Now in public preview, Microsoft Sentinel’s new data lake changes the rules on log retention, cost control, and threat visibility. Here’s what security teams need to know, and why it could shift how mid-sized organisations balance cost, coverage, and compliance.
Security teams have been forced into tough choices for years. Store all your logs and risk blowing the budget. Keep only the essentials and lose critical context when an incident hits.
For mid-sized organisations already stretched on resources, it’s a frustrating and familiar balancing act.
Now, with the public preview of Microsoft Sentinel data lake, that balance might finally shift.
The trade-off that held everyone back
If you’ve ever tried to investigate an incident only to realise the logs have aged out, you’ll know the pain.
- A suspicious sign-in was flagged but the related DNS logs are gone.
- A threat report drops new IOCs but you can only search what’s still in your analytics tier.
- You need to verify user activity from three months ago but retention cuts off at 30 days.
To solve this, some teams built custom lakes. Others archived logs they never looked at. Many more just lived with the risk.
Sentinel data lake promises to change that. It introduces a cloud-native, long-term storage tier, purpose-built for security. High-volume logs go to the lake rather than the analytics tier, keeping costs down while maintaining full visibility when you need it.

Free Video
Take more control over your Microsoft Sentinel costs
Watch the Microsoft Sentinel Cost Management Masterclass and discover how to slash waste, boost detection, and take full control of your SIEM spend.
Includes: Real-world cost-saving strategies, tooling insights, and log optimisation techniques from Microsoft and Kocho experts.
How Sentinel data lake supports deeper investigations
Imagine this: An endpoint alert triggers, tied to a service account. You want to look back at sign-in patterns, but 30-day retention doesn’t cut it. You’re stuck.
With the data lake, you’re not.
Logs that used to be dropped can now be kept cost-effectively and queried on demand. No need to rebuild infrastructure or export from backups. Just longer timelines and better answers.
This will become even more powerful from October 2025, when Microsoft Defender Threat Intelligence (MDTI) will be built directly into Sentinel and Defender XDR.
With over 84 trillion daily signals at your fingertips, SOC analysts will be able to scan new indicators against old logs instantly.
Using Defender Threat Intelligence for advanced threat hunting
We know from experience that attackers bide their time, playing the long game before striking. Lurking in dormant accounts. Quietly escalating privilege. One-off outbound connections. These are easy to miss in short windows.
With long-term data in the lake, that changes:
- Scan a year of Entra ID logs for dormant account use
- Match new threat intel against historical DNS traffic
- Test new detection rules on six months of real data
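The first of those hunts, a year-long scan of Entra ID sign-ins for dormant accounts that have come back to life, written as a KQL query. This is an added example, not code from the original article or from Microsoft; it assumes the standard Sentinel SigninLogs schema (TimeGenerated, UserPrincipalName, ResultType, IPAddress) and that the table is queryable over the full retention period the lake provides.

```kql
// Constructed example: accounts with a successful sign-in in the last 30 days
// whose previous successful sign-in was at least 180 days earlier (or absent
// from the whole 365-day window). Assumes the standard SigninLogs columns.
let lookback = 365d;      // how far back the data lake lets us look
let recent = 30d;         // "came back to life" window
let quiet_period = 180d;  // minimum silence before the recent sign-in
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"   // successful sign-ins only
| summarize
    LastOldSignIn    = maxif(TimeGenerated, TimeGenerated <= ago(recent)),
    FirstRecentSignIn = minif(TimeGenerated, TimeGenerated > ago(recent)),
    RecentSignIns    = countif(TimeGenerated > ago(recent)),
    RecentIPs        = make_set_if(IPAddress, TimeGenerated > ago(recent), 20)
    by UserPrincipalName
// keep only accounts that actually signed in during the recent window
| where isnotnull(FirstRecentSignIn)
// no earlier sign-in in the window at all, or a gap of at least quiet_period
| where isnull(LastOldSignIn) or (FirstRecentSignIn - LastOldSignIn) >= quiet_period
// -1 marks accounts with no prior sign-in inside the lookback (new or long-dormant)
| extend DaysDormant = iff(isnull(LastOldSignIn), -1,
                            datetime_diff('day', FirstRecentSignIn, LastOldSignIn))
| project UserPrincipalName, LastOldSignIn, FirstRecentSignIn,
          DaysDormant, RecentSignIns, RecentIPs
| order by DaysDormant desc
```

Rows with DaysDormant of -1 are either genuinely new accounts or accounts dormant for longer than the lookback, so triage those against account creation dates before treating them as suspicious.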
MDTI adds serious horsepower here, giving you enterprise-grade intel, without the enterprise-grade complexity.
What impact will Sentinel data lake have on compliance management?
The new data lake also looks like it will offer some useful benefits for compliance management.
As compliance criteria change, more and more audits ask for longer data retention, clearer evidence trails, and access to historical activity.
And when a regulator, auditor or insurer asks for evidence, speed matters.
The introduction of a native data lake could make that process more straightforward. With longer-term logs accessible directly inside the Microsoft environment, and auxiliary data sources beginning to surface in the Defender portal, there’s potential for a more unified view.
It’s not going to replace governance or eliminate all effort. But it does signal a move towards something security teams have been pushing for: compliance reporting that doesn’t rely on luck, last-minute backups, or spreadsheet archaeology.
Sentinel data lake could change the relationship between cost control and coverage
This release addresses a long-standing limitation in how security teams manage cost, coverage and context.
By making long-term retention affordable and accessible, Microsoft is removing a major blocker to full-scope investigations, historical threat hunting and compliance readiness. And with Defender Threat Intelligence now built in, retrospective analysis becomes faster, deeper and more accurate.
For Microsoft-first organisations, this marks a shift from selective visibility to sustained situational awareness. The ability to see more, search further back, and act faster, without breaking the budget.
There’s more to come, but this update sets a clear new standard for what SME security teams should expect from their SOC platform.
Watch this space, or better still, get in touch with us to find out more.
Want to hear more about how to make significant savings on your Sentinel ingestion costs? Watch our Microsoft Sentinel Cost Management Masterclass here.
Q&A: Sentinel data lake at a glance
- Sentinel data lake is now available in public preview with general availability anticipated to be later this year.
- Microsoft Sentinel data lake is a new, long-term, low-cost log storage tier built into the Microsoft Sentinel SIEM platform. Unlike the analytics tier, which charges based on ingestion, the data lake allows high-volume logs to be stored cheaply and queried on demand without upfront ingestion costs.
- It decouples log storage from expensive ingestion pricing. This means security teams can retain far more data without the budget strain, enabling deeper investigations and longer threat hunting windows without sacrificing visibility.
- Typically, high-volume but lower-priority logs such as DNS, firewall, and authentication logs are ideal candidates. These logs often hold critical context during incident investigations, but are too costly to retain long-term in the analytics tier.
- Yes. Stored logs in the data lake can be queried using standard KQL (Kusto Query Language). They aren’t analysed in real time but are accessible on demand, making them useful for retrospective analysis and threat hunting.
- Yes – from October 2025, Microsoft Defender Threat Intelligence (MDTI) will be natively integrated with Sentinel and Defender XDR. This allows analysts to match new threat indicators against historical log data held in the data lake.
- For many Microsoft-first organisations, yes. The native Sentinel data lake is a more seamless, cost-effective option that removes the overhead of building and maintaining separate infrastructure for log archiving.
- The data lake makes it easier to meet longer retention requirements and respond faster to audit and regulatory requests. Logs can be accessed natively, reducing manual effort and reliance on backups or exported files.
- No. The data lake is for long-term storage and retrospective queries. Real-time detection still relies on data ingested into the analytics tier. But the lake expands your lookback window when you need to dig deeper.
- In most cases, yes. By shifting high-volume logs out of the analytics tier, organisations can significantly reduce ingestion and retention costs while still maintaining access to critical forensic data.