
Blog | 5-minute Read

Why Sentinel Data Federation shifts security spend from storage to investigation

Adam Febery

Security Operations Technical Lead

Published: 27 March 2026

Microsoft Sentinel Data Federation enters public preview on 1 April 2026. We look at what it changes and how it shifts security analytics away from ingest‑led pricing toward a model where organisations pay only when data is queried. 

Security operations teams have long had to balance visibility against cost.

Achieving complete coverage meant ingesting everything into your Security Information and Event Management (SIEM) system and paying for volume, whether the data was ever used or not. Controlling spend meant narrowing scope and accepting gaps that could surface during investigations.

Microsoft Sentinel data lake eased this tension by making long‑term retention more affordable. Sentinel Data Federation changes the model entirely.

With federation now in public preview, Sentinel can analyse data where it already lives across platforms such as Microsoft Fabric, Azure Data Lake Storage (ADLS), and Azure Databricks. Data no longer needs to be ingested, duplicated, or reshaped in advance. Instead, cost increasingly aligns to when data is queried rather than simply stored.

Ingestion was the bottleneck. Federation removes it

Every SIEM has struggled with the same tension.

The more data you ingest, the richer your detections become. But the more you ingest, the faster the cost climbs.

Data Federation breaks this link. With federation, Sentinel can query external sources in place and treat them as part of the investigation surface, without those sources first being ingested into the workspace.

This lets teams:

  • Access months or years of historical data
  • Correlate large datasets that were previously too expensive to ingest
  • Run wide investigations using standard Sentinel tools like KQL, notebooks, and custom graphs
  • Prioritise ingestion only for high value or real-time detection scenarios

Many organisations already centralise operational or analytical data in platforms like Fabric or ADLS.

Until now, security teams had to duplicate that data into Sentinel if they wanted it available for investigations. That created friction between data engineering and security, especially when the datasets were large.

Federation will allow the data to stay where it is. Sentinel will reach out to it when needed.

For organisations that have already invested in Fabric, this is a natural extension of their existing data strategy. Security can finally work with the same data shapes and structures that the wider business uses.

For those who have not yet adopted Fabric, the barrier to entry has fallen. There’s now no need to redesign pipelines just to make data usable for security operations.

A bigger window for investigations and threat analysis

The 2025 Sentinel data lake release made long-term storage affordable and accessible. It allowed security teams to keep high-volume logs for far longer without tying everything to analytics-tier ingestion.

With federation entering preview, the visibility expands further.

Analysts will be able to query large, heterogeneous datasets that were never sent to Sentinel in the first place. This includes network telemetry, application logs, cloud resource metadata, governance data, and any other source already present in the organisation’s data estate.

The practical result is clearer and more confident root cause analysis across a wider timeframe and a broader range of signals.

AI-driven SOC operations benefit even more

AI-enabled investigations are only as good as the context they can access. Agentic SOC workflows and entity reasoning require rich, interconnected data.

By removing the need to ingest everything into Sentinel before it becomes useful, federation provides AI agents with a far wider pool of signals.

The data lake continues to offer deep historical context. The analytics tier still handles real-time detection.

Together, these layers create an architecture designed for AI rather than adapted for it.

Better cost control without reducing coverage

Sentinel Data Federation builds on what the data lake already offers.

Organisations can now choose the right location for each data type:

  • Real-time detections in the analytics tier
  • Historical high-volume logs in the Sentinel data lake
  • Operational or analytical datasets queried via federation

This gives security teams flexibility to keep costs predictable while maintaining comprehensive visibility.

More importantly, federation shifts spending toward active investigation rather than passive ingestion. Instead of paying to move and store data in anticipation of possible use, organisations incur cost primarily when analysts query the data. This aligns SIEM spend more closely with real security work, focusing investment on moments of investigation and response rather than on continuous duplication of data. The trade-off is that real-time analytics rules still depend on data in the analytics tier, so federation complements ingestion for detection rather than replacing it.


Free Guide

The Ultimate Guide to Microsoft Security

The most comprehensive guide to Microsoft Security. Over 50 pages. Microsoft licensing and pricing simplified.

Discover technologies that:

  • Detect and disrupt advanced attacks at machine-speed
  • Tap into the world’s largest threat intelligence network
  • Protect identities, devices, and data with ease

A more collaborative approach to security data

Federation has a secondary benefit. It brings security and data teams closer together.

  • Security no longer needs bespoke ingestion pipelines
  • Data teams no longer need to maintain a second copy of data that is already stored elsewhere

Both teams can work from the same source of truth.

This reduces friction and shortens the path from investigation to insight.

What organisations should do next

Three practical steps will help security leaders prepare for the federation preview.

Review existing ingestion patterns

Identify data sources that are currently ingested only for occasional use.

These may be better candidates for federation.
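One way to find those candidates is to compare what each table costs to ingest with how often anyone actually queries it. The KQL below is an added example, not code from the original post or from Microsoft: it runs in the Sentinel workspace itself and ranks billable tables from the Usage table by volume ingested over the last 90 days against the number of audited queries in LAQueryLogs whose text references the table. It assumes query auditing is enabled on the workspace (without it LAQueryLogs is empty and every table shows zero queries), and the match on table name in QueryText is a heuristic: queries that reach a table only through a function, a saved search or an alias will be under-counted, so treat the output as a shortlist to review rather than a decision.

```kql
// Added example: rank billable tables by ingested volume against how often
// they were queried. Usage.Quantity is reported in MB; LAQueryLogs is only
// populated when the workspace's query audit diagnostic setting is on
// (assumption: that setting has been enabled for the whole lookback window).
let lookback = 90d;
let ingested = Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize IngestedGB = round(sum(Quantity) / 1024, 2) by Table = DataType;
let queries = LAQueryLogs
    | where TimeGenerated > ago(lookback)
    | project QueryText;
ingested
// Cross join so every (table, query) pair is visible; leftouter keeps tables
// that no query ever touched, which are exactly the candidates we want.
| extend k = 1
| join kind=leftouter (queries | extend k = 1) on k
// 'has' is a whole-term match, so "Event" will not count a query on SecurityEvent.
| summarize QueryCount = countif(QueryText has Table) by Table, IngestedGB
| extend GBPerQuery = iff(QueryCount == 0, IngestedGB, round(IngestedGB / QueryCount, 2))
// Ignore tiny tables; the cost argument only matters for volume.
| where IngestedGB >= 1
| order by QueryCount asc, IngestedGB desc
```

Tables at the top of the result (high IngestedGB, low QueryCount) are the ones worth moving to the data lake tier or, where the data already exists in Fabric or ADLS, leaving in place and reaching via federation. Tables that feed scheduled analytics rules should stay in the analytics tier regardless of how the numbers look, since federated data is queried on demand rather than evaluated in real time.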


Assess your broader data estate

If you already use Fabric or ADLS extensively, the preview will simplify your SIEM strategy.

If you don’t, the change may prompt a broader review of how you organise operational data.

Plan for AI-driven security workflows

Federation gives AI agents access to more context without additional ingestion cost.

Organisations positioning for AI adoption can use this wider signal coverage to accelerate their roadmap.

The bottom line

In 2025, the Sentinel data lake shifted the balance between retention and affordability.

In 2026, the Sentinel Data Federation preview shifts the balance between ingestion and visibility.

Together, they redefine what a cloud SIEM should be:

  • A platform that can analyse data wherever it lives
  • A system that supports AI-native operations
  • A model that scales without forcing organisations into cost versus visibility compromises

It also changes how organisations pay for security insight, shifting spend from always‑on ingestion to on‑demand investigation.

For organisations invested in Microsoft, this is a significant moment.

For those weighing migration to Sentinel, the economics just became more compelling.

If you would like support in evaluating how these changes affect your SIEM strategy, or how federation could reshape your Sentinel architecture, get in touch with our team today.


Author

Adam Febery

Security Operations Technical Lead

With expertise in SecOps, Microsoft Sentinel, Microsoft XDR, KQL, and PowerShell, Adam has a proven track record in leading cross-functional security teams and delivering advanced security solutions.
