The IAM SME

Security – Identity – Cyber – Governance

Sentinel is moving to a new house.


Sentinel’s Moving House — Into Defender’s Flat

Microsoft’s decided Sentinel deserves a proper home. By 1 July 2026, it’ll be packed up and settled nicely into the Microsoft Defender portal. No more back-and-forth between flats (or portals)—it’s all under one roof now.

What’s Changing?

  • One-Stop Shop: Sentinel’s bags are packed and it’s leaving the Azure portal. Everything—alerts, rules, investigations—will now live in Defender.
  • Shared Incident Queue: Whether it’s Sentinel or Defender XDR blowing the whistle, they’ll pipe down into the same inbox. Much easier to keep the noise down.
  • Unified Threat Hunting: Run your KQL queries across both datasets like you mean business. More context, less faff.
  • Security Copilot On Tap: Automated responses, AI insights—like having the cleverest member of the IT team never call in sick.

Why It’s Actually Quite Brilliant

  • Streamlined Workflows: No more hopping between dashboards like a caffeine-fuelled squirrel. Everything’s where you need it.
  • Budget-Friendly Logs: The new Sentinel Data Lake claims to cut retention costs by up to 90%. You could buy a round with the savings (if anyone’s buying).
  • Better Threat Intelligence: Defender Threat Intel’s folding in too—real-time IOCs, MITRE mappings and more, included for free.

Mark Your Calendar

Date            What’s Happening
July 2025       You get a polite nudge: one year to get sorted
October 2025    MDTI rolls into the mix, phase one
July 2026       Azure portal locks the door; Defender takes over


If you’re managing Sentinel, now’s the time to dust off your migration plan, check those RBAC setups, and give your incident triage a dry run.

3 comments
Dirk Kambiz

Interesting, it looks like Microsoft are looking to compete in the unified SOC space.

Pedro Muffat

Finally…..

Seb

Sentinel finally gets a proper home! This post lays it out clearly: by 1 July 2026, all your Sentinel alerts, rules, and investigations will be consolidated into the Microsoft Defender portal. A unified incident queue and cross-dataset threat hunting mean less friction and more efficiency for security teams. Looking forward!