Security Copilot and Sentinel MCP Server
by jguimera
A Python-based MCP server that integrates Microsoft Security Copilot and Microsoft Sentinel using Azure Identity Authentication. It enables running KQL queries, managing Security Copilot skillsets/plugins, and running prompts/skills.
Last updated: N/A
What is Security Copilot and Sentinel MCP Server?
This project implements an MCP server that acts as a bridge between development environments and Microsoft Security Copilot, allowing for testing, deployment, and execution of skills and plugins. It uses SSE (Server-Sent Events) as the transport layer for the MCP server.
How to use Security Copilot and Sentinel MCP Server?
1. Clone the repository.
2. Install dependencies using pip install -r requirements.txt.
3. Configure the .env file with your Azure credentials and Sentinel workspace details.
4. Start the server using python server.py.
You can then use the available tools like run_sentinel_query, get_skillsets, upload_plugin, and run_prompt from an MCP client like Cursor.
Key features of Security Copilot and Sentinel MCP Server
Sentinel Integration: Execute KQL queries against your Sentinel workspace
Security Copilot Management: List, upload, and update skillsets/plugins
Prompt Execution: Run prompts or skills within Security Copilot
Authentication Support: Multiple authentication methods including interactive browser, client secret, and managed identity
Use cases of Security Copilot and Sentinel MCP Server
Development, test and deployment of Security Copilot KQL Skills
Running KQL queries against Microsoft Sentinel
Uploading/Updating Microsoft Security Copilot skillsets/plugins
Running prompts and skills in Microsoft Security Copilot
FAQ from Security Copilot and Sentinel MCP Server
What is an MCP server?
MCP stands for Model Context Protocol. An MCP server acts as a bridge between a client (like Cursor) and services like Microsoft Security Copilot, allowing the client to use tools and skills provided by the server.
What authentication methods are supported?
The server supports interactive browser authentication, client secret authentication, and managed identity authentication.
How do I run a KQL query?
Use the run_sentinel_query tool with the KQL query as a parameter. For example: /run_sentinel_query query="SecurityEvent | take 10"
How do I upload a new skillset/plugin?
Use the upload_plugin tool, providing the necessary details for the plugin. Refer to the documentation for the required parameters.
How do I configure Cursor to use this MCP server?
Add the .cursor folder (provided in the repository) inside your Cursor project. This folder contains the necessary configuration files to connect Cursor to the MCP server.