ms-sentinel-mcp-server

The Microsoft Sentinel MCP Server provides secure, read-only access to Microsoft Sentinel environments for testing purposes. It supports advanced querying, incident viewing, and resource exploration, including KQL query execution and Log Analytics management.

Microsoft Sentinel MCP Server

A Model Context Protocol (MCP) server for Microsoft Sentinel providing read-only access for testing environments. It offers:

  • KQL query execution and validation with mock data
  • Management of Log Analytics workspaces, tables, and schemas
  • Viewing security incidents and analyzing analytics rules
  • Access to rule templates, hunting queries, and data connectors
  • Management of watchlists and threat intelligence lookups
  • Meta & source control viewing
  • RBAC role assignments and Entra ID user/group details

🚀 Quick Start

  1. Authenticate with Azure CLI.
  2. Clone the repository.
  3. Run the PowerShell installation script.
  4. Use the MCP server.

🛠️ Usage

Supports Claude Desktop and other MCP clients. Manual environment setup and alternative server run options are available.

🧩 Development

Extend server capabilities by adding resources, tools, and prompts to dedicated directories.

🔐 Authentication & Environment Variables

Authentication uses the Azure Python SDK's DefaultAzureCredential, so either Service Principal or Azure CLI credentials can be supplied.