Unlocking Microsoft Sentinel MCP
I started working with the MCP about a year ago, and since then, I’ve built, developed, and deployed dozens of MCPs across different security platforms. My work has included hands-on implementations of both Microsoft Sentinel and Defender XDR, as well as on other platforms, where MCP servers serve as the backbone for enabling AI-assisted data exploration, incident analysis, and security automation.
This experience has shown me how a carefully designed configuration can be the difference between a simple endpoint connection and a truly SOC aware assistant that understands workspaces, correlations, and context.
When I look back at how we consumed security data before MCP, the experience was often slow and heavy (from a team perspective). Analysts had to know the exact schema, memorize table names, and craft precise KQL queries just to get started. The barrier to entry was high, and even experienced defenders could spend more time on query mechanics than on actual analysis. In short, the “before MCP” world was defined by manual effort, steep learning curves, and slower investigations.
The introduction of MCP fundamentally changes this landscape. By acting as a protocol layer between AI-driven hosts (such as Copilot or VS Code) and backend systems like Microsoft Sentinel, MCP enables us to interact with data semantically. Instead of recalling the schema by heart, analysts can simply describe what they need, and MCP translates intent into the right data calls. The “after MCP” world is about natural interaction, context aware queries, and correlation rules that can be baked into configuration files like mcp.json. It doesn’t just save time, it can also lower the threshold for entry and make advanced investigation workflows more accessible to a broader audience.
That said, the known truth still holds. Tools don’t replace expertise. If you already know how to investigate incidents, structure correlations, and interpret data, MCP Sentinel amplifies your capabilities, becoming a force multiplier. But if you lack that foundational knowledge, MCP is just another interface, another shiny tool that doesn’t magically make you better at analysis.
The best results are achieved when seasoned analysts utilize MCP to codify their methods, ensuring that the AI layer doesn’t just guess, but applies tried and true security practices.
In other words, MCP divides the world of data consumption into two areas. Before, when everything was manual and heavy operations, and after, where semantic access changes the game, but only if you bring the proper knowledge to the table.
This article is part of a broader series I’m writing called Beyond KQL: The Sentinel MCP Series, where I explore how the MCP transforms the way we interact with Microsoft Sentinel, moving from traditional query investigation to intelligent, context aware analysis and much more.
Sentinel MCP in a nutshell
Microsoft Sentinel now offers Model Context Protocol (MCP) support, providing AI-driven tooling and context for enhanced security operations. The Sentinel MCP server publishes a catalog of purpose built tools through a unified hosted interface that authenticates with Microsoft Entra. Clients issue natural language intents and receive structured outputs aligned with investigation and response.
MCP defines a host client server model. The host coordinates one or more clients in the analyst workspace. The client maintains a stateful connection to the Sentinel MCP server and discovers available tools. The server provides context and executes tool calls across the Sentinel data lake. This shifts work from schema recall and KQL crafting to intent and evidence.
For analysts and security engineers, the result is faster correlation across long term telemetry with predictable outputs suitable for agents and automation. Use natural language to explore the Identity Device and Data Activity tables. Retrieve compact artifacts that list entities, risks, contributing signals, and supporting evidence. Describe workflow intent to create agents and let the server supply the correct instructions and tool invocations.
Sentinel MCP is a direct path from raw logs to decisions. It turns the data lake into a substrate with rich context and standardizes access for clients and agents. Expect shorter triage cycles, stronger investigations, and cleaner automation without the need for new infrastructure.
The Strategic implications of Sentinel are evolving from a traditional SIEM into a unified platform where data becomes a security graph and where agents operate with first party context rather than public training data. MCP standardizes how agents discover capabilities and act on them. The result is a lower mean time to triage, fewer false positives, and quicker containment, as analysts spend their time on judgment rather than syntax.
For security teams balancing coverage and cost, the data lake maintains a single, open format copy, while the MCP server provides semantic access across months of telemetry. You gain deep context without committing to custom connectors or additional infrastructure.
Key features of Sentinel MCP
- Unified hosted interface for AI driven security operations and uses Microsoft Entra for identity and requires no infrastructure deployment.
- Tool collections aligned to security scenarios and natural language access to the Sentinel data lake without schema recall or KQL crafting.
- Accelerated agent development with deterministic tool outputs enables predictable automation and agent creation with clear instructions.
- The cost efficiency of data integration and native connection to the security data lake preserves broad coverage with long term retention while controlling cost.
- Client and server architecture with clear roles, where the Host coordinates clients, the client maintains a stateful connection, and the server provides context and executes tools.
- Natural language exploration and correlation. Query identity device and data activity tables, retrieve structured evidence with entities and signals.
- The Agent ready responses and compact artifacts with risk drivers, supporting evidence, and suggested actions.
- Seamless integration with compatible clients. Examples include Visual Studio Code and Security Copilot, which facilitate interactive workflows.
