
Microsoft Sentinel Announcements 22nd July 2025

Today, July 22nd 2025, Microsoft have announced two major enhancements to the Microsoft Sentinel platform.

This article outlines what these changes are. Below we have also included some further analysis of the impact they may have on our clients and on our Managed Security Service.

Microsoft Sentinel data lake

Microsoft have announced that Microsoft Sentinel data lake is now in preview. Prior to this announcement, many clients have been concerned about the cost of mass data ingestion into Sentinel and the cost of long-term storage of security event data.

A popular way of managing these costs is to use a third-party technology to distil event log entries down to those that are relevant and to pass only the more important data to Sentinel. These third-party technologies can reduce costs considerably, but they involve the adoption and management of two different technologies.

Sentinel data lake provides a first-party (Microsoft) cost-effective data lake within the Sentinel service. Storage costs are indicated to be very competitive, and the intention is to provide a mechanism that allows clients to ingest and store all of their security data in one integrated solution.

Sentinel data lake is now available in public preview, with general availability anticipated later this year.

Microsoft is converging Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel

Microsoft Defender XDR and Sentinel can ingest threat intelligence from multiple sources, both third-party and Microsoft. Some of these sources are free and community based, but services such as our Managed Security Service often consume paid-for threat intelligence from trusted third-party companies.

Microsoft have announced that they are converging Microsoft Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel, which will provide world-class, real-time threat intelligence. This convergence will grant customers access to Microsoft's extensive repository of both raw and finished threat intelligence, developed from 84 trillion daily signals and backed by over 10,000 security professionals. Previously, Microsoft Defender Threat Intelligence (MDTI) was available only at a significant additional cost.

The convergence of MDTI into Microsoft Sentinel and Defender XDR will take place over the course of several months and will be completed by the first half of next year. Features in the first phase of this convergence, which will be available by October, include:

Finished Threat Intelligence: Defender XDR customers will have access to Microsoft's comprehensive threat intelligence library. This includes exclusive analyses of threat activity and detailed content focused on threat actors, threat tooling and discovered vulnerabilities. This intelligence can be connected directly to related incidents and affected assets, revealing endpoint vulnerabilities and recommended actions.

The convergence of MDTI's finished intelligence into threat analytics also introduces threat actor-linked indicators of compromise (IOCs). IOCs will be updated in real time as new evidence emerges from Microsoft researchers, allowing analysts to investigate specific attacker infrastructure and behaviour, which supports more effective threat hunting and remediation.

IOCs in Case Management: Sentinel customers will be able to share threat actor IOCs via Sentinel case management to collaborate and share threat research across teams within their organisation. This streamlined sharing not only enhances cross-team collaboration but also accelerates the identification and containment of threats as new intelligence is discovered.

Implications of the Sentinel data lake Announcement

The Sentinel data lake announcement has a wide range of implications, as it opens up cost-effective security data architectures that were not previously available without using third-party solutions.

Implications to clients

Clients who use a third-party solution do not need to make any immediate change to their platform and do not need to adopt Sentinel data lake. However, we would recommend that they review the benefits that the data lake solution provides and make an informed decision as to whether the technology should be adopted in the future. If a client decides to adopt Sentinel data lake, there are multiple approaches to adoption, including continuing to use existing third-party infrastructure in the mid to long term and adding only new sources to Sentinel.

We expect to assist clients in conducting the necessary data architecture workshops to determine both mid- and long-term target architectures.

Implications to the Quorum Managed Security Service

We expect to assist each of our clients in adopting this new feature in a tailored manner that allows both them and us to readily query all available data sources. To this end, we are adopting Sentinel data lake internally so that we are fully conversant with the product set before our clients require our services.


Implications of the Defender Threat Intelligence Announcement

Implications to clients

Once MDTI is fully converged into Defender XDR and Sentinel, customer alerts, incidents and investigations will be automatically enriched with relevant threat context, enabling faster, more precise detection of and response to emerging threats. Customers will benefit from the entirety of MDTI's finished and raw intelligence, including open-source intelligence (OSINT), in-depth threat articles and advanced internet data sets.

Existing MDTI customers will continue to have full access to their current MDTI experience until the product is retired on August 1, 2026. We encourage clients to check with their licensing partner or Microsoft account team to understand how to reduce their current licence and transition to this new unified threat intelligence experience in Defender XDR or Sentinel at no additional cost.

Microsoft Defender Threat Intelligence (MDTI) can be consumed alongside multiple OSINT and paid-for feeds.

Implications to the Quorum Managed Security Service

We will be making this service available to all of our analysts and users across our own and all client subscriptions, subject to their approval and individual change management processes. We will continue to use our existing third-party threat intelligence sources, but will evaluate their relevance compared to the Microsoft offering.

Implications to the wider industry

Microsoft Defender XDR and Sentinel are by no means the only platforms in the security observability space. This announcement may reduce the number of Sentinel users consuming third-party threat intelligence feeds, but there will remain a robust market for these services across other XDR platforms. As such, we do not expect this announcement to have a significant impact on existing suppliers. However, it may well provoke price reductions from some suppliers in an effort to make their services justifiable as an additional source to augment the threat intelligence freely available within Sentinel.

These announcements mark a significant shift in how organisations can manage and optimise their security data. If you are unsure how these changes might affect your current setup, or if you are considering whether to continue with third-party tools or threat intelligence feeds, we are here to help.

Reach out to Quorum to discuss how these developments could impact your environment and how we can support you in making the most of Microsoft’s evolving security ecosystem.


CONTACT INFO

Quorum

18 Greenside Lane Edinburgh

UK EH1 3AH

Phone: +44 131 652 3954

Email: marketing@quorum.co.uk

© 2025 Quorum All Rights Reserved.
