Microsoft Sentinel MCP Server

by dstreefkerk

The Microsoft Sentinel MCP Server enables read-only access to a Microsoft Sentinel instance. It provides a modular and extensible platform for observation-only security operations and analysis.

What is Microsoft Sentinel MCP Server?

A Model Context Protocol (MCP) server for Microsoft Sentinel that allows read-only access to a Sentinel instance, including querying, incident viewing, and resource exploration.

How to use Microsoft Sentinel MCP Server?

  1. Authenticate with Azure CLI.

  2. Clone the repository.

  3. Install using the PowerShell script.

  4. Configure your MCP client with the relevant workspace info, remembering to remove AZURE_CLIENT_ID and AZURE_CLIENT_SECRET if using Azure CLI auth.

Key features of Microsoft Sentinel MCP Server

  • KQL Query Execution

  • Log Analytics Management

  • Security Incidents: List and view detailed incident information

  • Analytics Rules: List, view, and analyze by MITRE tactics/techniques

  • Data Connectors: List and view connector details

  • Watchlists: Manage watchlists and their items

  • Threat Intelligence: Domain WHOIS and IP geolocation lookups

  • Entra ID Users & Groups: View user and group details from Microsoft Entra ID

Use cases of Microsoft Sentinel MCP Server

  • Observation-only security operations

  • Security analysis

  • KQL query validation and testing

  • Incident investigation

  • Threat intelligence gathering

FAQ from Microsoft Sentinel MCP Server

Is this server safe for production environments?

No, this server is intended for TEST environments only due to potential security and privacy risks when connected to production Sentinel instances or public LLMs.

What authentication methods are supported?

The MCP Server supports any authentication method supported by the Azure Python SDK's DefaultAzureCredential, including Azure CLI and Service Principal authentication.

How do I install the server?

The recommended method is to use the provided PowerShell installation script (install.ps1). Alternatively, you can manually set up the environment by configuring environment variables and installing dependencies.

How do I enable debug logging?

Set the MCP_DEBUG_LOG environment variable to true in your .env file. Logs will be written to your temp directory as sentinel_mcp_server.log.

Where can I find documentation for the available tools?

Full documentation for the available tools can be found in the resources/tool_docs/ directory.