Microsoft Introduces Agentic Capabilities in Sentinel for Smarter Threat Defense

Microsoft has announced new capabilities in Microsoft Sentinel designed to support the use of autonomous AI agents in security operations. The updates, unveiled in a company blog post this week, aim to evolve Sentinel beyond a traditional SIEM to what Microsoft calls an "agentic platform."

"Defenders need to protect AI end-to-end and for that they need a platform that brings together data, context, automation and intelligent agents, enabling them to defend and adapt at AI speed," said Microsoft. "That platform is Microsoft Sentinel."

The Sentinel data lake, now generally available, offers a lower-cost ingestion and storage tier for both structured and semi-structured data. Microsoft said this allows organizations to retain security telemetry longer and enables richer historical analysis. Sentinel also adds a new graph layer, currently in public preview, that maps the relationships between entities, such as devices, users and alerts, across Microsoft security products. AI agents reach this graph through a Sentinel MCP (Model Context Protocol) server, which exposes Sentinel data to agents in a standard, tool-oriented form so they can reason over and act on live data.

The updates are designed to enable both Microsoft Security Copilot and external or custom AI agents to access and act on contextual data within enterprise environments. Under the new architecture, agents can perform tasks such as triaging alerts, summarizing incidents and enforcing policies. Microsoft states that agents must identify the data sources they use and provide documentation of their decision-making process, which is intended to improve transparency and accountability.

The announcement is part of Microsoft's broader investment in agentic AI -- systems designed to perform autonomous tasks based on defined goals and real-time environmental data.

Microsoft has previously said that agent oversight, identity tracking and governance will be central to its implementation of agentic systems. Each agent is assigned a unique identity through Microsoft Entra and can be subject to role-based access and policy controls. While Microsoft has not stated whether all agent actions require human approval, it emphasizes the importance of accountability and documentation as AI takes on more operational tasks.

Microsoft plans to make agent integration available via a new Microsoft Security Store, where organizations can deploy vetted third-party or partner-built agents. Sentinel's expanded capabilities are integrated with Microsoft Defender and Purview, and Microsoft said it is working on broader support across its ecosystem.

For organizations using or considering Microsoft Sentinel, the move toward agentic capabilities offers new ways to automate routine tasks and strengthen threat response. It also brings new architectural and governance challenges, especially in areas such as agent deployment, the scope of access granted to each agent identity, compliance and transparency. "We are entering a new era where security is adaptive, intelligent and acts at the speed of thought," said Microsoft. "The advances announced today are the foundation for a new generation of defense."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
