Microsoft Security Community Blog

Microsoft Ignite 2025: Power the next era of cybersecurity with Microsoft Sentinel

vkokkengada (Microsoft)
Nov 18, 2025

Join us at Ignite 2025 to explore the latest innovations in Microsoft Sentinel SIEM and data lake—empowering you to strengthen defenses and accelerate business impact.

At Microsoft Ignite 2025, we’re showcasing how Microsoft Sentinel, trusted by over 40,000 customers worldwide, combines industry-leading SIEM capabilities with a purpose-built security data lake to transform security operations. This combination delivers deep visibility, advanced analytics, and cost-efficiency, empowering security teams to detect, investigate, and respond faster in an AI-driven era.

IT environments and threats have exploded in size and complexity in recent years. Microsoft Sentinel’s AI-powered platform with data lake, graph, and AI tools gives security teams the capabilities they need to keep up. The Sentinel data lake is a game-changer. It enabled Simbian's AI SOC and Threat Hunt Agents to efficiently analyze months of correlated security data across the enterprise.

Ambuj Kumar | Co-founder and CEO | Simbian

Join us November 18–21 at the Moscone Center in San Francisco or online to explore the latest innovations in Sentinel SIEM and data lake, and dive into immersive sessions designed to strengthen defenses and accelerate impact.

Proactive Response: Automatic attack disruption on AWS, Proofpoint & Okta

Automatic attack disruption now extends beyond XDR, incorporating data from AWS, Proofpoint, and Okta when it is brought in through Sentinel. Drawing on millions of signals from Microsoft Threat Intelligence, this feature uses AI to detect sophisticated threats such as phishing, business email compromise, and identity compromise across federated accounts and cloud boundaries. Once an attack is identified, compromised assets are contained in near real time, reducing dwell time and minimizing business impact. By integrating telemetry from AWS, Proofpoint, and Okta, security teams can move from reactive detection to proactive, cross-platform protection, with cohesive defense and lower operational complexity.

AI-Assisted SOC: introducing agentic tools in Defender  

We are excited to announce Security Copilot-powered agents that can transform how SOC teams detect, investigate, and respond to threats by bringing AI into day-to-day workflows for SIEM and XDR users within Defender.

  • The Threat Hunting Agent transforms threat hunting by allowing analysts to conduct end-to-end investigations using natural language. It provides direct answers, guides users through investigative steps, and surfaces actionable insights. This agent-driven experience helps analysts of all skill levels hunt faster, more accurately, and with rich security context.
  • The Threat Intelligence Briefing Agent is now integrated into the Microsoft Defender portal. In just a few minutes, the agent generates tailored threat briefings that synthesize the latest insights from Microsoft Threat Intelligence and hundreds of global sources, contextualized to an organization’s unique environment. Analysts can use these briefings to understand evolving risks, emerging campaigns, critical CVEs, and at-risk assets, and so decide what to focus on first. They can then use the agent’s recommendations and deep links to affected assets to proactively address exposures. With real-time, dynamic intelligence and an intuitive review path, the Threat Intelligence Briefing Agent turns complex threat data into actionable guidance, helping organizations make faster, better-informed security decisions every day.
  • The Dynamic Threat Detection Agent proactively hunts for false negatives and blind spots that traditional alerting might miss. When a critical incident happens, Copilot automatically hunts to uncover undetected threats, such as unusual residual activity around a sensitive identity. This agent turns ‘probably fine’ into proven secure, finding and fixing false negatives to keep organizations safer.

Accelerated Onboarding: AI powered SIEM migration tool

We’re excited to announce the new enhanced SIEM migration experience for Microsoft Sentinel—designed to simplify and accelerate migrations from Splunk and QRadar. SIEM migrations are complex and resource-intensive, often taking months. While many solutions simply convert queries into proprietary syntax, Microsoft takes a different approach—driving true SOC transformation with advanced correlation and insights that go beyond syntax conversion. This ensures a fully integrated, future-ready SOC aligned with modern security needs—not just translated legacy queries.

Support for Splunk will be available in public preview by early December 2025, and QRadar support will follow soon. This tool will enable customers to upload exports from their existing SIEM and receive tailored recommendations for Microsoft Sentinel setup. The tool analyzes uploaded data to identify techniques, data sources, and detection rules, then maps them to production-ready, out-of-the-box Sentinel detections. It also highlights missing connectors and recommends enabling them to ensure full coverage. With one-click activation of recommended rules and connectors, customers can quickly operationalize their security posture without manual configuration. This approach moves beyond simple syntax translation, delivering accurate, intent-based mapping for better detection coverage and ongoing optimization—so your security stays effective and up to date without extra effort.

To help customers accelerate their Sentinel journey, Microsoft offers migration support at no additional cost through the Cloud Accelerate Factory program. Eligible customers receive hands-on assistance from Microsoft experts to quickly deploy Sentinel and migrate from Splunk using the new SIEM migration experience, while collaborating with their preferred migration partner. For more details, contact your Microsoft representative or visit https://aka.ms/FactoryCustomerPortal

Expanded Ecosystem: new and enhanced out-of-the-box connectors 

Microsoft Sentinel’s growing ecosystem of data connectors is transforming how organizations integrate and secure their environments. With over 350 connectors, easily bring in telemetry from a wide range of sources—cloud platforms, SaaS applications, and on-premises systems—directly into Microsoft Sentinel. We are continuously adding new connectors every month to this ecosystem, and we’re excited to highlight a few of the latest additions here.

