
Databricks Lakewatch: The First True Agentic SIEM for the Lakehouse

By Dillip Chowdary, Mar 24, 2026

The **SIEM** (Security Information and Event Management) market has been ripe for disruption for a decade, and today **Databricks** delivered the knockout blow. Unveiled at their Spring Security Summit, **Databricks Lakewatch** is being billed as the world's first "Agentic SIEM." Built natively on the **Delta Lake** architecture and powered by **Anthropic's Claude 4.6** reasoning engine, Lakewatch moves beyond simple alerting into autonomous threat hunting and investigation.

Moving Security to the Data, Not the Other Way Around

Traditional SIEMs like Splunk or Sentinel require data to be ingested into proprietary silos, leading to massive egress costs and "data lag." **Lakewatch** flips the script by running security logic directly on the **Lakehouse**. This means security teams can analyze petabytes of historical logs without moving a single byte. By leveraging **Unity Catalog** for unified governance, Lakewatch can correlate network logs, cloud trail events, and application telemetry in a single, high-performance environment.

The "Agentic" part comes from the deep integration with **Anthropic Claude**. Unlike traditional AI assistants that simply summarize alerts, Lakewatch's agents can independently formulate a hypothesis, write **SQL** queries to test it, analyze the results, and then pivot to a different data source if the hypothesis is disproven. This mimics the workflow of a senior **SOC** (Security Operations Center) analyst at machine speed.

Autonomous Investigation Workflows

When Lakewatch detects a potential anomaly—such as a suspicious **IAM** role assumption followed by a large data transfer—it doesn't just fire an alert. It spawns a dedicated **Investigation Agent**. This agent immediately gathers context: Who owns the IAM role? What IP addresses were involved? Has this pattern occurred elsewhere in the industry? The agent then presents a complete, cited report to the human operator, often before the operator has even seen the initial alert.
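As an added illustration of the anomaly pattern described above (this is not Lakewatch's code or schema), here is the kind of correlation logic a SOC would run over CloudTrail-style tables: an IAM role assumption followed within a time window by a large transfer under that role, enriched with the role owner and source IP the Investigation Agent is said to gather. The table names, columns, ownership map and sample events are constructed assumptions, and an in-memory SQLite database stands in for the Lakehouse.

```python
import sqlite3

# Constructed sample events standing in for CloudTrail-style tables in the
# Lakehouse; table and column names are assumptions, not Lakewatch's schema.
ASSUME_ROLE_EVENTS = [  # (event_time, principal, role_arn, source_ip)
    ("2026-03-24T09:00:00", "alice", "arn:aws:iam::111122223333:role/ReadOnly", "203.0.113.10"),
    ("2026-03-24T09:05:00", "svc-etl", "arn:aws:iam::111122223333:role/DataExport", "198.51.100.7"),
    ("2026-03-24T11:00:00", "bob", "arn:aws:iam::111122223333:role/DataExport", "192.0.2.44"),
]
TRANSFER_EVENTS = [  # (event_time, role_arn, bytes_out, destination)
    ("2026-03-24T09:20:00", "arn:aws:iam::111122223333:role/DataExport", 120 * 1024**3, "external-bucket"),
    ("2026-03-24T11:10:00", "arn:aws:iam::111122223333:role/DataExport", 5 * 1024**2, "internal-bucket"),
    ("2026-03-24T13:30:00", "arn:aws:iam::111122223333:role/ReadOnly", 900 * 1024**3, "external-bucket"),
]
ROLE_OWNERS = {  # constructed ownership metadata answering "who owns the IAM role?"
    "arn:aws:iam::111122223333:role/ReadOnly": "analytics-team",
    "arn:aws:iam::111122223333:role/DataExport": "data-platform-team",
}

# Join each role assumption to transfers under that role inside the time window.
CORRELATION_SQL = """
SELECT a.principal, a.role_arn, a.source_ip, a.event_time, t.event_time, t.bytes_out, t.destination
FROM assume_role a
JOIN data_transfer t ON t.role_arn = a.role_arn
 AND julianday(t.event_time) > julianday(a.event_time)
 AND (julianday(t.event_time) - julianday(a.event_time)) * 1440.0 <= :window_minutes
WHERE t.bytes_out >= :threshold_bytes
ORDER BY a.event_time
"""
COLUMNS = ("principal", "role_arn", "source_ip", "assumed_at", "transfer_at", "bytes_out", "destination")

def find_suspicious_sequences(assume_role_events, transfer_events,
                              window_minutes=60, threshold_bytes=50 * 1024**3):
    """Return role assumptions followed within window_minutes by a transfer of at
    least threshold_bytes under the assumed role, enriched with the role owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assume_role (event_time TEXT, principal TEXT, role_arn TEXT, source_ip TEXT)")
    conn.execute("CREATE TABLE data_transfer (event_time TEXT, role_arn TEXT, bytes_out INTEGER, destination TEXT)")
    conn.executemany("INSERT INTO assume_role VALUES (?, ?, ?, ?)", assume_role_events)
    conn.executemany("INSERT INTO data_transfer VALUES (?, ?, ?, ?)", transfer_events)
    params = {"window_minutes": window_minutes, "threshold_bytes": threshold_bytes}
    rows = conn.execute(CORRELATION_SQL, params).fetchall()
    conn.close()
    findings = []
    for row in rows:
        finding = dict(zip(COLUMNS, row))
        finding["role_owner"] = ROLE_OWNERS.get(finding["role_arn"], "unknown")
        findings.append(finding)
    return findings
```

With the default 60-minute window and 50 GB threshold only the svc-etl assumption of DataExport is flagged; widening the window or lowering the threshold shows how the same query tolerates benign small transfers and distant events.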

Technically, Lakewatch utilizes Databricks' **Serverless Compute** to scale investigation resources on-demand. This is paired with a new feature called **"Log-to-Logic"** (L2L), which translates unstructured logs into a semantic graph that Claude can reason over. This solves the "dirty data" problem that has historically made AI-driven security difficult to implement at scale.

Technical Insight: The Anthropic Edge

Databricks chose Anthropic Claude for its superior tool-use reliability and lower hallucination rates compared to other frontier models. Claude's "Constitutional AI" framework also ensures that the security agents strictly adhere to corporate compliance policies during autonomous investigations.

Impact on the Security Operations Center

The goal of Lakewatch is not to replace security analysts, but to solve the **"Alert Fatigue"** crisis. By automating the first 30–60 minutes of every investigation, Lakewatch allows human analysts to focus on high-level strategy and complex response. Databricks claims that early beta testers saw a 70% reduction in **Mean Time to Resolution** (MTTR) for critical incidents.

The pricing model is also disruptive. Instead of charging per GB of ingestion, Databricks is charging based on **Compute usage** and **Agent outcomes**. This aligns the cost of the tool with the value it provides, a significant shift from the legacy "tax on data" model. Lakewatch is available in public preview starting today for all **Databricks SQL** customers.
