umamasurkar28
Nov 19, 2025

Microsoft Sentinel Graph with Microsoft Security Solutions

Why I Chose Sentinel Graph

Modern security operations demand speed and clarity. Attackers exploit complex relationships across identities, devices, and workloads. I needed a solution that could:

  • Correlate signals across identity, endpoint and cloud workloads.
  • Predict lateral movement and highlight blast radius for compromised accounts.
  • Integrate seamlessly with Microsoft Defender, Entra ID and Purview.

Sentinel Graph delivered exactly that, acting as the reasoning layer for AI-driven defense.

What's new: Sentinel Graph Public Preview

Sentinel Graph introduces:

  • Graph-based threat hunting: Traverse relationships across millions of entities.
  • Blast radius analysis: Visualize the impact of compromised accounts or assets.
  • AI-powered reasoning: Built for integration with Security Copilot.
  • Native integration with Microsoft Defender and Purview for unified security posture.

Uncover Hidden Security Risks

Sentinel Graph helps security teams:

  • Expose lateral movement paths that attackers could exploit.
  • Identify choke points where defenses can be strengthened.
  • Reveal risky relationships between identities, devices, and resources that traditional tools miss.
  • Prioritize remediation by visualizing the most critical nodes in an attack path.

This capability transforms threat hunting from reactive alert triage to proactive risk discovery, enabling defenders to harden their environment before an attack occurs.

How to Enable Defense at All Stages

Sentinel Graph strengthens defense across:

  • Prevention: Identify choke points and harden critical paths before attackers exploit them.
  • Detection: Use graph traversal to uncover hidden attack paths and suspicious relationships.
  • Investigation: Quickly pivot from alerts to full graph-based context for deeper analysis.
  • Response: Contain threats faster by visualizing blast radius and isolating impacted entities.

This end-to-end approach ensures security teams can anticipate, detect, and respond with precision.

How I Implemented It

Step 1: Enabling Sentinel Graph
  • If you already have the Sentinel Data Lake, the graph is auto-provisioned when you sign in to the Microsoft Defender portal.
  • Hunting graph and blast radius experiences appear directly in Defender.
  • New to Data Lake? Use the Sentinel Data Lake onboarding flow to enable both the data lake and graph.
Step 2: Integration with Microsoft Defender

Practical examples from my project:

  • Query: Show me all entities connected to this suspicious IP address.
    → Revealed lateral movement attempts across multiple endpoints.
  • Query: Map the blast radius of a compromised account.
    → Identified linked service principals and privileged accounts for isolation.
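As an added illustration of the blast-radius and choke-point reasoning described in "Uncover Hidden Security Risks" and in the Step 2 queries above (example code written for this post, not part of the original and not Sentinel Graph's own implementation): a small Python traversal over a constructed entity graph computes which entities a compromised account can reach and which intermediate entities sit on every path to a sensitive resource. The entity names and edges are made up for the example.

```python
from collections import deque

# Constructed sample entity graph (not real tenant data). A directed edge
# means "control of the source entity grants access to the target entity".
EDGES = [
    ("user:alice", "device:ws-01"),
    ("user:alice", "device:ws-02"),
    ("device:ws-01", "user:svc-backup"),      # cached service credential
    ("device:ws-02", "user:svc-backup"),
    ("user:svc-backup", "device:srv-file"),
    ("device:srv-file", "spn:app-reporting"),  # app secret stored on the server
    ("spn:app-reporting", "resource:storage-hr"),
    ("user:bob", "device:ws-03"),
    ("device:ws-03", "resource:storage-hr"),
]

def build_graph(edges):
    """Adjacency map; every entity gets a key even if it has no outgoing edges."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph

def blast_radius(graph, compromised):
    """All entities reachable from the compromised entity (breadth-first search)."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen

def choke_points(graph, compromised, target):
    """Entities whose removal cuts every path from compromised to target.
    Hardening or isolating these gives the most defensive value."""
    if target not in blast_radius(graph, compromised):
        return set()
    chokes = set()
    for node in graph:
        if node in (compromised, target):
            continue
        pruned = {n: {m for m in nbrs if m != node}
                  for n, nbrs in graph.items() if n != node}
        if target not in blast_radius(pruned, compromised):
            chokes.add(node)
    return chokes

if __name__ == "__main__":
    g = build_graph(EDGES)
    print("blast radius of user:alice:", sorted(blast_radius(g, "user:alice")))
    print("choke points to storage-hr:", sorted(choke_points(g, "user:alice", "resource:storage-hr")))
```

Here the two workstations are interchangeable, so neither is a choke point; the shared service account, the file server and the service principal each cut off the HR storage on their own, which is the ordering a defender would use to prioritise remediation.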

Step 3: Integration with Microsoft Purview
  • In Purview Insider Risk Management, follow Data Risk Graph setup instructions.
  • In Purview Data Security Investigations, enable Data Risk Graph for sensitive data flow analysis.

Example:

  • Query: Highlight all paths where sensitive data intersects with external connectors.
    → Helped detect risky data exfiltration paths.

Step 4: AI-Powered Insights

Using Microsoft Security Copilot, I asked:

  • Predict the next hop for this attacker based on current graph state.
  • Identify choke points in this attack path.

This reduced investigation time and improved proactive defense.

If you want to experience the power of Microsoft Sentinel Graph, here’s how you can get started:

  1. Enable Sentinel Graph
    • In your Sentinel workspace, turn on the Sentinel Data Lake. The graph will be auto-provisioned when you sign in to the Microsoft Defender portal.
  2. Connect Microsoft Security Solutions
    • Use built-in connectors to integrate Microsoft Defender, Microsoft Entra ID, and Microsoft Purview. This ensures unified visibility across identities, endpoints, and data.
  3. Explore Graph Queries
    • Start hunting with Sentinel Notebooks or take it a step further by integrating with Microsoft Security Copilot for natural language investigations.
    • Example: “Show me the blast radius of a compromised account.” or “Find everything connected to this suspicious IP address.”

You can sign up here for a free preview of Sentinel Graph MCP tools, which will also roll out starting December 1, 2025.
