Microsoft Solutions Partner — Data & AI · 11,000+ engagements

Microsoft Fabric Real-Time Intelligence Enterprise Guide (2026)

Eventhouse and KQL Database, Eventstream connectors, Real-Time Dashboards, and Reflex/Activator event-driven actions — the real-time analytics workload in Microsoft Fabric, built on Azure Data Explorer (Kusto) heritage and delivered by a 29-year Microsoft Solutions Partner.

Book a Real-Time Intelligence briefing Call 888-381-9725

What is Microsoft Fabric Real-Time Intelligence and how do enterprises deploy it? Microsoft Fabric Real-Time Intelligence is the real-time analytics workload in Microsoft Fabric. It is built on the Kusto engine that powers Azure Data Explorer, Defender XDR advanced hunting, Sentinel, and Azure Monitor. The five components are Eventhouse (the KQL Database storage and compute engine), Eventstream (visual stream ingestion and transformation from Event Hubs, IoT Hub, Kafka, CDC, and custom sources), Real-Time Dashboards (auto-refreshing KQL-backed visuals), Reflex/Activator (no-code event-driven actions), and KQL Querysets (the analyst query surface). KQL Database tables auto-mirror to OneLake in Delta Parquet for cross-workload query from Power BI, Lakehouse, and Warehouse. EPC Group deploys it through a five-phase fixed-fee Accelerator covering assessment, architecture, ingestion, analytics, and activate.

Microsoft Fabric Real-Time Intelligence is the real-time analytics workload in Fabric, built on the Kusto engine (KQL) that powers Azure Data Explorer, Defender XDR advanced hunting, Sentinel, and Azure Monitor. Five components — Eventhouse, Eventstream, Real-Time Dashboards, Reflex/Activator, and Querysets — compose into the operational telemetry plane. EPC Group delivers a fixed-fee five-phase Accelerator covering assess, architect, ingest, analyze, and activate.

Key Facts

Five components — Eventhouse (KQL Database), Eventstream, Real-Time Dashboards, Reflex/Activator, KQL Querysets
Eventhouse is the Fabric productization of Azure Data Explorer — same Kusto engine, same KQL syntax, same storage format
Eventstream ingests from Event Hubs, IoT Hub, Kafka, Confluent, Kinesis, Pub/Sub, CDC, and Custom App
KQL Database tables auto-mirror to OneLake in Delta Parquet for cross-workload query from Power BI, Lakehouse, and Warehouse
Reflex/Activator triggers Teams messages, Outlook emails, Power Automate flows, Fabric pipelines, and webhooks from stream conditions
Runs on Fabric capacity (F-SKUs) — Reserved Capacity discounts 41 percent against Pay-As-You-Go
29-year Microsoft Solutions Partner, 70+ Fortune 500 clients, 216+ M&A tenant consolidations
EPC Group five-phase Accelerator delivers production Real-Time Intelligence in 12 to 18 weeks, fixed-fee $200K to $650K

The five Fabric Real-Time Intelligence components

Real-Time Intelligence composes from five components — Eventhouse and KQL Database, Eventstream, Real-Time Dashboards, Reflex/Activator, and KQL Querysets. Every enterprise deployment activates all five, sequenced through the EPC Group five-phase Accelerator so each layer is stable before the next builds on top.

Eventhouse and KQL Database — the time-series engine

What it does: Eventhouse is the Real-Time Intelligence storage and compute engine. It hosts one or more KQL Databases — the Kusto column-store database that powers Azure Data Explorer, Defender XDR advanced hunting, Sentinel, and Azure Monitor. Eventhouse is purpose-built for petabyte-scale time-series and log analytics with sub-second query latency over billions of rows.

Column-store with hot-tier caching and cold-tier object storage — automatic policy-driven tiering
Ingestion throughput measured in millions of events per second per Eventhouse with auto-scaling compute
OneLake integration — KQL Database tables are auto-mirrored to OneLake in Delta Parquet for cross-workload query
Streaming ingest from Eventstream and queued batch ingest from blob, ADLS, S3, Event Hubs, and IoT Hub
Materialized views and update policies for stream-time aggregation, parsing, and deduplication
Row-level security, dynamic data masking, and managed-identity authentication to Entra ID

Notes: Eventhouse is the Fabric productization of Azure Data Explorer. Same Kusto engine, same KQL syntax, same storage format. The difference is the Fabric SKU model and the OneLake mirror.

