Microsoft App Assure
Guidance for Building Agents on the Microsoft Sentinel Platform

MitchellGulledge
Apr 15, 2026

As a Senior Product Manager | Developer Architect on the App Assure team working to bring Microsoft Sentinel and Security Copilot solutions to market, I interact with many ISVs building agents on Microsoft Sentinel data lake for the first time. I’ve written this article to walk you through one possible approach for agent development – the process I use when building sample agents internally at Microsoft. If you have questions about this, or other methods for building your agent, App Assure offers guidance through our Sentinel Advisory Service. 

Throughout this post, I include screenshots and examples from Gigamon’s Security Posture Insight Agent. 

 This article assumes you have: 

  • An existing SaaS or security product with accessible telemetry.
  • A small ISV team (2–3 engineers + 1 PM).
  • A focus on a single high-value scenario for the first agent.

The Composite Application Model (What You Are Building)

When I begin designing an agent, I think end-to-end, from data ingestion requirements through agentic logic, following the Composite Application Model.

The Composite Application Model consists of five layers: 

  1. Data Sources – Your product’s raw security, audit, or operational data. 
  2. Ingestion – Getting that data into Microsoft Sentinel.
  3. Sentinel data lake & Microsoft Graph – Normalization, storage, and correlation.
  4. Agent – Reasoning logic that queries data and produces outcomes.
  5. End User – Security Copilot or SaaS experiences that invoke the agent.

This separation lets data ingestion and agent logic evolve simultaneously. It also helps avoid downstream surprises that require going back and rearchitecting the entire solution.

 

Read the full announcement here: Accelerate Agent Development: Hacks for Building with Microsoft Sentinel data lake

 

Original Publication: Microsoft Sentinel Blog, April 2nd, 2026

Updated Apr 15, 2026
Version 1.0