
Microsoft Sentinel Blog

Microsoft Sentinel data federation: Expand visibility while preserving governance

chaitra_satish
Apr 14, 2026


Security data volumes are growing faster than ever, but visibility across the entire digital estate hasn’t kept pace. As organizations expand across cloud, hybrid, and SaaS environments, critical security-relevant data is increasingly stored across multiple data stores due to governance and compliance requirements.

Microsoft understands this reality. Microsoft Sentinel data federation, now in public preview, is designed to meet customers where their data already lives, while preserving governance. Powered by Microsoft Fabric, customers can federate data from Microsoft Fabric, Azure Data Lake Storage (ADLS) Gen 2, and Azure Databricks into Sentinel data lake, without copying or duplicating the data. Security teams can analyze data in place, unifying detections, investigations, and hunting across a broader digital estate, while data owners retain full ownership and policies remain intact.

Sentinel data federation benefits

Data federation ensures security data remains at its source while appearing seamlessly alongside native Sentinel data in the Sentinel data lake.

  • This allows security teams to work with governed data confidently—without duplicating data or disrupting existing data ownership and compliance models.
  • Using familiar Sentinel tools such as KQL hunting, notebooks, and custom graphs, teams can correlate signals, investigate incidents, and hunt across federated and ingested data in a unified experience. Analysts can seamlessly connect signals across domains and accelerate investigations.
  • By running analytics on federated data first, customers can evaluate which datasets consistently deliver security value. Over time, high‑value data can be ingested into Sentinel data lake to unlock deeper detections, automation, and AI‑driven insights.

Sentinel data federation allows security teams to start broad, stay governed, and scale security analytics with clarity.

Customer use cases enabled by Sentinel data federation

Cross-domain threat hunting across the enterprise

With Sentinel data federation, Sentinel becomes the orchestration layer for advanced security analytics, not just a repository for ingested data.

By querying external data sources in place, security teams can:

  • Run single KQL threat hunts that span Sentinel-native tables and federated data sources.
  • Correlate security signals with business, identity, fraud, and application telemetry that may never be ingested into Sentinel.
  • Perform investigations across years of historical data without migrating or reshaping it.

This enables SOC teams to move beyond siloed investigations and uncover patterns that only emerge when data is analyzed across the full digital estate.

“Microsoft leads the market in cloud‑native SIEM. Now with support for data federation, Sentinel is enabling security teams to analyze security data wherever it lives, preserving governance. For customers and managed security providers alike, this marks a pivotal shift in what a modern cloud SIEM can enable.”

— Micah Heaton | Strategy Leader at BlueVoyant

AI-ready tooling for advanced security analytics

By extending Sentinel’s security knowledge layer across federated data, customers can:

  • Leverage Sentinel custom graphs and AI/MCP tools to run analytics across federated and ingested data together.
  • Deliver immediate investigative value to SOC teams by enriching incidents with broader context.
  • Enable data scientists and advanced analysts to perform iterative threat discovery without copying or staging massive datasets into the Sentinel data lake.

This approach allows customers to apply advanced analytics and AI techniques to security problems at scale, while preserving governance and avoiding unnecessary data movement.

Data federation as a path to deeper Sentinel value

Data federation is not a replacement for ingestion; it’s a governance-first approach.

Many customers follow a natural progression:

  1. Federate data to explore and investigate
  2. Identify high-value signals through real investigations
  3. Ingest valuable security data into Sentinel data lake over time
  4. Unlock detections, automation, and AI-powered insights at scale

This approach helps customers realize Sentinel value earlier while setting them up for long-term success.


Published Apr 14, 2026
Version 1.0