Eventstream — connectors and stream transformations

What it does: Eventstream is the visual stream-processing canvas in Fabric. It ingests events from Azure Event Hubs, Azure IoT Hub, Kafka, Confluent Cloud, AWS Kinesis, Google Pub/Sub, Change Data Capture from operational databases, and the Fabric Custom App endpoint. Stream transformations — filter, aggregate, join, derive — run before the data lands in an Eventhouse, Lakehouse, Activator, or Custom App destination.

Source connectors for Event Hubs, IoT Hub, Kafka, Confluent, Kinesis, Pub/Sub, CDC (SQL Server, Azure SQL, PostgreSQL, Cosmos DB), and Custom App
No-code stream transformations — Filter, Manage Fields, Group By, Aggregate, Join, Union, Expand, and Window functions
Destination targets — Eventhouse KQL Database, Lakehouse table, Activator (Reflex), Custom App, Derived Stream
Derived Stream pattern — chain Eventstreams so one normalizes raw events and downstream streams branch to different destinations
Schema evolution and dead-letter routing for malformed events without halting the stream
Pricing folded into Fabric capacity (no separate Stream Analytics meter)

Notes: Eventstream replaces what Azure Stream Analytics jobs did pre-Fabric, with two differences — fully managed inside the Fabric capacity meter, and a visual canvas that removes the SQL-on-stream learning curve.

Real-Time Dashboards — KQL-backed live visuals

What it does: Real-Time Dashboards are auto-refreshing KQL-backed dashboards purpose-built for sub-second time-series visualization. They are not Power BI reports. They render KQL query results directly with parameter controls, drill-through, and conditional formatting tuned for operational use cases — NOC walls, SOC walls, factory-floor monitors, fraud-ops consoles.

Native KQL query backing — no semantic model layer, no DirectQuery translation, no row-set caching
Auto-refresh intervals as low as five seconds with parameterized time ranges
Cross-filter and drill-through across tiles without losing live refresh
Render targets — time series charts, anomaly bands, heatmaps, tables, KPIs, geographic maps
Embeddable in Microsoft Teams, SharePoint, and external portals via Power BI embed token model
Sharing and permissions inherited from the Fabric workspace and KQL Database RLS

Notes: Power BI is the right surface for analytical reporting against curated semantic models. Real-Time Dashboards are the right surface for operational telemetry rendered as fast as the KQL Database can return it. Both have a place; one does not replace the other.

Reflex (Activator) — event-driven actions

What it does: Reflex (productized as Activator in Fabric) is the no-code event-driven action layer of Real-Time Intelligence. It watches streams, KQL Database results, and Power BI data for user-defined conditions and triggers actions — Teams messages, Outlook emails, Power Automate flows, custom webhooks, Fabric pipelines — when conditions fire.

Object-centric monitoring — define an object (a sensor, a customer, a vehicle, a transaction), an evaluator (a condition), and an action
Triggers backed by Eventstream, KQL Database, or Power BI semantic model data
Built-in actions — Teams message, Outlook email, Power Automate flow, Fabric pipeline trigger, webhook
Stateful condition logic — detect changes ("entered state X"), thresholds, anomalies, and time-window aggregates
Versioning and audit trail for every evaluator and triggered action
Designed for business-user authoring with IT governance — not a developer-only event bus

Notes: Activator is what closes the loop from "we see the event" to "we acted on the event." It is the difference between Real-Time Intelligence as a monitoring tool and Real-Time Intelligence as an event-driven operational platform.

KQL Querysets — the analyst surface

What it does: KQL Querysets are the analyst-facing query environment inside Fabric. They are versioned collections of KQL queries against one or more KQL Databases, with shareable tabs, parameter controls, and inline visualizations. Querysets are how detection engineers, fraud analysts, and observability teams iterate on hypotheses before promoting queries to Real-Time Dashboards or Activator rules.

