Introducing Databricks Lakewatch
What is Databricks Lakewatch and Why It Matters for Security Teams
Security teams are under increasing pressure.
Data volumes continue to grow, threats are more complex, and traditional SIEM platforms are becoming harder to manage cost-effectively. In many environments, costs are rising while less data is retained and visibility is reduced.
On 24 March, Databricks announced Lakewatch, an open, agentic SIEM designed for AI-driven security operations. The announcement reflects a broader shift in how security platforms are evolving, and with it a new approach is emerging: Databricks SIEM.
This blog explains what Databricks Lakewatch is, how it works, and why it will become an important part of modern security architecture.
What is Databricks Lakewatch?
Databricks Lakewatch is an approach to security analytics that combines traditional SIEM platforms with the Databricks Lakehouse.
It moves away from legacy SIEM systems that struggle to scale to large data volumes, towards a lakehouse-based architecture built on open file formats, with governance at its core and storage and compute that scale independently to handle large volumes.
This creates a security data platform that enables teams to:
• Retain larger volumes of security data
• Analyse data across multiple systems
• Apply machine learning to detection and investigation
• Investigate incidents over longer timeframes
How Databricks Lakewatch Works
Databricks Lakewatch uses a lakehouse architecture designed for scale and flexibility.
Security data is ingested from telemetry sources into Databricks, where it is stored and analysed.
Key elements include:
• Data ingestion from applications, identity systems, endpoints, and networks
• Delta Lake storage for structured, cost-efficient retention
• Normalisation using open schemas such as OCSF and ECS
• Intelligent analytics and machine learning for detection and investigation
By separating storage from compute, this model allows large volumes of data to be retained without compute costs rising in step with ingested volume: retention is paid for at object-storage rates, and compute is paid for only when the data is actually queried.
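The normalisation and cross-source correlation steps above are easier to see in code. The following is an added example written for this post, not Databricks or Telefónica Tech code: it takes two constructed raw formats (an OpenSSH auth.log line and a Windows Security event), maps both onto a common OCSF-style Authentication record, and runs one detection rule over the merged stream. The OCSF identifiers used (class_uid 3002 = Authentication, category_uid 3 = Identity & Access Management, activity_id 1 = Logon, status_id 1 = Success, 2 = Failure, the `unmapped` bag for leftover attributes) follow the OCSF schema; the field subset, the sample log lines, the assumed syslog year and the threshold values are choices made for the example. In a Databricks deployment the same functions would run inside a PySpark job writing to a Delta table rather than over Python lists.

```python
"""Normalise two raw log formats into OCSF-style Authentication events and
correlate failed logons by source IP across both products.

Added example, not Databricks or Telefónica Tech code. Sample telemetry is
constructed; OCSF numeric identifiers follow the OCSF schema, the field
subset is a choice made for this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

ASSUMED_YEAR = 2024  # syslog lines carry no year; assumption for the example

# Constructed sample telemetry (not from any real system).
SSHD_LINES = [
    "Mar 24 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2",
    "Mar 24 09:12:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51530 ssh2",
    "Mar 24 09:15:40 web01 sshd[2290]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2",
]
WINDOWS_EVENTS = [  # 4625 = failed logon, 4624 = successful logon
    {"EventID": 4625, "TimeCreated": "2024-03-24T09:12:10Z", "TargetUserName": "administrator",
     "IpAddress": "203.0.113.7", "Computer": "dc01"},
    {"EventID": 4624, "TimeCreated": "2024-03-24T09:13:00Z", "TargetUserName": "jsmith",
     "IpAddress": "10.0.0.5", "Computer": "dc01"},
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def _epoch_ms(dt):
    return int(dt.timestamp() * 1000)


def _ocsf_auth(time_ms, success, user, ip, host, product, log_name, unmapped):
    """Build the OCSF Authentication (class_uid 3002) subset used here."""
    return {
        "category_uid": 3, "class_uid": 3002, "activity_id": 1,
        "status_id": 1 if success else 2, "time": time_ms,
        "user": {"name": user}, "src_endpoint": {"ip": ip},
        "device": {"hostname": host},
        "metadata": {"product": {"name": product}, "log_name": log_name},
        "unmapped": unmapped,
    }


def normalise_sshd(line, year=ASSUMED_YEAR):
    m = SSHD_RE.match(line)
    if not m:
        return None  # not an auth event we map; keep raw line elsewhere
    dt = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return _ocsf_auth(_epoch_ms(dt), m["outcome"] == "Accepted", m["user"], m["ip"],
                      m["host"], "OpenSSH", "auth.log", {"method": m["method"]})


def normalise_windows(evt):
    if evt["EventID"] not in (4624, 4625):
        return None
    dt = datetime.strptime(evt["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return _ocsf_auth(_epoch_ms(dt), evt["EventID"] == 4624, evt["TargetUserName"],
                      evt["IpAddress"], evt["Computer"], "Microsoft Windows", "Security",
                      {"EventID": evt["EventID"]})


def normalise_all():
    """One event stream regardless of originating product."""
    events = [normalise_sshd(l) for l in SSHD_LINES] + [normalise_windows(e) for e in WINDOWS_EVENTS]
    return [e for e in events if e is not None]


def failed_logons_by_source(events, threshold=3, window_ms=5 * 60 * 1000):
    """Flag source IPs with >= threshold failed logons inside a sliding window,
    counting across every product because all events share the OCSF shape."""
    by_ip = defaultdict(list)
    for e in events:
        if e["class_uid"] == 3002 and e["status_id"] == 2:
            by_ip[e["src_endpoint"]["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        j = 0
        for i in range(len(evs)):
            while evs[i]["time"] - evs[j]["time"] > window_ms:
                j += 1
            n = i - j + 1
            if n >= threshold and n > alerts.get(ip, {}).get("failures", 0):
                window = evs[j:i + 1]
                alerts[ip] = {"failures": n,
                              "targets": sorted({e["device"]["hostname"] for e in window}),
                              "users": sorted({e["user"]["name"] for e in window})}
    return alerts


if __name__ == "__main__":
    print(json.dumps(failed_logons_by_source(normalise_all()), indent=2))
```

With these inputs the OpenSSH source alone shows two failures and the Windows source one, so neither trips a per-product rule with a threshold of three; only the merged, normalised stream does, which is the point of normalising before detecting.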
Why Databricks Lakewatch Matters
The Lakewatch announcement highlights several changes in security operations that make this approach increasingly important.
1. Data Volumes Continue to Increase
Security data is growing across cloud platforms, endpoints, applications, and identity systems. Traditional SIEM platforms often require trade-offs between cost and retention. Data may be filtered, sampled, or deleted to manage licensing and storage.
Databricks Lakewatch eases this constraint by keeping full-fidelity data on low-cost object storage for the long term, so retention is driven by investigative need rather than by licensing.
2. Threats Are Becoming More Automated
Attackers are increasingly using automation and AI to identify vulnerabilities and execute attacks at scale.
This reduces the time available to detect and respond. Databricks Lakewatch supports faster analysis by enabling:
• Large-scale data processing
• Cross-platform correlation
• More advanced detection techniques
3. Traditional SIEM Architectures Are Cost-Constrained
Most SIEM platforms couple storage and compute and license by ingested volume, so every byte ingested carries a cost. This leads to:
• Reduced data retention
• Limited historical analysis
• Gaps in visibility
Databricks Lakewatch separates storage from compute, allowing data to be stored cost-effectively and analysed when required.
4. Security Requires Broader Context
Security investigations increasingly depend on data beyond traditional logs. Relevant signals may include:
• Identity and access activity
• Business applications
• Collaboration platforms
• Operational data
Databricks Lakewatch enables analysis across these sources in one platform, improving context and decision-making.
From SIEM to Security Data Platforms
The introduction of Lakewatch reflects a shift towards security data platforms.
In this model:
• Data is stored in open formats
• Analytics runs directly on the data platform
• Machine learning is integrated into detection and investigation
• Security teams can query data across systems
Databricks Lakewatch aligns with this approach by extending traditional SIEM systems with a scalable data foundation.
Databricks Lakewatch Use Cases by Industry
The ability to retain and analyse large volumes of data over time creates new opportunities across industries.
- Healthcare: Monitor access to sensitive patient records across identity, application, and endpoint data, supporting GDPR and NHS compliance through extended data retention.
- Public Sector: Enable long‑term audit and investigation across multiple systems, helping organisations meet national security frameworks and regulatory requirements.
- Retail and E-commerce: Detect account takeover attempts by correlating web, device, and authentication data, and analyse fraud patterns during high‑volume trading periods.
- Financial Services: Correlate transaction data with identity and authentication events to identify fraud patterns, while supporting regulatory reporting through long‑term, queryable security data.
- Manufacturing and Supply Chain: Correlate operational technology (OT) and IT security data to detect anomalies, while monitoring supplier and third‑party risk over longer timeframes.
What This Means for Security Teams
Adopting Databricks Lakewatch changes how security operations are delivered.
Teams can:
• Reduce reliance on high-cost SIEM storage
• Retain and analyse more historical data
• Improve investigation speed and effectiveness
• Apply machine learning to detection and analysis
• Gain visibility across multiple systems
This supports a more scalable and flexible approach to security analytics.
How Telefónica Tech Supports Databricks Lakewatch
Telefónica Tech works with Databricks to help organisations adopt this model.
This includes:
• Assessing SIEM costs and data architecture
• Designing Databricks Lakewatch solutions
• Integrating with existing security platforms
• Building analytics and detection use cases
Learn more about Databricks Lakewatch with Telefónica Tech here.
Start Your SIEM Modernisation Journey
The Lakewatch announcement signals a clear direction for security platforms.
Traditional SIEM tools remain important, but they are no longer sufficient on their own.
Databricks Lakewatch provides a way to extend SIEM with scalable data storage and advanced analytics, helping security teams improve visibility, manage costs, and strengthen operations.
Speak to our team to assess how this approach can support your security strategy.