Microsoft Sentinel MCP (Preview)
This collection of tools from the Microsoft Sentinel MCP server lets your playbooks reason over comprehensive security data, enabling powerful and flexible SOC automation.
This connector is available in the following products and regions:
| Service | Class | Regions |
|---|---|---|
| Copilot Studio | Premium | All Power Automate regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Logic Apps | Standard | All Logic Apps regions except the following: - Azure Government regions - Azure China regions - US Department of Defense (DoD) |
| Power Apps | Premium | All Power Apps regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Power Automate | Premium | All Power Automate regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Contact | |
|---|---|
| Name | Microsoft |
| URL | https://support.microsoft.com |
| Connector Metadata | |
|---|---|
| Publisher | Microsoft |
| Website | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-overview |
| Privacy policy | https://privacy.microsoft.com |
| Categories | Security |
Prerequisites
Sentinel workspace ID
Supported Operations
Entity Analyzer
Generate a risk assessment for entities (e.g. URL, user) based on your organization's recent activity, prevalence, and associated threat intelligence.
Obtaining Credentials
For a detailed explanation of the required permissions, see: https://learn.microsoft.com/en-us/azure/sentinel/roles#roles-and-permissions-for-the-microsoft-sentinel-data-lake-preview. This tool requires the Security Reader role. The following modes of access are supported:
Entra Id
Execute operations on behalf of the logged-in user.
Managed Identity
Execute operations on behalf of the Logic Apps managed identity.
Creating a connection
The connector supports the following authentication types:
| Name | Description | Applicable | Shareable |
|---|---|---|---|
| Logic Apps Managed Identity | Create a connection using a Managed Identity | LOGICAPPS only | Not shareable |
| Microsoft Entra ID Integrated | Use Microsoft Entra ID to access | All regions | Not shareable |
| Service principal authentication | Use your Microsoft Entra ID application for service principal authentication | All regions | Not shareable |
| Default [DEPRECATED] | This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility. | All regions | Not shareable |
Logic Apps Managed Identity
Auth ID: managedIdentityAuth
Applicable: LOGICAPPS only
Create a connection using a Managed Identity
This connection is not shareable. If the Power App is shared with another user, that user will be prompted to create a new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| Managed Identity | managedIdentity | Sign in with a Managed Identity | True |
Microsoft Entra ID Integrated
Auth ID: tokenBasedAuth
Applicable: All regions
Use Microsoft Entra ID to access
This connection is not shareable. If the Power App is shared with another user, that user will be prompted to create a new connection explicitly.
Service principal authentication
Auth ID: servicePrincipalAuth
Applicable: All regions
Use your Microsoft Entra ID application for service principal authentication
This connection is not shareable. If the Power App is shared with another user, that user will be prompted to create a new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| Client ID | string | | True |
| Client secret | securestring | | True |
| Tenant ID | string | | True |
Default [DEPRECATED]
Applicable: All regions
This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility.
This connection is not shareable. If the Power App is shared with another user, that user will be prompted to create a new connection explicitly.
Throttling Limits
| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 100 | 60 seconds |
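The limit above is per connection, so a playbook that fans out across many entities (for example, one Entity Analyzer call per alert entity) can exhaust the 100-call budget inside a single 60-second window and start receiving throttled responses. The sliding-window budget below is an added illustration of how to track that budget on the client side before calls are made; it is not code from the connector or the Sentinel MCP server, and the `FakeClock` and `run_batch` helpers are constructed here purely to make the behaviour reproducible offline. The 100 calls / 60 seconds values are taken from the table.

```python
"""Sliding-window call budget mirroring a per-connection throttling limit
of 100 calls per 60-second renewal period.

Added example, not part of the Microsoft Sentinel MCP connector. The limit
values come from the connector's throttling table; FakeClock and run_batch
are constructed helpers for demonstration."""
from collections import deque
import time


class ConnectionCallBudget:
    """Records call timestamps for one connection and refuses a call when it
    would be the (max_calls + 1)th call inside any trailing period_s seconds."""

    def __init__(self, max_calls=100, period_s=60.0, clock=time.monotonic):
        self.max_calls = max_calls
        self.period_s = period_s
        self._clock = clock      # injectable so tests can control time
        self._stamps = deque()   # timestamps of calls still inside the window

    def _prune(self, now):
        # Drop timestamps that have aged out of the renewal period.
        while self._stamps and now - self._stamps[0] >= self.period_s:
            self._stamps.popleft()

    def remaining(self):
        """Calls still available in the current trailing window."""
        self._prune(self._clock())
        return self.max_calls - len(self._stamps)

    def try_acquire(self):
        """Reserve one call. Returns True if the call may proceed, False if
        making it now would exceed the per-connection limit."""
        now = self._clock()
        self._prune(now)
        if len(self._stamps) >= self.max_calls:
            return False
        self._stamps.append(now)
        return True

    def seconds_until_slot(self):
        """Seconds until the oldest in-window call ages out (0.0 if a slot is free)."""
        now = self._clock()
        self._prune(now)
        if len(self._stamps) < self.max_calls:
            return 0.0
        return self.period_s - (now - self._stamps[0])


class FakeClock:
    """Constructed deterministic clock for demonstrations and tests."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_batch(budget, n_calls, call):
    """Attempt n_calls through `call`, skipping any the budget refuses.
    Returns (sent, throttled) so a playbook can defer the remainder."""
    sent = throttled = 0
    for _ in range(n_calls):
        if budget.try_acquire():
            call()
            sent += 1
        else:
            throttled += 1
    return sent, throttled


if __name__ == "__main__":
    clock = FakeClock()
    budget = ConnectionCallBudget(clock=clock)
    # 120 entity lookups requested in the same second: only 100 fit the window.
    print(run_batch(budget, 120, lambda: None))          # (100, 20)
    print(budget.seconds_until_slot())                   # 60.0
    clock.advance(60)
    print(budget.remaining())                            # 100
```

In a real playbook the deferred calls would be scheduled after `seconds_until_slot()` rather than dropped, and the budget would be keyed by connection, since the limit in the table is per connection rather than per workflow run.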
Actions
| Name | Description |
|---|---|
| Microsoft Sentinel - Data Exploration MCP Server | The data exploration tool collection in the Microsoft Sentinel Model Context Protocol (MCP) server lets you search for relevant tables and retrieve data from Microsoft Sentinel's data lake using natural language. Learn more: https://aka.ms/mcp/data-exploration |