Multi-tab query authoring against any KQL Database the user has access to
Saveable, shareable, versionable — querysets are first-class Fabric items inside a workspace
Inline render — table, time chart, anomaly chart, column chart, pivot — without leaving the queryset
Cross-database joins and external table queries for archived data in ADLS or Lakehouse
Copilot for KQL — natural-language to KQL generation, query explanation, and optimization suggestions
Export to Power BI semantic model or to Activator rule with one action

Notes: Querysets are the upstream of every Real-Time Dashboard tile and every Activator rule. Mature Real-Time Intelligence programs run a queryset library the same way mature SOCs run a hunting library — hypotheses graduate from queryset to dashboard to alert.

Six Fabric Real-Time Intelligence enterprise use cases

Six patterns cover the overwhelming majority of enterprise Real-Time Intelligence deployments. Most customers run two or three of them in combination — IoT plus observability for industrial operators, fraud plus capital markets for financial services, clinical plus network telemetry for healthcare systems.

IoT telemetry — connected industrial equipment

Manufacturers, energy operators, and logistics fleets stream sensor data from PLCs, gateways, vehicles, and meters into Eventhouse through Eventstream connectors to IoT Hub and Event Hubs. KQL time-series functions detect equipment drift before failure. Real-Time Dashboards run on plant-floor displays. Activator rules trigger work orders when vibration, temperature, or pressure crosses learned bands. Power BI executive layers read the OneLake mirror for trended KPIs.

Application observability — logs, metrics, traces

Engineering teams consolidate application logs (containers, serverless, mobile, batch) into Eventhouse as the central observability lake. KQL is the same language analysts already know from Azure Monitor and Sentinel, which removes the cross-tool retraining tax. OneLake mirror exposes the same data to Power BI for SRE leadership dashboards. The trade-off versus Datadog or Dynatrace is pre-built content breadth; the wins are unified storage, KQL across security and observability, and ingestion economics inside existing Fabric capacity.

Fraud detection — financial transaction streams

Banks and fintech operators stream authorization, payment, and account events from Kafka or Event Hubs into Eventhouse. KQL window functions and anomaly operators detect velocity, geography, device, and amount patterns inconsistent with the customer profile. Activator triggers SMS challenges, account holds, and case-management tickets in real time. Power BI reads OneLake for executive fraud-loss reporting. The compliance overlay maps to PCI DSS, NYDFS 23 NYCRR 500, and bank examination guidance.

Financial market data — quote and trade processing

Capital markets desks stream level-1 and level-2 quote feeds, executions, and order book updates into Eventhouse for surveillance, best-execution analysis, and TCA. KQL runs sub-millisecond aggregations against the rolling tick stream. Real-Time Dashboards drive surveillance and best-ex consoles. Compliance overlay maps to FINRA Rule 3110, SEC Rule 15c3-5, MiFID II Best Execution, and CAT reporting.

Clinical patient monitoring — bedside telemetry

Health systems stream bedside monitor telemetry, infusion-pump events, and EHR vitals into Eventhouse for early-warning detection (sepsis, deterioration, fall risk). KQL anomaly detection runs against rolling patient windows; Activator triggers nurse alerts via Teams. Deployment lives inside a BAA-covered Microsoft 365 and Fabric tenant with Eventstream filters so only the clinical signal needed reaches the analytics plane. Compliance maps to HIPAA Security and Privacy Rules and 42 CFR Part 2.

Network and security telemetry — firewalls, IDS, EDR

SOC teams already using Sentinel use Eventhouse for the high-volume telemetry tiers — VPC Flow Logs, DNS query logs, firewall connection logs, EDR process telemetry — where Sentinel ingestion would be uneconomical. Sentinel analytics rules query the Eventhouse via cross-workspace KQL when incidents demand deeper context. The model preserves SIEM economics while keeping forensic depth queryable in seconds rather than restored from archive. See /microsoft-sentinel-siem-enterprise-2026 for the SIEM architecture.

Honest comparison

Real-Time Intelligence vs Synapse Streaming vs Azure Stream Analytics vs Splunk

Four platforms get evaluated in the same room. The honest answer is that each one is best at something the others are not. The framework below is the same one EPC Group walks through in a Phase 1 assessment.

