relationships to the rest, helping defenders trace attack paths and prioritize by impact [1][2]. The MCP server makes Sentinel data discoverable and queryable by agents running in other tools, without the analyst being in the SIEM console [4].
A key focus of the update is agentic AI. Security Copilot agents can now reason across environments, correlating alerts, enriching context, and automating common actions, while analysts review and approve the outcomes [1]. A no-code agent builder in Security Copilot lets teams create custom security agents using natural language [3].
Microsoft is collaborating with Accenture, ServiceNow, and Zscaler to expand the ecosystem, and is integrating Sentinel with Defender and Purview to give security teams end-to-end visibility [3].
Recognizing that AI is both a tool and a target, Microsoft has also enhanced Azure AI Foundry Content Safety with agent task adherence guardrails, PII detection and blocking, and Spotlighting for cross-prompt injection attack protection [3]. Together with the Sentinel expansion, these changes mark a shift in Microsoft's security strategy toward Sentinel as a broader platform [4], with the aim of making it the go-to resource for security teams in the AI era [1].
Summarized by Navi