====== Lakewatch ======

**Lakewatch** is a security data platform developed by Databricks that implements an open lakehouse architecture for unified security telemetry management. As of 2026 the platform is in Private Preview. It is positioned as a modern approach to security information and event management (SIEM) infrastructure, designed to consolidate security, IT, and business telemetry at petabyte scale (([[https://www.databricks.com/blog/alert-fatigue-business-risk|Databricks - Alert Fatigue and Business Risk (2026)]])).

===== Architecture and Technical Foundation =====

Lakewatch is built on an open lakehouse architecture, which combines elements of data lakes and data warehouses in a single data management system. Because the platform is not bound by the per-volume ingestion limits of proprietary SIEM products, it is designed to ingest and process 100% of an organization's security, IT, and business telemetry from diverse sources (([[https://www.databricks.com/blog/alert-fatigue-business-risk|Databricks - Alert Fatigue and Business Risk (2026)]])).

The platform uses the Open Cybersecurity Schema Framework (OCSF) for automated normalization of incoming telemetry. OCSF is a vendor-neutral schema that represents security events as a fixed set of event classes with common attributes, so that records from firewalls, endpoint detection and response (EDR) systems, cloud providers, and traditional security appliances can be mapped onto one consistent format. This addresses a fundamental problem in enterprise security operations: every vendor and tool emits events in its own format, and a detection written against one format does not apply to another. Once events share a schema, a single query or detection can run across all sources. Normalization still depends on a maintained mapping per source; attributes a source does not provide are simply absent from the normalized event rather than inferred (([[https://www.databricks.com/blog/alert-fatigue-business-risk|Databricks - Alert Fatigue and Business Risk (2026)]])).

===== Agent-Based Approach =====

Lakewatch incorporates **Agent Bricks**, Databricks' framework for agentic security operations. Rather than relying on static rules and manual alert triage, Agent Bricks enable automated decision-making and response workflows within the security data platform. The agents operate directly on the unified telemetry layer, so they can reason over the complete dataset rather than over the partial view that siloed SIEM deployments expose (([[https://www.databricks.com/blog/alert-fatigue-business-risk|Databricks - Alert Fatigue and Business Risk (2026)]])).

===== Security Tax Elimination =====

A key value proposition of Lakewatch is its approach to reducing the "security tax": the operational burden and cost overhead that organizations incur when implementing and maintaining proprietary SIEM solutions. Traditional SIEM platforms typically charge for ingestion, storage, and licensing in proportion to data volume, which pushes security teams to filter out sources or shorten retention, and so limits the historical telemetry available for investigation.

By building on an open lakehouse rather than a proprietary platform, Lakewatch lets organizations reuse existing data infrastructure investments and avoid vendor lock-in. Storage and compute are still paid for, but they are decoupled from SIEM licensing, and data kept in open formats remains queryable by other tools. The use of a standardized schema (OCSF) and open-source tooling for normalization further reduces the operational overhead typically associated with proprietary SIEM deployments (([[https://www.databricks.com/blog/alert-fatigue-business-risk|Databricks - Alert Fatigue and Business Risk (2026)]])).

===== Current Status and Availability =====

As of May 2026, Lakewatch remains in Private Preview, meaning access is limited to selected customers ahead of general availability. The capabilities described here, including petabyte-scale ingestion, the Agent Bricks integration, and the OCSF normalization pipeline, should be read as preview-stage and subject to change before general release.
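The following is an added worked example, not Lakewatch or Databricks code, of the OCSF normalization described under Architecture and Technical Foundation. Four constructed records in invented firewall, cloud-audit and EDR formats are mapped onto a simplified subset of OCSF's Network Activity and Authentication classes, validated, and then queried by one detection that never looks at a vendor format. The class, category, activity, status and severity codes are OCSF's; the input formats, the ''filterlog'' and ''cloud-audit'' product names, and the ''1.1.0'' schema version string are assumptions.

```python
"""OCSF normalization of constructed firewall, cloud-audit and EDR records,
followed by one detection over the normalized set. Added example, not
Databricks or Lakewatch code. Numeric codes follow OCSF (Authentication =
class 3002 in category 3, Network Activity = class 4001 in category 4,
type_uid = class_uid * 100 + activity_id); the attribute subset is simplified
and should be checked against the OCSF version you target."""
import json
import re
from datetime import datetime

AUTHENTICATION, NETWORK_ACTIVITY = (3, 3002), (4, 4001)  # (category_uid, class_uid)
ACTIVITY_LOGON, ACTIVITY_TRAFFIC = 1, 6
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEV_INFO, SEV_MEDIUM = 1, 3
REQUIRED = ("category_uid", "class_uid", "activity_id", "type_uid",
            "time", "severity_id", "metadata")

# Constructed sample input; all three formats are invented for this example.
FIREWALL_LINE = ("<134>2026-01-14T10:22:01Z fw01 filterlog: "
                 "pass,tcp,10.0.1.25,52344,203.0.113.9,443")
CLOUD_AUTH_JSON = json.dumps({
    "eventTime": "2026-01-14T10:22:03Z", "eventName": "ConsoleLogin",
    "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7",
    "responseElements": {"ConsoleLogin": "Failure"}})
EDR_LINES = [
    "ts=1768386125 sensor=edr host=wks-17 user=bob action=logon result=success src=10.0.2.8",
    "ts=1768386140 sensor=edr host=wks-17 user=alice action=logon result=failure src=10.0.2.8"]
SAMPLE_RECORDS = [("firewall", FIREWALL_LINE), ("cloud", CLOUD_AUTH_JSON),
                  ("edr", EDR_LINES[0]), ("edr", EDR_LINES[1])]
FW_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) filterlog: (?P<act>\w+),(?P<proto>\w+),"
                   r"(?P<src>[\d.]+),(?P<sport>\d+),(?P<dst>[\d.]+),(?P<dport>\d+)$")

def _epoch_ms(iso):
    """ISO-8601 UTC timestamp -> OCSF 'time' (epoch milliseconds)."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000)

def _base(category_uid, class_uid, activity_id, time_ms, severity_id, product):
    """Attributes every OCSF event carries; type_uid is derived, never copied from input."""
    return {"category_uid": category_uid, "class_uid": class_uid,
            "activity_id": activity_id, "type_uid": class_uid * 100 + activity_id,
            "time": time_ms, "severity_id": severity_id,
            "metadata": {"product": {"name": product}, "version": "1.1.0"}}  # version assumed

def from_firewall(line):
    """Network Activity (4001) event from the constructed firewall format."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError("unrecognized firewall line")
    ev = _base(*NETWORK_ACTIVITY, ACTIVITY_TRAFFIC, _epoch_ms(m["ts"]), SEV_INFO, "filterlog")
    ev["src_endpoint"] = {"ip": m["src"], "port": int(m["sport"])}
    ev["dst_endpoint"] = {"ip": m["dst"], "port": int(m["dport"])}
    ev["connection_info"] = {"protocol_name": m["proto"]}
    ev["device"], ev["action"] = {"hostname": m["host"]}, m["act"]
    return ev

def _logon(time_ms, user, src_ip, success, product, hostname=None):
    """Authentication (3002) logon event shared by the cloud and EDR mappings."""
    ev = _base(*AUTHENTICATION, ACTIVITY_LOGON, time_ms, SEV_INFO if success else SEV_MEDIUM, product)
    ev["status_id"] = STATUS_SUCCESS if success else STATUS_FAILURE
    ev["user"], ev["src_endpoint"] = {"name": user}, {"ip": src_ip}
    if hostname:  # a source that lacks a field leaves it absent; nothing is synthesized
        ev["device"] = {"hostname": hostname}
    return ev

def from_cloud_auth(raw_json):
    """Authentication event from the constructed cloud-audit JSON; unknown types are rejected."""
    rec = json.loads(raw_json)
    if rec.get("eventName") != "ConsoleLogin":
        raise ValueError("only ConsoleLogin records are mapped in this example")
    return _logon(_epoch_ms(rec["eventTime"]), rec["userIdentity"]["userName"], rec["sourceIPAddress"],
                  rec["responseElements"]["ConsoleLogin"] == "Success", "cloud-audit")

def from_edr(line):
    """Authentication event from the constructed key=value EDR line."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return _logon(int(kv["ts"]) * 1000, kv["user"], kv["src"],
                  kv["result"] == "success", kv["sensor"], kv.get("host"))

def validate(ev):
    """Reject events that would break downstream queries before they are stored."""
    missing = [f for f in REQUIRED if f not in ev]
    if missing:
        raise ValueError(f"missing required OCSF fields: {missing}")
    if ev["type_uid"] != ev["class_uid"] * 100 + ev["activity_id"]:
        raise ValueError("type_uid inconsistent with class_uid/activity_id")
    return ev

PARSERS = {"firewall": from_firewall, "cloud": from_cloud_auth, "edr": from_edr}

def normalize(records):
    """(source, raw) pairs -> validated OCSF events, whatever the source format."""
    return [validate(PARSERS[source](raw)) for source, raw in records]

def failed_logons_by_user(events):
    """One detection over every source: failed Authentication logons per user."""
    counts = {}
    for ev in events:
        if ev["class_uid"] == AUTHENTICATION[1] and ev.get("status_id") == STATUS_FAILURE:
            counts[ev["user"]["name"]] = counts.get(ev["user"]["name"], 0) + 1
    return counts

if __name__ == "__main__":
    events = normalize(SAMPLE_RECORDS)
    print(json.dumps(events, indent=1))
    print(failed_logons_by_user(events))
```

Running the module prints the four normalized events and the per-user failed-logon count; the cloud-audit failure and the EDR failure for the same user land in one bucket because ''failed_logons_by_user'' only reads OCSF attributes (''class_uid'', ''status_id'', ''user.name''). That is the practical payoff of the normalization step: once every producer has a validated mapping, a detection is written once and runs over all sources. Two design choices are worth carrying into a real pipeline: attributes a source does not carry are left absent rather than filled with placeholders, and record types the mapping does not understand are rejected at ingestion, so gaps in coverage surface as errors instead of as silently empty query results.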
===== See Also =====

  * [[lakebase_manager|Lakebase Manager]]
  * [[lakehouse|Lakehouse]]
  * [[lakebase|Lakebase]]
  * [[databricks_apps|Databricks Apps]]
  * [[lakewatch_vs_traditional_siem|Lakewatch vs Traditional SIEM]]

===== References =====