Fabric Real-Time Intelligence

Best when the workload needs sub-second query latency over weeks or months of event history — fraud, observability, security telemetry, IoT history, clinical event correlation — and the organization is already on Fabric. Wins on unified storage (OneLake mirror), KQL skill reuse from Sentinel and Defender XDR, and ingestion economics inside an existing Fabric capacity. Weaker on pre-built content for third-party sources outside the Microsoft ecosystem.

Synapse Streaming (Synapse Stream Analytics pools)

A previous-generation pattern. New builds default to Fabric Real-Time Intelligence or Azure Stream Analytics. Existing Synapse Streaming workloads are migration candidates to Eventstream plus Eventhouse, which gives the same stream transformation model plus a query-able historical KQL Database. See the companion hub at /azure-synapse-analytics-enterprise-guide-2026 for the broader Synapse-to-Fabric trajectory.

Azure Stream Analytics

Best when the workload is pure stream-SQL with no historical query layer — a one-minute aggregate from Event Hub routed to Power BI streaming, no need to query hours or days back. Lower cost than spinning up Fabric capacity for a single lightweight streaming job. Weaker when the operational team also needs to query event history; in that case Eventhouse plus Eventstream is the better landing zone.

Splunk and Datadog

Best when the workload requires the breadth of pre-built integrations, dashboards, and detections across thousands of third-party sources, or when there is multi-year operational investment in either platform. Wins on content marketplace and on heterogeneous source coverage. Weaker on integration with Power BI, Sentinel, Defender XDR, and the broader Microsoft data stack — that is where Real-Time Intelligence wins for Microsoft-anchored enterprises.

Ingestion economics

The honest truth about Fabric Real-Time Intelligence cost

Real-Time Intelligence runs on Fabric capacity (F-SKUs) shared across all Fabric workloads. There is no separate Eventhouse meter, no separate KQL meter, no per-source ingestion meter for Microsoft-native streaming sources. The cost levers are the capacity SKU, the reservation strategy, and how aggressively Eventstream filters and aggregates at the stream so only the events with analytic value land in Eventhouse.

Fabric capacity SKU

F-SKUs scale from F2 to F2048 capacity units. Real-Time Intelligence draws against the same capacity as Lakehouse, Warehouse, Power BI Premium, Data Factory, and Data Science. The first sizing exercise is whether the existing capacity has headroom or whether a dedicated capacity is needed for the Real-Time Intelligence workload.

Reserved Capacity

A one-year Reserved Capacity commitment discounts 41 percent against Pay-As-You-Go. Move to Reserved once daily capacity utilization is predictable for sixty days. The Reservation is the single largest commercial lever in a Fabric Real-Time Intelligence engagement.

Free Microsoft sources

Microsoft-native streaming sources — Defender XDR streaming API, Azure Monitor diagnostic settings routed through Eventstream — consume capacity but no per-source meter. The same pattern that makes Sentinel ingestion economics work for Microsoft-anchored tenants applies here.

Eventstream transformation

The cheapest event is the one that never lands. Filter, aggregate, and project at the Eventstream layer so only the events with analytic value reach Eventhouse. Aggressive transformation often cuts effective storage and query cost by sixty percent without losing detection or dashboard coverage.

Hot cache and cold tier

Eventhouse policy controls how many days of recent data sit in hot cache (sub-second query) versus cold tier (still queryable, higher latency, lower cost). Tune the policy per table — operational dashboards want hot, forensic and audit tables can live in cold without analyst pain.

OneLake storage

OneLake storage for KQL Database mirrors bills at object-storage rates separately from capacity. For most workloads OneLake storage is a small fraction of total cost; for high-cardinality, high-retention tables it is worth sizing explicitly in the Phase 1 assessment.

KQL primer

Kusto Query Language — the five patterns that cover ninety percent of real work

KQL is the query language across Real-Time Intelligence, Defender XDR advanced hunting, Sentinel, Azure Monitor, and Azure Data Explorer. Analysts already comfortable with SQL learn the basics in two to three weeks. The five patterns below cover the overwhelming majority of day-to-day production queries. Copilot for KQL inside Fabric generates queries from natural language and explains existing queries, which compresses the curve.

