Microsoft Sentinel MCP Server

A [Model Context Protocol][mcp] (MCP) server for Microsoft Sentinel. This server enables read-only access to a Microsoft Sentinel instance, including advanced querying, incident viewing, and resource exploration for Azure Sentinel environments. It provides a modular and extensible platform for observation-only security operations and analysis.

Microsoft have now released their own Sentinel MCP. Check it out here: https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-get-started?tabs=visual-studio

⚠️ IMPORTANT SECURITY NOTICE ⚠️

TEST ENVIRONMENTS ONLY: This Microsoft Sentinel MCP server only supports read-only operations and is intended exclusively for TEST environments. It is not intended to be connected to production Sentinel instances.

PRIVACY WARNING: Connecting this server to a production Microsoft Entra ID (Azure AD) or Sentinel environment may expose sensitive user and directory data to LLM operators or public LLMs. Use only with non-production/test tenants, or a private LLM with MCP support.

SECURITY WARNING: Connecting a production Microsoft Sentinel instance to a public LLM poses significant privacy and security risks. Use only private, secured environments for production security operations.

✨ Features

• KQL Query Execution: Run and validate KQL queries, test with mock data

• Log Analytics Management: Workspace info, table listings and schemas

• Security Incidents: List and view detailed incident information

• Analytics Rules: List, view, and analyze by MITRE tactics/techniques

• Rule Templates: Access and analyze templates by MITRE framework

• Hunting Queries: List, view details, and analyze by tactic

• Data Connectors: List and view connector details

• Watchlists: Manage watchlists and their items

• Threat Intelligence: Domain WHOIS and IP geolocation lookups

• Metadata & Source Control: List and view repository details

• ML Analytics: Access ML analytics settings

• Authorization: View RBAC role assignments

• Entra ID Users & Groups: View user and group details from Microsoft Entra ID

🚀 Quick Start

1. Authenticate with Azure CLI

Before using the MCP server, you must have authenticated to Azure with an account that has access to a Microsoft Sentinel workspace:

az login

2. Clone the Repository

git clone https://github.com/dstreefkerk/ms-sentinel-mcp-server.git
cd ms-sentinel-mcp-server

3. Install with PowerShell Script (Recommended)

Use the provided PowerShell installation script to set up the MCP server:

# Run from the repository root directory
.\install.ps1

The script will:

• Check for Python installation
• Create a virtual environment and install dependencies
• Generate a Claude Desktop configuration file
• Copy the configuration to your clipboard

After running the script, you can paste the configuration directly into your MCP client (Claude Desktop, Cursor, etc.).

4. Use the MCP server

The MCP server will be ready for use after you've configured your MCP client config with the relevant workspace info.

Just remember that if you're using Azure CLI auth, you need to remove AZURE_CLIENT_ID and AZURE_CLIENT_SECRET from your MCP client config.

📚 Documentation

Quick Start Guides

• LLM Quick Start Guide - Essential guide for LLM interaction (replaces auto-generated llms.txt)
• Documentation Navigation - Find the right documentation quickly
• Quick Reference - Tool categories and common patterns

Detailed Guides

• LLM Instructions - Comprehensive w

... View full README on GitHub