  • The following new connectors across various cloud providers are now generally available in Microsoft Sentinel:
    • AWS: Network Firewall, Route 53 DNS, Security Hub Findings, Server Access
    • GCP: Apigee, CDN, Cloud Monitor, Cloud Run, Compute Engine, DNS, Google Kubernetes Engine, NAT Resource Manager, SQL, VPC Flow, IAM
    • Palo Alto: Cortex Xpanse, Prisma Cloud CSPM, Prisma CWPP
    • SAP: ETD, Agentless connector
    • Others: Alibaba Cloud ActionTrail Logs, Cisco Secure Endpoint, Cyfirma, ExtraHop, Keeper Security, Lookout MTD, OneLogin IAM, Oracle Cloud Infra, PingOne, Qualys Vulnerability Management, Salesforce, Samsung, Slack Audit, Snowflake
  • OneTrust (in public preview), BigID, Cyera and Varonis (coming soon) connectors let customers integrate third-party signal into Microsoft Purview’s Data Security Posture Management (DSPM) solution, helping DSPM customers eliminate blind spots and strengthen risk posture across their digital estate. Made possible through integration with the Microsoft Sentinel data lake, DSPM customers can easily turn on and integrate third-party data asset information (such as permissions, location, and sensitivity) to achieve a more complete view of risk across their multi-cloud environments.

For the full list of connectors, see our documentation. If there are new connectors you'd like to see, please reach out to our App Assure team.

Lower cost and enhanced security: Ingest Diverse Security Data Directly into the Data Lake

Microsoft Defender for Endpoint (MDE) data can now be ingested directly into the Sentinel data lake, with table settings managed through the built-in table management experience in the Defender portal. This enables retro-hunting and incident investigations on historical endpoint data, while allowing cost-effective long-term retention without moving data to the analytics tier. Expansion to Microsoft Defender for Office 365 (MDO) and Microsoft Defender for Cloud Apps (MDA) is coming in early December. The result: improved visibility, historical analysis, lower total cost of ownership, and powerful capabilities for modern security operations.

Plus, you can also ingest Entra, Syslog, CEF, and CommonSecurityLog data directly into the data lake for even broader and cost-efficient coverage.


Granular Control: Role based access control in the data lake 

  • Microsoft Sentinel data lake has enhanced its permission model to enable users to access workspace data in the lake based on their granular Azure RBAC permissions on each workspace. Customers now gain the flexibility to delegate read access to individual workspaces without relying solely on built-in roles. For additional information on delegating read permissions to workspaces using Azure RBAC, please refer to our documentation.
  • Application identity support for data lake access (service principals and managed identities) is coming soon. Customers will be able to grant service principals or managed identities access to data in the Sentinel data lake, which enables scalable automation with agents or scripts. Assign these identities to roles in Azure or Entra ID to start using this feature.

Improved data access: Updated data lake KQL and notebook experience 

  • Run asynchronous KQL queries on the Sentinel data lake to process larger datasets efficiently. Results are stored in a hot cache for up to 24 hours, giving your SOC immediate access without rehydrating data to the analytics tier. This accelerates investigations, streamlines workflows, and lets more data be analyzed in a single query.
  • With the Microsoft Sentinel data lake, SOC teams gain immediate access to a curated set of out-of-the-box KQL queries and job templates that cover the most critical security scenarios, enabling teams to quickly establish baselines, hunt threats, detect anomalies rapidly, and investigate rare or risky behaviors. These prebuilt analytics help security teams surface suspicious patterns, track emerging threats, and automate routine checks across vast historical data, so organizations can stay ahead of attackers, minimize manual effort, and accelerate security operations with confidence. This will be available by early December; for more information, see KQL and the Microsoft Sentinel data lake - Microsoft Security | Microsoft Learn.
  • A new samples panel is available in Visual Studio Code, giving users quick access to notebook examples that have been vetted by Microsoft Research. This helps users get started faster and learn best practices for working with notebooks.

Integrated Intelligence: Threat Analytics now included for SIEM customers

Customers can now tap into Microsoft’s extensive threat intelligence library, which offers deep insights into threat actors, their tactics, and known vulnerabilities, alongside finished intelligence from Microsoft Threat Research. It delivers real-time indicators of compromise and maps to MITRE tactics, techniques, and procedures (TTPs), supporting proactive threat hunting and effective remediation.

Improved triage: AI-powered incident experience

The Defender incident queue is getting better. We are in public preview with an updated AI-powered experience, designed to help SOC analysts prioritize incidents more effectively during triage, ensuring that the most critical threats are addressed first. By leveraging an advanced algorithm that assigns risk scores based on alert types, criticality tags, MITRE techniques, threat analytics and more, it brings transparency and actionable insights to incident prioritization. Analysts benefit from a clear view of why incidents are ranked highly, allowing for faster, more confident decision-making.

Pre-built solutions: track HIPAA and GDPR compliance

We have two new out-of-the-box compliance solutions in public preview, helping customers adhere to industry requirements without significant configuration.

  • The HIPAA compliance solution helps healthcare organizations safeguard protected health information (PHI) with integrated dashboards, real‑time threat detection, and audit‑ready reporting. Prebuilt analytics and watchlists for users and assets make it easier to monitor access, detect anomalies, and respond to incidents while reducing operational complexity.
  • The GDPR Compliance & Data Security Solution unifies alerts, data classification, and audit evidence across Microsoft Purview, Azure SQL, Microsoft 365, UEBA, and Entra ID to monitor GDPR requirements in cloud and hybrid environments. It offers real‑time risk detection, end‑to‑end audit trails, and customizable dashboards to streamline reporting and strengthen data protection.

You can access these solutions in the Content Hub today. To learn more, see: New Compliance Solutions in Microsoft Sentinel: HIPAA & GDPR Reports | Microsoft Community Hub

Join us at Ignite 2025 to learn about Microsoft’s latest innovations

Be the first to experience these innovations and more at Microsoft Ignite 2025. Register to secure your spot and explore the future of AI-powered security operations.

Updated Nov 18, 2025
Version 1.0