Microsoft Sentinel

by microsoft

Query and analyze security data, incidents, and threat intelligence from Microsoft Sentinel's data lake using natural language.

  • Remote endpoint, no local setup
  • Natural language queries
  • OAuth 2.0 authentication

best for

  • Security analysts investigating incidents
  • Building automated threat hunting agents
  • SOC teams analyzing authentication patterns
  • Security researchers studying attack vectors

capabilities

  • Search relevant security tables with natural language
  • Retrieve data from Microsoft Sentinel's data lake
  • Query sign-in logs and authentication events
  • Analyze multi-factor authentication failures
  • Correlate security events across different data sources
  • Extract threat intelligence data

what it does

Query Microsoft Sentinel's security data lake using natural language to search tables and retrieve security logs, incidents, and threat intelligence data.

about

Microsoft Sentinel is an official MCP server published by microsoft that provides AI assistants with tools and capabilities via the Model Context Protocol. It lets you query and analyze security data, incidents, and threat intelligence in Microsoft Sentinel's data lake using natural language. It is categorized under auth security and analytics data.

how to install

You can install Microsoft Sentinel in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server supports remote connections over HTTP, so no local installation is required.

license

MIT

Microsoft Sentinel is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.

readme

Microsoft Sentinel Data Exploration

The data exploration tool collection in the Microsoft Sentinel MCP server lets you search for relevant tables and retrieve data from Microsoft Sentinel's data lake using natural language.

🌐 The Microsoft Sentinel Data Exploration MCP Server Endpoint

The Microsoft Sentinel Data Exploration MCP Server is accessible to any IDE, agent, or tool that supports the Model Context Protocol (MCP). Any compatible client can connect to the following remote MCP endpoint:

https://sentinel.microsoft.com/mcp/data-exploration

Authentication: OAuth 2.0

🧩 Use cases

Password-spray hunt: Build security agents that autonomously select the relevant sign-in tables, aggregate login attempts by user and source IP, and flag patterns consistent with password-spray behavior, such as low-frequency attempts spread over several months across many accounts.

Impossible-travel check: Build security agents that correlate sign-in events by user, calculate the geographic distance and time gap between consecutive logins, and flag cases where the implied travel speed exceeds a realistic threshold, suggesting credential compromise.

Multi-factor authentication failures: Build security agents that analyze multi-factor authentication logs to detect spikes in failure rates, cluster them by user, IP, or time window, and surface anomalies that deviate from long-term baseline behavior.

Dormant-account wake-up: Build security agents that, based on an inactivity threshold, scan for accounts with a long period of silence followed by recent activity, and build a timeline showing when and how each account re-engaged.
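The analysis step behind the password-spray, impossible-travel and dormant-account use cases, as an added example that is not code from the Microsoft Sentinel MCP server or its README: detection rules run over a handful of constructed sign-in events. The record fields (ts, user, ip, success, lat, lon), the contoso.example accounts, the IP addresses and the coordinates are assumptions made for this example and do not reflect any Sentinel table schema; in practice an agent would retrieve rows through the data-exploration endpoint and then apply rules of this shape to them.

```python
"""Detection logic for three of the use cases above, run over constructed events.

Added example; not code from the Microsoft Sentinel MCP server. Field names
(ts, user, ip, success, lat, lon) are assumptions, not a Sentinel table schema.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed coordinates for the two constructed locations.
SEATTLE = (47.6062, -122.3321)
LONDON = (51.5074, -0.1278)


def ev(ts, user, ip, success, place=SEATTLE):
    """Build one constructed sign-in record (field names are assumptions)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "success": success, "lat": place[0], "lon": place[1]}


# Constructed sample telemetry, not rows from any Sentinel table.
SIGNINS = [
    # alice: two bad passwords, then success from her usual IP (not a spray).
    ev("2024-03-01T08:00:00", "alice@contoso.example", "203.0.113.7", False),
    ev("2024-03-01T08:01:00", "alice@contoso.example", "203.0.113.7", False),
    ev("2024-03-01T08:02:00", "alice@contoso.example", "203.0.113.7", True),
    ev("2024-03-01T12:00:00", "alice@contoso.example", "203.0.113.7", True),
    # bob: Seattle, then London one hour later (impossible travel).
    ev("2024-03-01T09:00:00", "bob@contoso.example", "203.0.113.8", True),
    ev("2024-03-01T10:00:00", "bob@contoso.example", "198.51.100.200", True, LONDON),
    # carol: silent for four months, then active again (dormant wake-up).
    ev("2023-11-01T09:00:00", "carol@contoso.example", "203.0.113.9", True),
    ev("2024-03-02T09:00:00", "carol@contoso.example", "203.0.113.9", True),
] + [
    # One source IP, one failed attempt per account, spread over a week (spray).
    ev(f"2024-03-0{d}T0{d}:00:00", f"user{d}@contoso.example", "198.51.100.23", False)
    for d in range(1, 8)
]


def detect_password_spray(events, min_users=5, max_failures_per_user=2):
    """Flag source IPs that fail against many accounts with few tries each."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    for e in events:
        if not e["success"]:
            failures[e["ip"]][e["user"]] += 1
    return sorted(ip for ip, per_user in failures.items()
                  if len(per_user) >= min_users
                  and max(per_user.values()) <= max_failures_per_user)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres on a 6371 km sphere."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def successes_by_user(events):
    """Group successful sign-ins per user, oldest first."""
    by_user = defaultdict(list)
    for e in events:
        if e["success"]:
            by_user[e["user"]].append(e)
    return {u: sorted(evs, key=lambda e: e["ts"]) for u, evs in by_user.items()}


def detect_impossible_travel(events, max_kmh=900.0):
    """Return (user, from_ip, to_ip, km, km_per_hour) for consecutive successful
    sign-ins whose implied speed exceeds max_kmh (roughly airliner speed)."""
    hits = []
    for user, evs in successes_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same-second moves count as infinite
            if km > 0 and speed > max_kmh:
                hits.append((user, prev["ip"], cur["ip"], round(km), speed))
    return hits


def detect_dormant_wakeup(events, min_silence_days=90):
    """Return (user, last_seen, reactivated_at, ip, gap_days) where a successful
    sign-in follows at least min_silence_days of silence."""
    hits = []
    for user, evs in successes_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["ts"] - prev["ts"]).days
            if gap >= min_silence_days:
                hits.append((user, prev["ts"].isoformat(), cur["ts"].isoformat(),
                             cur["ip"], gap))
    return hits


if __name__ == "__main__":
    print("password spray from:", detect_password_spray(SIGNINS))
    for h in detect_impossible_travel(SIGNINS):
        print("impossible travel:", h[0], h[1], "->", h[2], f"{h[3]} km at {h[4]:.0f} km/h")
    for h in detect_dormant_wakeup(SIGNINS):
        print("dormant wake-up:", h)
```

The thresholds (min_users, max_failures_per_user, max_kmh, min_silence_days) are the knobs an agent would tune against a tenant's baseline; note that alice's repeated failures against a single account are deliberately not reported as a spray, since a spray is wide and shallow rather than deep on one user. Real sign-in rows carry an IP rather than coordinates, so a production rule needs an IP geolocation step before the distance calculation, which this example sidesteps by embedding the coordinates.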

📚 Learn more

Explore the Microsoft Sentinel data lake with the data exploration collection