A common client request I've gotten over the past several years is how to best manage growing data costs in the security information and event management (SIEM) system. For many, it requires a strategic approach to storing and accessing the data: either use cold/frozen storage, separate analytics, and ingest using a data cloud like Snowflake; or use a data pipeline management tool to reduce data volumes and potentially route it to a lower-cost storage option. Since Amazon Security Lake popped onto the scene in 2023, many have used it as a low-cost option to store long-term data in the Open Cybersecurity Schema Framework for easy access. Other vendors have also launched storage solutions for low-cost, long-term data storage (e.g., Cribl Lake), which can be especially helpful if you're already using the tool for data routing.
Data, Data Everywhere, And No Perfect Solution
However, security data management issues have persisted. In The Forrester Wave™: Security Analytics Platforms, Q4 2022, one piece of customer feedback Microsoft Sentinel customers gave was that the offering is expensive because its pricing model is based on the volume of data ingested, and predicting costs can be difficult. Similar concerns came up across vendors in the recently released update of that report, The Forrester Wave™: Security Analytics Platforms, Q2 2025. Although it's not the only SIEM system in which customers have had this issue, it's the one we're talking about today, as Microsoft just announced the Microsoft Sentinel Data Lake.
Microsoft Takes The Data Lake Plunge
Microsoft Sentinel Data Lake is now a feature of Microsoft Sentinel, providing a low-cost data storage option that's still accessible within the platform. In a major architectural change, it shifts the platform to having two data tiers: the analytics tier (more expensive, used for detections, investigation, etc.) and the data lake tier for long-term storage.
According to Microsoft, data retention in the data lake tier is priced at less than 15% of its traditional analytics logs. You can still access the data in the data tier using KQL and create retrohunts (scheduled or otherwise) across the data that promote the data into the analytics tier (for a fee, of course). Users can also interact with the data using the Microsoft Sentinel Visual Studio Code extension and PySpark. This can support better data exploration via Jupyter notebooks, a pivotal change that speaks to users' growing need to have better control and understanding of their data for detection engineering.
Carry Your Own Water To Learn The Value Of Every Drop
An African proverb says, "If you carry your own water, you'll learn the value of every drop." This also applies to security data. Even with a security data lake like Microsoft Sentinel Data Lake, you still need to be strategic with the data you bring into the platform. Before this, we saw some customers make sacrifices with the data they ingested into Sentinel versus the data they put into Azure Log Analytics so they could have that long-term storage accessible in some form. This simplifies the equation by giving an option in which long-term data is made to be used and potentially promoted in Sentinel directly. It's still critical to decide what data you need immediately for detection and response versus what data needs to be stored long term for access for compliance and threat hunting.
But Wait, There's More
Another part of the Microsoft announcement that may have slipped under the radar is that Microsoft Defender Threat Intelligence will be converged into Defender XDR and Sentinel at no additional cost, starting in October 2025. This is in line with changes from Cisco Splunk, which now integrates Cisco Talos threat intelligence into the enterprise security license at no cost. It's also in line with much of the security industry's evolution to a platform approach.
Let's Connect
To discuss your options and strategize on how to make the best use of these announcements, set up a guidance session or inquiry with me.
I'll also be speaking at Forrester's Security & Risk Summit 2025 in Austin, Texas, from November 5–7.