Important
Microsoft Sentinel MCP server is currently in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Microsoft Sentinel’s Model Context Protocol (MCP) Server collections are logical groupings of related security-focused MCP tools that you can use in any compatible client to search and retrieve data from tables and create agents.
Our collections are scenario-focused and have security-optimized descriptions that help AI models pick the right tools and deliver the outcomes each scenario calls for. For example, you can use the following sample prompts to have the model select the appropriate tool:
- Find the top three users that are at risk and explain why they are at risk.
- Find sign-in failures in the last 24 hours and give me a brief summary of key findings.
- Identify devices that showed an outstanding number of outgoing network connections.
Available collections
The following table lists the available collections you can use:
| Collection | Description |
|---|---|
| Data exploration | Explore security data in the Microsoft Sentinel data lake by searching for relevant tables and querying the lake |
| Security Copilot agent creation | Create Microsoft Security Copilot agents for complex workflows |