Get started with Microsoft Sentinel MCP server (preview)

Important

Microsoft Sentinel MCP server is currently in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

This article shows you how to set up and use Microsoft Sentinel's Model Context Protocol (MCP) collection of security tools to enable natural language queries against your security data. Sentinel's support for MCP enables security teams to bring AI into their security operations by allowing AI models to access security data in a standard way.

Sentinel's collection of security tools is designed to work with multiple clients and automation platforms. You can use these tools to search for relevant tables, retrieve data, and create Security Copilot agents.

Prerequisites

To use Microsoft Sentinel MCP server and access its collection of tools, you need to be onboarded to Microsoft Sentinel data lake. For more information, see Onboard to Microsoft Sentinel data lake and Microsoft Sentinel graph (preview).

You also need the Security reader role to list and invoke Sentinel's collection of MCP tools.

Supported code editors and agent platforms

Microsoft Sentinel's support for MCP tools works with the following AI-powered code editors and agent-building platforms:

  • Visual Studio Code
  • Security Copilot

Add Microsoft Sentinel's collection of MCP tools

  1. Add MCP server:

    1. Press Ctrl + Shift + P, then type or choose MCP: Add Server.

      Screenshot of Visual Studio Code with Add server highlighted.

    2. Choose HTTP (HTTP or Server-Sent Events).

      Screenshot of Visual Studio Code with HTTP or Server-Sent Events highlighted.

    3. Enter the URL of the MCP server you want to access, then press Enter:

    4. Assign a friendly Server ID (for example, Microsoft Sentinel MCP server).

    5. Choose whether to make the server available in all Visual Studio Code workspaces or just the current one.

  2. Allow authentication. When prompted, select Allow to authenticate using an account with at least a Security reader role.

    Screenshot of a Visual Studio Code dialog box prompting the user to authenticate.

  3. Open Visual Studio Code's chat. Select View > Chat, select the Toggle Chat icon beside the search bar, or press Ctrl + Alt + I.

  4. Verify the connection. Set the chat to Agent mode, then select the Configure Tools icon to confirm that the tools are listed under the MCP server.

    Screenshot of a Visual Studio Code Agent menu with the Agent mode and tool icon highlighted.
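The MCP: Add Server wizard above records the server in a Visual Studio Code mcp.json file; the following is an added illustration of what that entry looks like, not configuration taken from this article or shipped by Microsoft. It assumes Visual Studio Code's mcp.json schema (a servers object with type and url keys), that the workspace choice in step 5 decides whether the file is .vscode/mcp.json in the workspace or the user-level mcp.json, and the URL is a placeholder for the Sentinel MCP server URL given in the documentation.

```json
{
  "servers": {
    "microsoft-sentinel-mcp": {
      "type": "http",
      "url": "https://<SENTINEL_MCP_SERVER_URL_PLACEHOLDER>"
    }
  }
}
```

Authentication is handled interactively by the Allow prompt in step 2, so no token or secret belongs in this file; if it lives in .vscode/mcp.json, review it like any other workspace setting before committing it.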

After adding Microsoft Sentinel's collection of tools, you can use the following sample prompts to interact with data in your Microsoft Sentinel data lake.

  • Find the top three users that are at risk and explain why they are at risk.
  • Find sign-in failures in the last 24 hours and give me a brief summary of key findings.
  • Identify devices that showed an outstanding number of outgoing network connections.

To understand how agents invoke our tools to answer these prompts, see How Microsoft Sentinel MCP tools work alongside your agent.

Next step