Microsoft Sentinel Introduces Custom Graphs Support in Public Preview

Microsoft Sentinel adds custom graphs to help security teams visualize relationships and uncover hidden attack paths faster.

Microsoft Security image

Key Takeaways:

  • Microsoft Sentinel introduces custom graphs to visualize relationships across security data.
  • This feature helps discover hidden attack paths, privilege abuse, and complex multi-entity threats.
  • It enables more tailored, environment-specific threat investigations using flexible graph models.

Microsoft has introduced custom graphs support in Microsoft Sentinel, which is available in public preview starting April 1, 2026. This new capability is designed to help security teams better understand and investigate complex attacks by visualizing relationships across security data in a more connected way.

Modern cyberattacks span multiple entities (users, devices, identities, applications, and data), and traditional table‑based queries can hide these connections. Custom graphs address this by showing how entities relate to one another, which makes it easier to discover real risks that might otherwise go unnoticed, such as indirect attack paths or over‑privileged access chains.

How custom graphs work?

Custom graphs work by modeling security data as a network of connected entities, where users, devices, identities, workloads, and data stores become nodes and their interactions (such as access, movement, or delegation) form the links between them. Analysts can run graph queries and analytics to trace attack paths, measure blast radius, detect privilege abuse, and surface unusual patterns that are difficult to identify when events are viewed only as isolated logs or alerts.

Unlike predefined graphs, custom graphs allow teams to design relationship models that reflect the unique structure of their own environment, which blends data from the Microsoft Sentinel data lake with non‑Microsoft and third‑party sources. This adaptability enables security teams to represent real‑world attack scenarios specific to their infrastructure and risks, which helps them move beyond generic detections and conduct investigations that align closely with how their organization actually operates.

Once created, custom graphs can be examined to reveal how attacks move through an environment, including hidden attack paths, privilege escalation chains, and critical choke points that influence blast radius. These insights expose unusual relationships and patterns that standard queries often miss, allowing SOC teams to investigate incidents more quickly and make decisions with greater confidence.