MicrosoftMicrosoftNice article, but let’s be candid: the “unified portal” currently feels more like a frontend consolidation than true backend integration.
This is especially visible in Advanced Hunting, which remains unreliable after the Sentinel + Defender XDR integration. The underlying Log Analytics backends are still separate, so the exact same query may run against Advanced Hunting Log Analytics or Sentinel Log Analytics depending on the selected time range. That creates inconsistent behavior and results.
There are also schema mismatches between the two environments. For example, the AdditionalFields column in the DeviceInfo table is a string in XDR, but dynamic in Sentinel. Issues like this create constant friction for daily investigations, threat hunting, and detection engineering.
From a customer perspective, this is directly affecting operational efficiency. Unfortunately, despite multiple support cases and escalations, product team is not interested in providing improvements in those matters.
It is also worth noting that Sentinel Data Lake is still unavailable in many Azure regions, including major ones such as West Europe.
MicrosoftYou're right that Advanced Hunting currently surfaces behavioral differences depending on time range and which backend resolves the query. The schema inconsistencies (like AdditionalFields being string in XDR vs. dynamic in Sentinel tables) add friction for detection engineers who work across both. These are real gaps, and I understand the frustration — especially when support escalations don't move the needle. Will raise this up.
On the "frontend vs. backend" point — the article's thesis is specifically about what's coming through the unified platform that doesn't exist in standalone Sentinel at all: the 2-tier Data Lake architecture, Sentinel Graph for relationship-based investigation, and MCP-based AI agents. These are new backend capabilities, not UI consolidation. The correlation engine that links incidents across Defender XDR + Sentinel and others is also a backend integration that standalone Sentinel can't replicate.
Sentinel Data Lake is available in West EU with some capacity issues but it has been rolled out incrementally.
The opportunity for partners is in helping customers navigate exactly the kind of complexity you're describing.
