Edit

Share via

Use an MCP tool in Microsoft Security Copilot

This article shows you how to add Microsoft Sentinel's Model Context Protocol (MCP) collection of security tools or your own custom tools to your AI agents in Microsoft Security Copilot.

For information about how to get started with MCP tools, see the following articles:

Add a Microsoft Sentinel tool collection

Important

You need to build your own custom Security Copilot agent before you can add Sentinel's collection of MCP tools. For more information, see Build an agent from scratch using the lite experience.

To add a Microsoft Sentinel tool collection during custom agent building, follow these steps:

  1. Select Add tool to open the Tools catalog modal.
  2. In the Add a tool modal, search for and select the tools you want to add from Microsoft Sentinel's collection of MCP tools. For example, search for "data exploration" to find the data exploration tool.
  3. Select Add selected to add the tools to your agent.

Your agent is now connected with Sentinel's available collection of tools. You can start prompting your agent and use the tools to deliver outcomes.

Add a custom tool collection

Custom MCP tools let you build deterministic workflows by prescribing exactly what data agents can reason over. To add your custom tool collection in Security Copilot, follow these steps:

Step 1: Create a YAML file for your tool collection

Use the following YAML file template to create and save your plugin. Specify which tools from your custom tool collection you want to add.

Descriptor:
  Name: <Name of the collection>
  DisplayName: <Friendly name for the collection>
  Description: <Friendly description for the collection>
  DescriptionForModel: <Detailed description of the collection to help with AI selection>
SkillGroups:
- Format: MCP
  Settings:
    Endpoint: <Enter custom tool URL>
    TokenScope: 4500ebfb-89b6-4b14-a480-7f749797bfcd/.default
    UseStreamableHttp: true
    UsePluginAuth: false
    AllowedTools: <Comma-separated list of tool names to add>
    TimeoutInSeconds: 300

For more information about all the parameters you can add and configure in your YAML file, see Model Context Protocol (MCP) plugins in Microsoft Security Copilot.

Step 2: Add the YAML file as a custom plugin

  1. Go to the Security Copilot portal and select the Sources icon in the prompt bar.

    Screenshot of the prompt bar in Security Copilot with the Sources icon highlighted.

  2. In the Manage sources pop-up window that appears, under Plugins, scroll down to the Custom section and select Add plugin.

    Screenshot of the Manage sources window in Security Copilot with the Add plugin option highlighted.

  3. From the drop-down options, specify if you want to make the plugin available to just yourself or anyone in the organization.

  4. Select Security Copilot plugin, choose the YAML file you created previously, then select Add.

    Screenshot of Add plugin pop-up window in Security Copilot with Security Copilot plugin and Add options highlighted.

  5. Finish the setup. Once your plugin is visible in the Custom section, you can turn the toggle on or off.

    Screenshot of Custom plugin option in Security Copilot with the added plugin visible.

Step 3: Build an agent using the saved plugin

  1. In the Security Copilot portal, go to Build and select Start from Scratch or open an existing custom agent.

  2. In your agent skill, select Add a tool and find the custom plugin you saved previously.

    Screenshot of Add a tool option in Security Copilot.

    Screenshot of Add a tool option in Security Copilot with the added plugin visible.

  3. Add the plugin to your agent.

Related content

  • Last updated on