1. Filter, project, summarize — the SQL analog

where filters rows, project selects columns, summarize by aggregates. The mental model from SQL transfers one-for-one. This pattern covers most analytical queries against a single table.

2. make-series and bin — time-bucketed aggregations

make-series with bin(timestamp, 1m) generates fixed-interval time series for any metric. This is the foundation of every time-series chart, every trend dashboard tile, and every anomaly detection pipeline.

3. series_decompose_anomalies — anomaly detection

Decomposes a time series into baseline, seasonal, and anomaly components and returns anomaly flags with confidence scores. Used for fraud detection, equipment drift, clinical deterioration, and observability outlier surfacing without standing up a separate ML pipeline.

4. let and materialize — query-time CTEs

let binds expressions to names like a SQL CTE. materialize caches the intermediate result so subsequent references reuse it. Together they make complex multi-stage queries readable and performant.

5. join with kind — entity correlation

KQL join supports inner, leftouter, rightouter, fullouter, leftanti, rightanti, leftsemi, and rightsemi semantics explicitly. The kind parameter is what makes KQL joins predictable across the very different cardinality patterns analysts encounter in event correlation.

Security telemetry

Pairing Real-Time Intelligence with Sentinel and Defender XDR

The most common security-telemetry pattern EPC Group ships is to keep Sentinel as the SIEM of record for the alert-grade signal that needs analytics rules, incident management, SOAR, and regulatory retention, and to use a Fabric Real-Time Intelligence Eventhouse as the long-tail telemetry lake for high-volume, low-unit-value sources where Sentinel ingestion would not pencil out — VPC Flow Logs, DNS query logs, firewall connection logs, EDR process telemetry. The same KQL works across both surfaces, so SOC analysts use one query language end-to-end.

Sentinel for alerting and SOAR

Microsoft 365, Entra ID, Defender XDR, and the alert-grade third-party feeds land in Sentinel where analytics rules, incident queue, and Logic Apps playbooks operate. Microsoft-native sources ingest free. See /microsoft-sentinel-siem-enterprise-2026.

Eventhouse for telemetry depth

High-volume telemetry that has forensic value but not alert value lands in Eventhouse via Eventstream. Sentinel analytics rules can query the Eventhouse via cross-workspace KQL when an incident demands the deeper context. The result is full forensic depth queryable in seconds instead of restored from archive.

Defender XDR advanced hunting

Defender XDR advanced hunting uses the same KQL engine and can query the Eventhouse the same way as Sentinel. Investigators move between Defender XDR, Sentinel, and the Eventhouse without learning a new query language at any boundary.

Governance and compliance — Real-Time Intelligence mapped to your regulatory reality

Real-Time Intelligence inherits the broader Fabric and Microsoft Cloud compliance footprint — HIPAA Business Associate Agreement coverage, SOC 2 Type II, FedRAMP High for Azure Government deployments, FINRA-aligned controls for financial services, CMMC 2.0 for defense contractors, and GxP for life sciences. EPC Group extends the Microsoft control mapping into an auditor-ready matrix tying every Eventstream, KQL Database policy, Activator rule, and Real-Time Dashboard to the regulatory control identifiers in scope. See our standards alignment library for the full mapping, and the companion hub at /enterprise-regulated-analytics-microsoft for the regulated analytics architecture.

HIPAA

SOC 2

FedRAMP

FINRA

CMMC

GxP

The EPC Group Real-Time Intelligence Accelerator — five phases, fixed fee

The accelerator anchors on The EPC Group Lifecycle — Assess, Architecture, Ingestion, Analytics, Activate. Fixed-scope between $200,000 and $650,000 depending on use case breadth, source-system count, regulatory scope, and managed-service tail. Senior architect-led, named on-record, no offshore handoff.

Phase 1 — Assess

Real-time use case selection and source inventory in three weeks

Phase one is a fixed-fee assessment that scores candidate real-time use cases (IoT, fraud, observability, clinical, capital markets, network telemetry) against business value and feasibility, inventories source systems and their throughput characteristics, models ingestion economics against Fabric capacity, and ships a costed roadmap. The output is the decision package a steering committee uses to approve Phases 2 through 5.

