In-Depth
The Evolution of a SIEM
Popular software products have interesting lifecycles, particularly in today's cloudy world, where customer driven change requests can bring new features quickly.
The difference between on-premises software's update cadence, measured in years, and cloud service changes, measured in months or weeks, means that, much as scientists use short-lived fruit flies to observe change across generations, we can watch services evolve as they mature.
In this article I'll look at Microsoft Sentinel, originally released as Azure Sentinel back in 2019 and revisited in a follow-up article in 2021. We'll cover the evolution, briefly look at the competition from other SIEMs, and go through what's new, such as a Graph data interface, a built-in MCP server, the data lake, unification with Defender XDR, migration tools from other SIEMs, Copilot for Security and AI agents, the Security Store and more.
Introduction
Microsoft Sentinel is a cloud-based Security Information and Event Management (SIEM) platform, now six years in market and used by over 25,000 organizations. Forrester sees it as a leader in "Security Analytics Platforms," and Gartner sees it as a leader in its Magic Quadrant™, both in 2025 (and in earlier years).
Forrester wave 2025
Gartner Magic Quadrant 2025
There are four insights to take away from these two (albeit enterprise-focused) views of the SIEM market. Firstly, Sentinel has risen quickly to become a serious contender for the top spot, currently held by Splunk.
Secondly, IBM's QRadar, a long-time stalwart in the SIEM market, has disappeared after Palo Alto Networks bought it and then end-of-lifed the QRadar SaaS versions that overlap with its own Cortex SIEM (April 14, 2026), with the rest of the SaaS products following on August 31, 2026. Thirdly, Chronicle's Google Security Operations cloud SIEM was released at almost the same time as Sentinel but is only a leader in one analyst's view. Fourthly, the traditional, on-premises SIEMs (except for Splunk) are struggling to convert to managed SaaS offerings effectively.
For many years, big companies that could afford it deployed SIEMs on premises, investing in large storage infrastructure, plus paying additional license costs to the vendor when they chose to store additional log types. This isn't a sustainable model in today's world with cheap cloud storage and ubiquitous, high speed network connectivity. Relying on cloud technology for SIEM infrastructure brings many benefits.
Splunk Inc. (founded 2003) was bought by Cisco for $28 billion in 2024 and now operates as a subsidiary. There are several reasons it's still a leader. One is that Splunk is a really good SIEM, both at its core and through the many acquisitions it made over the years. Another is that it started offering Splunk Storm back in 2011, which morphed into Splunk Cloud in 2013, a SaaS / cloud-based SIEM, which was early for a product born on premises. Other traditional SIEMs got onto the cloud bandwagon much later, leading to loss of market share.
Sentinel -- a "Kit Bash" of Azure Building Blocks
Sentinel is built on Log Analytics, a service that's been around for many years in Azure, originally built to store IT systems' log data, shard it across many servers for scale, and analyze it with the query-optimized Kusto Query Language (KQL). The Security Orchestration, Automation and Response (SOAR) part of Sentinel, where you build automations (for example: if a user is flagged as signing in from a country they don't normally sign in from, contact their manager to check whether that's expected), uses Azure Logic Apps, a low / no-code environment for building workflows. The engine for building interactive dashboards is another Azure service, and Jupyter notebook support comes from Azure Notebooks, connected to Azure Machine Learning and so on.
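As an added illustration (not code from the article or from Microsoft), here is the detection behind that "unusual country" automation, written in Python over constructed sign-in records so it runs offline; in Sentinel the same logic would be a KQL analytics rule over the sign-in logs, with the Logic App playbook attached to the resulting alert. The users, countries, evaluation time and thresholds are all assumptions, and accounts with too little history are deliberately not alerted on, since that is where such a rule generates its noise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (timestamp, user, country); hypothetical users, not real data.
SIGNIN_LOGS = [
    ("2025-01-02T08:00:00", "alice@contoso.example", "US"),
    ("2025-01-10T09:15:00", "alice@contoso.example", "US"),
    ("2025-01-15T16:20:00", "bob@contoso.example", "DE"),
    ("2025-01-20T10:30:00", "alice@contoso.example", "CA"),
    ("2025-02-01T07:45:00", "bob@contoso.example", "DE"),
    ("2025-02-03T11:00:00", "alice@contoso.example", "BR"),  # new country for alice
    ("2025-02-03T12:00:00", "bob@contoso.example", "DE"),    # usual country for bob
    ("2025-02-03T13:00:00", "carol@contoso.example", "FR"),  # first ever sign-in
]
NOW = datetime(2025, 2, 4)  # constructed evaluation time for this rule run


def build_baseline(logs, now, lookback_days=30, min_events=2):
    """Known countries per user from sign-ins older than the 24h detection window but
    inside the lookback. Users with fewer than min_events sign-ins get no baseline."""
    start, end = now - timedelta(days=lookback_days), now - timedelta(days=1)
    seen = defaultdict(list)
    for ts, user, country in logs:
        if start <= datetime.fromisoformat(ts) < end:
            seen[user].append(country)
    return {u: set(c) for u, c in seen.items() if len(c) >= min_events}


def new_country_signins(logs, now, lookback_days=30):
    """Sign-ins in the last 24h from a country the user has not used before.
    This is the trigger condition the playbook would act on."""
    baseline = build_baseline(logs, now, lookback_days)
    window_start = now - timedelta(days=1)
    findings = []
    for ts, user, country in logs:
        t = datetime.fromisoformat(ts)
        if not (window_start <= t <= now):
            continue
        if user not in baseline:
            continue  # no history yet: skip; this sign-in feeds the next baseline
        if country not in baseline[user]:
            findings.append({"time": ts, "user": user, "country": country,
                             "known_countries": sorted(baseline[user])})
    return findings


if __name__ == "__main__":
    for f in new_country_signins(SIGNIN_LOGS, NOW):
        # Here a Logic App playbook would look up the user's manager and notify them.
        print(f"{f['time']} {f['user']} signed in from {f['country']}, "
              f"usually {', '.join(f['known_countries'])}")
```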
And this use of battle tested technologies in Azure continues with the recent release of the Sentinel Data Lake. Microsoft has had several cracks over the years at the challenge of separating the three types of data a SIEM contains:
- Detective data
- Contextual data
- Compliance data
The first type serves the core function of a SIEM: log data from identity platforms, Threat Intelligence (TI), cloud activity logs and so on streams in close to real time, and you run alert rules over it to catch something bad happening as quickly as possible. Contextual data, on the other hand, is things like DNS, firewall, proxy, VPN and NetFlow logs, useful when you have a major incident and want to understand exactly how the bad guys got in, or when you're threat hunting through historical data. Compliance data is logs that you have to keep for audit and compliance purposes but rarely access.
The challenge for Sentinel has been that the first type of data is well served by the Analytics tier in Log Analytics itself, but retaining that data beyond, say, 90 to 180 days becomes expensive. In most cases the log data flowing in is the most important source for alerting on badness happening right now, and you may need to look back weeks or months to see whether something you now know is malicious was missed earlier, but you don't need to keep that data on the fast, expensive storage. Over the years Sentinel has offered Basic logs and Archive logs, supported by search jobs, but with the release of the data lake a much better and more comprehensive solution is here.
Data stored in the Analytics tier is mirrored to the data lake for free (so the lake has "all" the logs), and the lake automatically compresses the data (about 6:1). You can also choose to ingest particular log sources directly into the data lake only, when you're not going to build alerts on them. It stores logs in the open Parquet file format and lets you choose retention per table for up to 12 years. Here you can see the UI in Sentinel with the tables, and the option to change the data lake retention period for DNS Events as an example.
Data Lake table management in Sentinel
Unification of XDR and Sentinel
The mythical "single pane of glass" for defenders, to stop them having to jump between numerous tools and portals while investigating an attack, is closer than ever, at least if you buy into the full security suite from Microsoft. For your Microsoft 365 environment, Defender XDR provides a full suite of Defenders -- Endpoint for Windows, Mac, Linux, iOS and Android; Cloud Apps for your SaaS services; Identity for Active Directory; Office 365 for email and Teams. New Sentinel deployments are automatically placed in the XDR portal alongside all these other Defenders. For existing Sentinel customers, the migration option from the Azure portal to the Defender portal has been available for some time. Originally the deadline was mid-2026, but that's been extended to March 2027.
Graph Databases -- the Future of Cybersecurity Defense
"Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." This is a quote by John Lambert from Microsoft. Over the last decade we've seen defenders' tooling adopt graph databases, a type of database that stores entities as nodes and the relationships between them as edges. The canonical example is Bloodhound, originally developed for penetration testers to map out an Active Directory environment after an initial breach and show the shortest path(s) to compromising domain admin credentials.
In Defender XDR we see this in Exposure Management, a service that tracks the assets in all the different Defenders, and their relationships. This gives you attack paths, choke points, and a set of inbuilt initiatives to improve security against one particular type of attack for example.
This has now been expanded to Sentinel, with the Microsoft Sentinel graph which tracks assets, identities, activities, TI and more, plus their relationships, helping you answer questions like "what would happen if this user account was compromised." Note that a prerequisite of the graph is that the data lake must be enabled.
Copilot for Security & AI agents
It's no secret that AI tools are redefining how defenders protect their organizations. Microsoft's AI foundation in Defender XDR, Purview, Entra ID and Sentinel is Security Copilot. It was priced way outside what SMBs can afford, but that's now starting to change, with a monthly allotment instead of having to pay for every hour, 24x7. If you have Microsoft 365 E5 licensing, you get Secure Compute Units (SCUs) equal to the number of licenses you have divided by 2.5 -- so 100 licenses give you 40 SCUs per month.
You can use these SCUs working directly with Security Copilot, when investigating incidents for example, but they also power AI agents. The ones relevant to Sentinel include the Threat Intelligence Briefing Agent, which helps you prepare briefs for different audiences; the Threat Hunting Agent, which lets you search through your data using "vibe hunting," translating your plain English sentences into KQL; and the Vulnerability Remediation Agent, which helps you prioritize patching of endpoints.
The new Security Store offers 59 third-party agents plus 23 from Microsoft. It also provides NIST Cybersecurity Framework standards and third-party add-on services.
Sentinel ❤️ MCP
In a welcome move, Sentinel now has support for Model Context Protocol (MCP). It's hosted by Microsoft and uses Entra ID for authentication, and today you can connect from Security Copilot, Copilot Studio, Microsoft Foundry, Visual Studio Code and ChatGPT. Built-in graph MCP tools include Blast Radius, Path Discovery and Exposure Perimeter.
It helps you interact with and reason over security data in the data lake / Defender XDR using natural language, and also helps you build your own agents. In my testing, I think that entity enrichment is going to be the first killer app here: you don't have to write complex custom queries to gather relevant data, and everything an analyst needs is displayed automatically rather than them having to dig manually through various data sources to find it.
Migrate to Sentinel from Splunk or QRadar
A strong sign that a product is a serious contender is when it starts offering migration tools from competing services, and Sentinel now offers documented migration support for ArcSight, Splunk and QRadar. There's also an AI-powered SIEM migration experience for Splunk and QRadar. For all three SIEMs, there's documentation for migrating detection rules and SOAR automations, and you can also export historical data.
There is no magic button here though: migrating from one SIEM to another is a big undertaking, particularly if you've got staff who are experts on the current one and might not like the change. There are a lot of configurations, custom alert rules and log sources that may have been built up over many years, and converting it all into a new system is a challenge.
In all but the very smallest environments, you'll likely be running both SIEMs in parallel for some time; Microsoft has documentation covering this.
The SIEM Migration tool requires Security Copilot to be enabled, but it doesn't use any of your SCUs. It's accessed from the SOC Optimization tab in the Defender XDR portal; you connect to your current SIEM and it starts the analysis.
SIEM Migration tool (courtesy of Microsoft)
The tool looks at the data connectors in use and matches them with their equivalents in Sentinel; it also investigates your detection rules and finds their counterparts among the built-in analytics rules. There's a full report of the tool's output in CSV format that you can download, and a workbook visualization to track migration progress.
Conclusion
Sentinel is one of those products that I jumped on when it was first in public preview, and I've rolled it out for all my clients. I'm also a member of Threat Protection Advisors so I've been able to participate in many private previews of new features, focus groups and surveys which have influenced its evolution.
Sentinel, combined with the full Defender XDR suite, gives me visibility and insight into what's going on in my clients' environments, and any potential compromises. It's good to see that Microsoft is serious about listening to their customers and implementing genuinely useful features.