Microsoft Sentinel Gets Smarter with Expanded Data Lake Ingestion, AI-Powered SIEM Migration

Microsoft Sentinel updates focus on cost efficiency, clearer insights, and faster threat response.

Key Takeaways:

  • Expanded data lake ingestion brings more Microsoft Defender signals into Microsoft Sentinel.
  • New AI-powered migration tools simplify the shift from legacy SIEMs like QRadar to Microsoft Sentinel.
  • Updates to connectors, ASIM, and behavioral analytics enhance visibility without adding complexity.

Microsoft Sentinel has announced several updates that improve how organizations bring in security data and manage it across different sources. These changes focus on making business operations clearer and more efficient for IT teams working to understand activity in their environments.

Microsoft Sentinel now supports direct ingestion of data from Microsoft Defender for Office (MDO) and Microsoft Defender for Cloud Apps (MDA) into the Sentinel data lake. Until now, this capability was only available for Microsoft Defender for Endpoint (MDE) data. Administrators can choose to ingest supported XDR tables into the data lake tier by selecting the data lake tier option when configuring retention settings. This expansion enables cost‑effective long‑term retention, centralized data management, and enhanced historical analysis.

Accelerated migration from QRadar to Microsoft Sentinel

Additionally, Microsoft has introduced a new AI-powered SIEM migration experience to help organizations seamlessly transition from IBM QRadar to Microsoft Sentinel. This new feature helps organizations move their existing detection rules and activate the necessary data connectors when switching to Sentinel’s cloud‑based SIEM. This streamlining boosts visibility across their environment, speeds up threat identification, and supports more advanced, cloud‑driven security operations.

Microsoft also offers free migration assistance through the Cloud Accelerate Factory program. All eligible customers can get hands‑on support to rapidly set up Sentinel and transition from platforms like Splunk or QRadar using the enhanced SIEM migration experience.

Growth of the connector ecosystem

Microsoft has announced new and expanded native and partner Sentinel connectors, which were originally announced at Ignite 2025. This release expands the ecosystem to more than 350 integrations that help organizations unify signals, strengthen analytics, and enhance threat response across diverse environments. These additions offer broader coverage across cloud security, identity, endpoint protection, IT operations, and threat intelligence.

Updated ASIM schema for better normalization

Microsoft has updated the Advanced Security Information Model (ASIM) to ensure that all schemas follow a unified standard. This creates consistent field coverage and a reliable foundation for faster parser development and future normalization enhancements. The update also adds inspection and risk fields to older schemas, which enables more uniform handling of security findings and risk information across different activity types.

Last but not least, Microsoft has introduced a new UEBA Behaviours layer in public preview in Microsoft Sentinel. This new feature interprets raw security telemetry by turning sequences of events into clear, human‑readable behavioral insights.