Use case scoring — business value, latency requirement, feasibility, and data availability
Source inventory — Event Hubs, IoT Hub, Kafka, CDC sources, REST endpoints, batch loaders
Throughput sizing — events per second peak and sustained, payload size, retention window
Costed roadmap with Fabric capacity unit consumption modeling for year one and year two

Phase 2 — Architecture

Eventhouse, Eventstream, and capacity architecture

Phase two establishes the Real-Time Intelligence architecture — Eventhouse and KQL Database topology, Eventstream source and destination wiring, OneLake mirror policies, Fabric capacity sizing and reservation strategy, RBAC and row-level security model, and the integration points to Sentinel, Power BI, and downstream operational systems via Activator.

Eventhouse and KQL Database topology with cache and retention policies per table
Eventstream source and destination wiring with derived stream patterns for fan-out
Fabric capacity sizing (F-SKU) and Reserved Capacity model for predictable spend
RBAC and row-level security model with Entra ID groups mapped to KQL Database policies

Phase 3 — Ingestion

Source onboarding and stream transformations in six to eight weeks

Phase three onboards source systems in waves — wave one is the highest-value, lowest-complexity Microsoft-native sources (Event Hubs, IoT Hub, Defender data), wave two is third-party Kafka and Kinesis, wave three is CDC from operational databases, and wave four is REST and Custom App endpoints. Each wave is validated for ingestion health, parsing accuracy, and downstream query latency before the next wave begins.

Wave 1 — Event Hubs, IoT Hub, Defender XDR streaming API
Wave 2 — Third-party Kafka, Confluent, Kinesis, Pub/Sub
Wave 3 — CDC from SQL Server, Azure SQL, PostgreSQL, Cosmos DB
Wave 4 — REST polling sources and Custom App push endpoints

Phase 4 — Analytics

KQL content pack, dashboards, and querysets

Phase four deploys the EPC Group KQL content pack tailored to the use case mix (manufacturing, fraud, observability, clinical, capital markets, network telemetry), authors Real-Time Dashboards for the operational consoles, ships the queryset library that hunters and analysts use day-to-day, and tunes ingestion filters and materialized views against the first thirty days of production data.

KQL content pack tuned to use case mix — anomaly, threshold, trend, and pattern detections
Real-Time Dashboards for NOC, SOC, factory-floor, fraud-ops, and clinical consoles
Queryset library with parameterized hypothesis queries for analyst self-service
Materialized views and update policies for stream-time aggregation and parsing

Phase 5 — Activate

Reflex/Activator rules and operational handoff

Phase five lights up Activator rules that close the loop from "we see the event" to "we acted on the event" — Teams alerts, Power Automate flows, ticket creation, equipment hold signals, customer notifications. Senior architect leads the customer team through the first thirty days of rule operation, then either hands off to internal operations or to EPC Group managed Real-Time Intelligence services for steady-state run.

Activator rule library — Teams alert, ticket creation, hold signal, customer notification, downstream API call
Power Automate flow integration for human-in-the-loop response workflows
Cross-Sentinel integration so security-grade Activator alerts flow to the SOC incident queue
24/7 managed Real-Time Intelligence handoff, or customer ops enablement and training

Why EPC Group leads enterprise Fabric Real-Time Intelligence deployments

Years Microsoft consulting

70+

Fortune 500 clients

1,500+

Power BI deployments

216+

M&A tenant consolidations

Microsoft Solutions Partner — Data & AI

Microsoft Solutions Partner with the Data & AI designation plus five additional designations covering Modern Work, Infrastructure, Security, Digital & App Innovation, and Business Applications. Senior architects average two decades of Microsoft platform delivery experience.

Four-time Microsoft Press author

Founder Errin O’Connor has nearly three decades of Microsoft consulting leadership and is a four-time Microsoft Press author across Power BI, SharePoint, Azure, and large-scale migrations — the Power BI book remains a working reference for enterprise Power BI and Fabric programs.

