Microsoft Positions Sentinel For Agentic Security

Source: Forbes


Microsoft is attempting to build a unified platform for cloud-based security with its Sentinel product.

At its core, Sentinel is a security information and event management (SIEM) system that collects information from as many sources as customers are willing to provide. Logs, metrics, and other signals can be forwarded into Sentinel for analysis, looking for signs of malicious activity somewhere in the increasingly complex array of enterprise technologies.

Microsoft has added a data lake capability to provide more flexible access to the ever-increasing quantities of data consumed by Sentinel. Rather than locking the data away for Sentinel's exclusive use, the data lake presents a multi-modal interface so that customers and vendors alike can build atop the platform and extend its native capabilities to suit their own diverse needs. Microsoft would very much like Sentinel to become the heart of every enterprise's security regime.

However, Sentinel remains a relatively new product, and Microsoft's security portfolio remains somewhat confusing, despite the new rhetoric about unification. Microsoft Defender, the extended detection and response (XDR) tool, is what Microsoft believes most security operations staff will use day-to-day, which is fine, since security operations staff believe this too. Microsoft sees Defender as a window into Sentinel, one of many, each providing a tailored view into the platform based on the particular needs of different personas.

Exactly what these personas need, and what these views might look like, remain largely undefined. They exist in potentia as part of Microsoft's aspiration for what Sentinel might become rather than what it is today. Examples exist, such as using graph-based queries of the Sentinel data lake to do attack chain analysis or to evaluate the blast radius of a successful intrusion. The potential is real, and there is genuine value here, at least in theory.

Alas, Microsoft appears distracted by the industry's broader obsession with generative AI, and particularly with agentic AI, which is the new, more fashionable name for what some of us remember as autonomous agents. Sentinel's data lake exists partly to provide the kind of large-scale dataset that modern large language model techniques require, accessed via a Model Context Protocol (MCP) server.

If agents become popular and embedded into enterprises, and they need data to which Sentinel alone controls access, Microsoft would be in a commanding position to charge fees for facilitating that access. Microsoft seems to be hoping that if it provides the raw materials, others will help it entrench Sentinel within the core of customers' security strategy.

Sentinel has potential. If it can provide a compelling way to collect and analyse data, identify risks, and help security teams figure out the best way to address them, then that has clear value. If it can be priced such that customers believe it provides sufficient value for money, so much the better. Yet these are unresolved questions for a repositioned product that seeks to become far more than just another SIEM. Sentinel costs real money today, but the value it provides as a unified platform for all security data remains somewhat nebulous.

As a strategic purchase, for that is what the current price tag demands, Sentinel seems too changeable to commit to as a platform just yet. Platforms must remain stable if what is built atop them can be relied on to remain upright. Ideas are commendable things, but solving the myriad problems of today is what consumes the attention of security teams. Microsoft would do well to focus on a few key use-cases that showcase its potential as a platform while remaining firmly connected to where the ground is today.

One day we may live in the poetic world Microsoft dreams of for us. Enterprise systems awash with data, swarms of agentic AI busily flitting from place to place, security teams free of their labors, all watched over by machines of loving grace. Alas, that day is not this day. Sentinel is not yet all things to all agents.

For now we must carefully explore what Sentinel does for specific use-cases, and with specific requirements. For customers that have already embraced Azure for most if not all of their enterprise IT, the case may be easily made to place Sentinel at the core. For others, a careful weighing up of options will be required, for there are many alternatives available from vendors such as Splunk, Datadog, LogRhythm, Elastic, Crogl and more besides.