Session

From SIEM to Data Platform: Scaling Threat Detection with Lakewatch, Unity Catalog, and AI at Adobe

Overview

Experience: In Person
Track: Cybersecurity
Industry: Enterprise Technology, Communications, Media & Entertainment
Technologies: Databricks SQL, Unity Catalog
Skill Level: Intermediate

Traditional security detection workflows, often confined to proprietary SIEM platforms, struggle to scale, evolve, and integrate with modern data ecosystems. At Adobe, security operations are being reimagined by extending detection capabilities into Databricks using Lakewatch, Unity Catalog, and AI-powered investigation. This approach complements existing SIEM workflows while unlocking new levels of scalability, automation, and data-driven insight.

In this session, we present how detection rules are migrated into version-controlled YAML with automated testing and backtesting gates, enabling repeatable and auditable development. By leveraging Lakewatch’s ingestion and normalization of cybersecurity telemetry into OCSF-formatted Delta tables, detections are enriched with both real-time and historical data from Unity Catalog. Detection logic is expressed in SQL and PySpark, with reusable components implemented as SQL UDFs, replacing traditional macro-based approaches.

Additionally, we showcase how AI-powered agents transform raw Lakewatch alerts into structured investigation summaries with actionable analyst recommendations, streamlining triage and response. Adobe is modernizing its detection workflows, accelerating development, improving detection fidelity, and establishing a unified, scalable security analytics platform within its broader data ecosystem.

Session Speakers

Bharat Gamini

Lead Security Data Engineer
Adobe