Sentinel MCP Relation
MCP is an open standard that governs how language models interact with external tools, memory, and context in a safe, structured, and stateful manner. MCP uses a client and server architecture with three primary roles:
- MCP host: The AI application that orchestrates one or more clients inside the user workspace
- MCP client: The component that maintains a connection to an MCP server discovers available tools and pulls context for the host
- MCP server: The program that exposes tools and provides context to connected clients
In the Sentinel environment, the MCP server is Microsoft Sentinel MCP. It publishes tool catalogs that operate over the Sentinel data lake and returns structured outputs suitable for investigation and automation. A host such as Visual Studio Code or Security Copilot instantiates an MCP client that connects to the Sentinel MCP endpoint, retrieves the available tools, and issues natural language intents. The server executes tool calls across identity devices and data activity tables, returning compact artifacts with entity signals, evidence, and suggested actions.
-
MCP Host: This is the AI application or environment (such as VS Code, a Copilot style agent) that coordinates with clients. It sends user-level commands/intents.
-
MCP Client: The connector inside the host that maintains the connection, handles requests (like “list tools”, “call tool”, “list resources”, etc.) over MCP to the server.
-
MCP Server: Managed by Microsoft in the Sentinel context. It exposes tool collections, data access APIs, prompts, and context. It serves as the bridge to the backend (data lake, graph, and telemetry) for AI agents.
| Role | What it is in MCP terms | Concrete example in Sentinel MCP |
|---|---|---|
| MCP Host | The AI application environment that coordinates one or more MCP clients | VSCode (when using a Copilot extension) acts as the MCP host. |
| MCP Client | A component within the host that handles protocol level interactions (communication, context, etc) | Inside VS Code, there is an MCP client module/object that maintains the connection to the Sentinel MCP server. |
| MCP Server | The backend service that provides context, tools, APIs, telemetry, graph, etc., to connected clients | Microsoft’s Sentinel MCP server (hosted by Microsoft) that exposes data exploration, tools, APIs over your Sentinel environment. |
The Initial Configurations
What You Need Before You Begin
Make sure these conditions are satisfied:
-
Your tenant is onboarded to the Sentinel data lake and, where relevant, to the Sentinel graph. Without that, the MCP tools will have no backend data to surface.
-
The invoking identity has Security Reader permissions (or equivalent) in the Sentinel tenant, so it can query logs, tables, and security artifacts.
-
You have Visual Studio Code installed, ideally with the capabilities to use Copilot / an AI-powered “agent” chat in VS Code. (VS Code + MCP support).
Once those are in place, let’s configure.
Step 1: Add the Sentinel MCP Server in VS Code
You’ll register Sentinel’s MCP endpoint inside VS Code so your client (inside VS Code) can speak to the MCP server (hosted by Microsoft).
In VSCode, type and select MCP: Add Server. Then, VSCode will ask which transport to choose: HTTP or Server-Sent Events.
Enter the MCP server URL you need, depending on which tool collection you are using this link:https://sentinel.microsoft.com/mcp/data-exploration
Give it a friendly Server ID (alias) so you can recognize this connection (e.g. “Sentinel MCP”).
VS Code will prompt you to “Trust” the server definition. Accept.
You’ll be asked to allow the server definition to be used with your identity. You must use an account with the appropriate permissions (E.g., Security Reader).
After successful authentication, VS Code sets up a file mcp.json in the workspace (or updates it). This file holds your MCP server configuration.
At this point, the VS Code side has a client configured to talk to the Sentinel MCP server.
Step 2: Enable Agent Mode (Copilot Chat) in VS Code
The MCP tools are surfaced in Agent mode, so you must switch the VS Code chat to Agent mode.
In the Chat UI, switch the mode to Agent mode instead of the regular “Ask / assistant” mode.
You should see a “Tools” icon (or configuration icon) in the prompt bar. Click that to inspect which MCP tools are active.
Expand the row for your newly added MCP server to view the available tools. In the agent creation collection, Microsoft exposes several tools relevant to building your own Security Copilot agents.
Now your chat interface is ready to invoke MCP tools as needed.
Example Flow Once Setup
Here’s what a typical interaction might look like after setup:
-
You open Chat (Agent mode), enable tools from your Sentinel MCP server.
-
You prompt something like: “Create an agent that analyzes Sentinel incidents, correlates with alerts, and produces a summary.”
-
The system picks the appropriate tool, like
start_agent_creationto initiate an agent build. -
You may receive a session ID in return. Then you call
compose_agentwith that ID to define the agent’s actions. -
Eventually, you might call
deploy_agent. The tools themselves are handled via the MCP server. -
Meanwhile, the AI can also call data exploration tools (if your server includes them) to fetch security telemetry for context.
Caveats & Gotchas to Be Aware Of
-
The MCP server is in preview, so behavior may change. Microsoft warns it may be substantially modified before GA.
-
Ensure your identity has sufficient permissions (E.g., Security Reader). If not, the server may authenticate, but you’ll get errors when invoking tools.
-
The mcp.json file is sensitive and captures server configurations. Don’t commit secrets or credentials to it.
-
Always review the enabled tools, as an overbroad set could cause unexpected surprises.
-
If Chat doesn’t show tools or the server shows “not running”, use VS Code’s command palette (
MCP: List Servers) to verify the server status or inspect logs. -
The context file helps, but if it’s absent, the AI may be less precise in its use of tools.
