Lakewatch: Databricks introduces agent-based Open SIEM with Claude integration

With Lakewatch, Databricks presents an open SIEM based on Lakehouse. AI agents are intended to automatically detect and triage threats in data pools.

The company Databricks has introduced Lakewatch, a new SIEM system (Security Information and Event Management) that aims to break new ground in security monitoring. Lakewatch is based on an open Security Lakehouse architecture, setting itself apart from established SIEM offerings that typically couple storage and compute, according to the announcement. AI agents are intended to automatically detect, triage, and initiate countermeasures against threats.

As Databricks explains in its blog, Lakewatch enables companies to consolidate all security, IT, and business data in a unified environment – including multimodal formats like video and audio in the petabyte range. Databricks promises up to 80 percent lower total cost of ownership compared to traditional SIEM systems. According to Databricks, these systems discard a large portion of incoming telemetry data to keep storage costs under control. Lakewatch, on the other hand, decouples storage and compute and retains all data.

Lakewatch uses the Open Cybersecurity Schema Framework (OCSF) as an open standard for data normalization. Security logs from both structured and unstructured sources are automatically converted into a unified schema. Data ingestion occurs via Lakeflow Connect, which connects sources like AWS or Okta. Governance and compliance requirements such as NIS2 or DORA can be covered through the fine-grained access controls of the Unity Catalog.

The core of Lakewatch consists of agent-based functions: with the Agent Bricks introduced last year, custom security agents can be created that analyze telemetry data in a variety of formats. They correlate signals, reduce false alarms, and shorten the mean time to detect and respond (MTTD/MTTR). For natural language queries and automated triage workflows, Databricks integrates its AI agent Genie. Detection-as-Code approaches with YAML, SQL, and Python also enable automated tests via CI/CD pipelines.
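To illustrate how OCSF normalization and detection-as-code fit together, here is an added example that is not Databricks or Lakewatch code: two constructed vendor-style records (an Okta-like and an AWS-like login event, assumed formats) are mapped onto a minimal OCSF Authentication event, and a detection rule written as a plain Python function is then unit-tested the way a CI/CD pipeline would test it. The OCSF field subset used is simplified; the threshold and the sample values are assumptions.

```python
"""Added example: OCSF-style normalisation plus a detection-as-code rule.

Not Databricks/Lakewatch code. Field names follow the OCSF Authentication
class (class_uid 3002, category_uid 3) in simplified form; the raw events,
source formats and the rule threshold below are constructed for illustration.
"""
from collections import defaultdict

# Constructed raw events from two hypothetical sources (Okta-style and AWS-style).
RAW_EVENTS = [
    {"source": "okta", "published": 1700000000, "actor": "alice",
     "client_ip": "203.0.113.5", "outcome": "FAILURE"},
    {"source": "okta", "published": 1700000030, "actor": "alice",
     "client_ip": "203.0.113.5", "outcome": "FAILURE"},
    {"source": "aws", "eventTime": 1700000060, "userIdentity": "alice",
     "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied"},
    {"source": "aws", "eventTime": 1700000090, "userIdentity": "bob",
     "sourceIPAddress": "198.51.100.7", "errorCode": None},
]

def to_ocsf(raw):
    """Map a vendor-specific record onto a minimal OCSF Authentication event."""
    if raw["source"] == "okta":
        failed = raw["outcome"] == "FAILURE"
        time, user, ip = raw["published"], raw["actor"], raw["client_ip"]
    else:  # aws-style record
        failed = raw["errorCode"] is not None
        time, user, ip = raw["eventTime"], raw["userIdentity"], raw["sourceIPAddress"]
    return {
        "class_uid": 3002, "category_uid": 3, "activity_id": 1,  # Authentication / IAM / Logon
        "status_id": 2 if failed else 1,                         # 1 = Success, 2 = Failure
        "time": time,
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": ip},
        "metadata": {"product": {"vendor_name": raw["source"]}},
    }

def failed_logon_burst(events, threshold=3, window_s=300):
    """Detection rule: at least `threshold` failed logons for one user within
    `window_s` seconds, regardless of which source reported them. Correlating
    across sources is only possible because the events were normalised first."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["class_uid"] == 3002 and e["status_id"] == 2:
            failures[e["actor"]["user"]["name"]].append(e["time"])
    hits = []
    for user, times in failures.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_s:
                hits.append(user)
                break
    return hits

def run_pipeline(raw_events=RAW_EVENTS):
    """Normalise, then detect; returns the users the rule fired on."""
    return failed_logon_burst([to_ocsf(r) for r in raw_events])
```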

For agent reasoning, Databricks relies on Claude models from Anthropic. The two companies have deepened their partnership in conjunction with the Lakewatch announcement: Claude 3.7 Sonnet is used for signal correlation and threat analysis. In return, Anthropic uses Databricks' Security Lakehouse infrastructure. The approach of letting AI agents work together as teams is also reflected in Anthropic's multi-agent systems for code reviews.

Databricks is deliberately positioning Lakewatch as an open ecosystem. At launch, partners include Palo Alto Networks, Zscaler, Wiz (Google Cloud), Okta, CrowdStrike competitor Arctic Wolf, Cribl, and Deloitte, among others. The development also includes two acquisitions: Antimatter (secure authentication for AI agents) and SiftD.ai, founded by the inventor of the Splunk query language SPL. Adobe and Dropbox are among the first selected customers testing the SIEM system. According to the announcement, Lakewatch is available immediately as a private preview.

(map)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.