Fixed-fee accelerators

Every Real-Time Intelligence engagement is fixed-fee with a costed roadmap and a named senior architect on-record from kickoff through go-live. No T&M overruns, no offshore handoff, no junior-led production cutover.

Compliance-native content

EPC Group ships KQL content packs, Real-Time Dashboards, Activator rules, and governance matrices mapped to HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP — the evidence auditors actually accept, not generic platform screenshots.

Frequently asked questions — Fabric Real-Time Intelligence

What is Microsoft Fabric Real-Time Intelligence and how does it differ from Azure Data Explorer?

Real-Time Intelligence is the real-time analytics workload in Fabric, built on the same Kusto engine as Azure Data Explorer, Defender XDR advanced hunting, Sentinel, and Azure Monitor. Three differences from standalone ADX. First, SKU model — it runs on shared Fabric capacity (F-SKUs) instead of dedicated ADX clusters. Second, OneLake — KQL Database tables auto-mirror to Delta Parquet for cross-workload query from Power BI, Lakehouse, and Warehouse without copying. Third, surrounding components — Eventstream, Real-Time Dashboards, Reflex/Activator, and Querysets are first-class Fabric items rather than separately wired Azure resources. KQL syntax and storage are identical, so ADX skills transfer one-for-one.

When is Fabric Real-Time Intelligence the right choice versus Azure Stream Analytics or Synapse Streaming?

Real-Time Intelligence wins when the workload needs sub-second query latency over weeks or months of event history — fraud, observability, security telemetry, IoT history, clinical correlation. The Kusto column-store and time-series operators outperform Synapse Streaming SQL or Stream Analytics SQL against the same volumes. Azure Stream Analytics is the right answer for pure stream-SQL with no historical query layer — a one-minute aggregate from Event Hub routed to Power BI streaming. Synapse Streaming is being superseded; new builds default to Fabric Eventstream + Eventhouse.

How does Real-Time Intelligence compare to Splunk or Datadog for observability?

For Microsoft-anchored enterprises already on Fabric, Real-Time Intelligence wins on unified storage (KQL Database queryable from Power BI via OneLake mirror), ingestion economics inside existing Fabric capacity, and KQL skill reuse from Sentinel, Defender XDR, and Azure Monitor. Splunk and Datadog win on content breadth — pre-built dashboards, integrations, and detections across thousands of third-party sources — and on operational maturity for environments with multi-year sunk investment. The decision turns on where the signal lives, how much pre-built content is required day one, and existing tool investment. EPC Group has shipped hybrid models where Real-Time Intelligence handles Microsoft-anchored telemetry while Splunk or Datadog handles long-tail third-party content.

How does Fabric Real-Time Intelligence pricing actually work?

It runs on Fabric capacity (F2 through F2048). Capacity units are shared across all Fabric workloads — Real-Time Intelligence, Lakehouse, Warehouse, Power BI Premium, Data Factory, Data Science. The two consumption levers are ingestion (events per second translated to CU-seconds) and query (KQL queries translated to CU-seconds). OneLake storage bills separately at object-storage rates. Microsoft-native streaming sources (Defender XDR streaming API, Azure Monitor diagnostics) consume capacity but no per-source meter. The two largest cost levers are the F-SKU and Reserved Capacity (41 percent discount versus Pay-As-You-Go), then aggressive Eventstream transformation so only events with analytic value land in Eventhouse.

What does the KQL learning curve look like for an analytics team adopting Fabric Real-Time Intelligence?

KQL is the query language across Real-Time Intelligence, Defender XDR advanced hunting, Sentinel, Azure Monitor, and Azure Data Explorer. SQL-fluent analysts learn the basics — where, project, summarize, join — in two to three weeks part-time. Time-series operators (make-series, series_decompose, series_outliers), pattern functions (parse, parse_json, has_any), and statistical operators (percentile, hll, dcount) reach working competence in eight to twelve weeks. The five most useful patterns: filter-project-summarize, make-series for time-bucketing, series_decompose_anomalies for anomaly detection, materialize-with-let for query-time CTEs, and join-with-kind for explicit join semantics. Copilot for KQL compresses the curve materially.

How does Reflex/Activator differ from Power Automate and Logic Apps?