The Gaps
No True Vector Store Exposure
Semantic search implies that embeddings (vector representations of your data) are available for similarity matching. The current Sentinel MCP preview does not expose a dedicated vector index API or any endpoint for uploading or retrieving embeddings directly.
Behind the scenes, Microsoft’s own semantic models operate over internal telemetry indexes, not your tenant-managed store. That means:
-
You can’t inject your own embeddings or fine-tuned representations.
-
You can’t control how context windows or relevance scoring are computed.
-
You can’t query at the embedding level (e.g., cosine similarity, dot product, top-k search).
Essentially, “semantic search” right now is limited to natural language → KQL translation plus lightweight embedding lookup from Microsoft-managed data. Not an actual open semantic interface.
Missing authProvider Enforcement in Manual Configs
Manual JSON configs (like the default) lack many settings, for example, the automatic OAuth handshake unless it authProvider: "microsoft-entra-id" is explicitly defined and linked to a trusted context. Without it, your MCP client runs in anonymous mode and cannot resolve tenant-specific semantic indexes.
No Configurable Context Window or Schema Awareness
The semantic engine currently has a fixed context window and limited schema awareness. It can “understand” standard tables like SecurityEvent, SigninLogs, AuditLogs, etc., but it cannot ingest your custom tables or enrich them semantically.
If your SOC ingests proprietary logs (e.g., via custom connectors), the MCP server won’t interpret them semantically; it will fall back to a generic keyword search.
Missing Tool Collections for Advanced NLP Tasks
The MCP tool catalog for Sentinel preview exposes collections like:
-
data-exploration -
semantic-search -
agent-creation
But it’s missing:
-
context-summarization -
cross-index-correlation -
incident-similarity-clustering
These are key semantic tasks for a mature AI SOC, and right now, you can’t call them directly.
No Semantic Cache or Conversation Memory
Each semantic search query is stateless. There’s no retained conversational memory in the MCP session.
That means you can’t ask: “Now expand on the previous query, but focus on device events.”
Every query is a clean slate. The agent (Copilot or VS Code) must reattach previous results to maintain continuity, which slows down workflows.
No Schema Adaptation or Custom Table Awareness
The semantic engine only understands Microsoft-managed schemas like SigninLogs, SecurityEvent, or AuditLogs.
If your organization ingests:
-
Custom connectors,
-
Partner telemetry (like SentinelOne or CrowdStrike), or
-
Custom tables (
MyApp_CL,ThreatHunt_CL),
The semantic parser won’t know how to interpret those fields semantically. It will either ignore them or misclassify attributes, producing low-quality results.
Why an Enriched MCP JSON Makes Sentinel Better
When people first connect to Sentinel’s MCP server, they usually start with the bare minimum:
This is enough to register the MCP server. VS Code or Copilot will recognize there’s an endpoint out there, but that’s all. It’s like knowing the address of a data center without knowing which racks, tenants, or services live inside. Functional, but not intelligent.
Workspace Boundaries Context
A better mcp.json adds workspace boundaries:
"workspaceBoundary": {
"primary": {
"workspaceId": "…",
"workspaceName": "…siem",
"description": "Primary Sentinel workspace for security monitoring"
Now, the MCP client isn’t just pointing at “Sentinel in general.” It’s scoped to a specific SIEM workspace. This prevents confusion in multi-workspace environments and gives AI-assisted queries the right context immediately.
Time Windows and Correlations
The enriched JSON also defines incident analysis parameters:
"incidentAnalysis": {
"timeRange": "7d",
"correlations": {
"primary": [
{
"table": "SecurityIncident",
"key": "AlertIds",
"correlateWith": "SecurityAlert"
Why does this matter?
Time range – Instead of the AI guessing whether to look back 24 hours or 90 days, you give it a fixed boundary. That means faster queries and less noise.
Correlation rules – By specifying how incidents link to alerts (SecurityIncident.AlertIds with SecurityAlert), you should enforce SOC logic inside the MCP layer. Instead of vague semantic matching, you get reproducible, deterministic joins between events.
From Raw Connection to SOC-Aware Assistant
With these additions, your mcp.json stops being just a dumb connector and start acting like a SOC aware configuration file. It tells the MCP client:
-
Which workspace to use?
-
How far back to search?
-
How to correlate incidents with alerts.
That’s the difference between raw semantic search (“guess what I meant”) and guided analysis (“apply the rules I use in production”).
Note: The mcp.json file must have dedicated parameters for your environment. Otherwise, it can create a massive hallucination.
Summary
This post reviews what Microsoft Sentinel MCP is and why it matters in modern SOC operations. MCP acts as the intelligence layer that connects AI-driven tools, such as Copilot or VS Code, to Sentinel’s data lake, enabling semantic, context-aware access to security data.
The article focuses on how a well-designed mcp.json configuration turns this connection into a powerful SOC-aware assistant by defining workspace boundaries, incident analysis parameters, and correlation logic. This article is part of Beyond KQL: The Sentinel MCP Series, which explores what Sentinel MCP is, how to configure it, and how to use it effectively in real-world SOC environments.
References
What is Microsoft Sentinel’s support for Model Context Protocol (MCP)?
