Tool collection in Microsoft Sentinel MCP server

Microsoft Sentinel’s Model Context Protocol (MCP) Server collections are logical groupings of related security-focused MCP tools that you can use in any compatible client to:

• Search for relevant tables
• Retrieve data
• Analyze entities
• Create Security Copilot agents
• Triage incidents
• Hunt for threats

Our collections are scenario-focused and have security-optimized descriptions that help AI models pick the right tools and deliver those outcomes. For example, you can use the following sample prompts to get the appropriate tool:

• Find the top three users that are at risk and explain why they're at risk.
• Find sign-in failures in the last 24 hours and give me a brief summary of key findings.
• Identify devices that showed an outstanding number of outgoing network connections.
• Help me understand if the user <user object ID> is compromised.
• Investigate users with a password spray alert in the last seven days and tell me if any of them are compromised.
• Find all the URL IOCs from <threat analytics report> and analyze them to tell me everything Microsoft knows about them.

Available collections

The following table lists the available collections you can use:

Create your own custom MCP tool

You can enable agents to retrieve and reason over knowledge from your library of saved Kusto Query Language (KQL) queries in advanced hunting by using custom MCP tools. Creating your own Sentinel MCP tools lets you have granular control over the data accessible to your security agents and create deterministic agentic workflows.

For more information, see Create and use custom Microsoft Sentinel MCP tools.

Related content

• What is Microsoft Sentinel’s support for Model Context Protocol (MCP)?
• Get started with Microsoft Sentinel MCP server