Activator is purpose-built for object-centric, stream-driven event detection inside Fabric. You define an object (a sensor, customer, transaction), an evaluator (a condition over time-series or stream data), and an action — Teams message, Outlook email, Power Automate flow, Fabric pipeline, webhook. Power Automate and Logic Apps are general-purpose workflow engines that orchestrate across hundreds of SaaS and on-prem systems but are not optimized for high-throughput stream evaluation. The typical pattern: Activator detects at stream speed and triggers a Power Automate flow for the multi-step workflow that follows. Activator is what makes Real-Time Intelligence event-driven rather than monitoring-only.

How does Fabric Real-Time Intelligence integrate with Sentinel and Defender XDR for security telemetry?

The pattern most enterprises adopt: keep Sentinel as the SIEM of record for alert-grade signal that needs analytics rules, incident management, SOAR, and regulatory retention; use a Fabric Eventhouse as the long-tail telemetry lake for high-volume, low-unit-value sources (VPC Flow Logs, DNS query logs, firewall connection logs, EDR process telemetry) where Sentinel ingestion does not pencil out. Sentinel analytics rules query the Eventhouse via cross-workspace KQL when incidents demand deeper context; Defender XDR advanced hunting queries it the same way. Result: SIEM economics preserved, forensic depth queryable in seconds instead of restored from archive. See /microsoft-sentinel-siem-enterprise-2026.

What does an EPC Group Real-Time Intelligence engagement actually deliver?

A fixed-fee five-phase accelerator anchored on the EPC Group Lifecycle — Assess, Architecture, Ingestion, Analytics, Activate — priced $200K to $650K depending on use case count, source-system breadth, regulatory scope, and managed-service tail. Deliverables: use case scoring + costed roadmap, Fabric capacity sizing with Reserved Capacity recommendation, Eventhouse + KQL Database topology with RBAC and RLS, Eventstream pipelines for every in-scope source with transformations and dead-letter routing, KQL content pack tuned to the use cases, Real-Time Dashboards for operational consoles, queryset library for analyst self-service, Activator rule library, and an auditor-ready control matrix. Senior-architect-led, named on-record, no offshore handoff.

Continue exploring the EPC Group enterprise Microsoft library

Real-Time Intelligence sits inside the broader Fabric and Microsoft Cloud orchestration story. These hubs cover adjacent and complementary territory.

Microsoft Cloud Orchestrator

The end-to-end Microsoft cloud orchestration model under which Fabric Real-Time Intelligence sits as the real-time analytics plane.

Microsoft Fabric Expertise Hub

The pillar hub for Microsoft Fabric — Lakehouse, Warehouse, Data Factory, Real-Time Intelligence, and Power BI inside the unified Fabric capacity model.

Microsoft Fabric Training and Learning Hub

Role-based learning paths, certifications, and enablement programs for Fabric data engineers, analysts, and architects.

Microsoft Power BI Expertise Hub

Power BI hub from the four-time Microsoft Press author — semantic models, governance, embedded, and the OneLake mirror integration with Real-Time Intelligence.

Azure Synapse Analytics Enterprise Guide

Synapse architecture and the migration trajectory to Fabric Lakehouse, Warehouse, and Real-Time Intelligence for streaming workloads.

Database vs Warehouse vs Lake (Microsoft 2026)

The decision framework for choosing operational database, data warehouse, data lake, lakehouse, or KQL Database — including where Real-Time Intelligence fits.

Microsoft Sentinel SIEM + SOAR Enterprise Guide

The companion Sentinel hub — pairs Sentinel for alert-grade security telemetry with Eventhouse for long-tail forensic depth.

Enterprise Regulated Analytics on Microsoft

How Real-Time Intelligence, Fabric, Purview, and Sentinel compose into a regulated analytics architecture for HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP environments.

Stand up Fabric Real-Time Intelligence the way Microsoft-anchored enterprises should

Book a Real-Time Intelligence briefing with an EPC Group senior architect. Two-hour working session — use case scoring, source inventory, capacity sizing, accelerator scoping. Zero obligation, board-ready output.

Book the briefing 888-381-9725

‌
‌
‌

‌
‌