## Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| MCP_DEBUG_LOG | No | Enable debug logging (true/false) | false |
| AZURE_CLIENT_ID | No | The Azure client ID for service principal authentication | |
| AZURE_TENANT_ID | No | The Azure tenant ID | |
| AZURE_WORKSPACE_ID | No | The ID of the Sentinel workspace | |
| AZURE_CLIENT_SECRET | No | The Azure client secret for service principal authentication | |
| AZURE_RESOURCE_GROUP | No | The Azure resource group containing the Sentinel workspace | |
| AZURE_WORKSPACE_NAME | No | The name of the Sentinel workspace | |
| AZURE_SUBSCRIPTION_ID | No | The Azure subscription ID | |
## Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| sentinel_logs_search | Run a KQL query against Azure Monitor |
| sentinel_logs_search_with_dummy_data | Test a KQL query with mock data using a datatable. Validates KQL locally first. |
| sentinel_incident_list | List security incidents in Microsoft Sentinel |
| sentinel_incident_get | Get detailed information about a specific Sentinel incident |
| sentinel_workspace_get | Get workspace information (refactored, MCP-compliant) |
| sentinel_source_controls_list | List all Sentinel source controls in the current workspace. |
| sentinel_source_control_get | Get details for a specific Sentinel source control by ID. |
| sentinel_metadata_list | List all Sentinel metadata in the current workspace. |
| sentinel_metadata_get | Get details for specific Sentinel metadata by ID. |
| sentinel_ml_analytics_settings_list | List all Sentinel ML analytics settings in the current workspace. |
| sentinel_ml_analytics_setting_get | Get a specific Sentinel ML analytics setting by name. |
| sentinel_analytics_rule_list | List all analytics rules with key fields |
| sentinel_analytics_rule_get | Get details for a specific analytics rule |
| sentinel_analytics_rule_templates_list | List all Sentinel analytics rule templates |
| sentinel_analytics_rule_template_get | Get a specific Sentinel analytics rule template |
| sentinel_analytics_rules_count_by_tactic | Count Sentinel analytics rules by tactic. |
| sentinel_analytics_rule_templates_count_by_tactic | Count Sentinel analytics rule templates by tactic. |
| sentinel_analytics_rules_count_by_technique | Count Sentinel analytics rules by MITRE technique. |
| sentinel_analytics_rule_templates_count_by_technique | Count Sentinel analytics rule templates by MITRE technique. |
| markdown_templates_list | List available markdown templates and their descriptions. |
| markdown_template_get | Get the raw markdown content for a specific template by name. |
| tool_docs_list | Enumerate available Sentinel server documentation markdown paths. |
| tool_docs_get | Return the raw markdown for a given documentation path. |
| tool_docs_search | Full-text search across documentation; returns matching paths. |
| llm_instructions_get | Retrieve the LLM usage instructions for the Sentinel MCP Server. Use this tool first before all other tools. |
| sentinel_authorization_summary | Summarize Azure RBAC role assignments for Sentinel and Log Analytics access. |
| sentinel_hunting_queries_list | List all Sentinel hunting queries (saved searches) with optional tactic/technique filtering |
| sentinel_hunting_queries_count_by_tactic | Count Sentinel hunting queries (saved searches) by tactic |
| sentinel_hunting_query_get | Get full details of a Sentinel hunting query (saved search) by name or ID. |
| sentinel_logs_tables_list | List available tables in the Log Analytics workspace |
| sentinel_logs_table_schema_get | Get schema (columns/types) for a Log Analytics table |
| sentinel_logs_table_details_get | Get details (metadata, retention, row count, etc.) for a Log Analytics table |
| sentinel_query_validate | Validate KQL Query Syntax locally |
| entra_id_list_users | List users in Entra ID (Azure AD) via Microsoft Graph API. |
| entra_id_get_user | Get a user from Entra ID (Azure AD) by object ID, UPN, or email address. |
| entra_id_list_groups | List groups in Entra ID (Azure AD) via Microsoft Graph API. |
| entra_id_get_group | Get a group from Entra ID (Azure AD) by object ID. |
| log_analytics_saved_searches_list | List all saved searches in a Log Analytics workspace |
| log_analytics_saved_search_get | Get a specific saved search from a Log Analytics workspace |
| sentinel_watchlists_list | List all Sentinel watchlists |
| sentinel_watchlist_get | Get a specific Sentinel watchlist |
| sentinel_watchlist_items_list | List all items in a Sentinel watchlist |
| sentinel_watchlist_item_get | Get a specific item from a Sentinel watchlist |
| sentinel_connectors_list | List data connectors |
| sentinel_connectors_get | Get a specific data connector by ID |
| sentinel_ti_indicator_get | Get a specific Sentinel threat intelligence indicator |
| sentinel_ti_indicator_metrics_collect | Collect metrics for Sentinel threat intelligence indicators |
| sentinel_ip_geodata_get | Get geolocation data for an IP address |
| sentinel_domain_whois_get | Get WHOIS information for a domain |
## Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| sentinel_hunting_investigate_ip | Investigate an IP address |
| sentinel_incident_respond | Incident response workflow |
| sentinel_analytics_create_detection | Create a detection query |
| sentinel_hunting_create_query | Create an advanced KQL query |
## Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| sentinel://reference/kql/basics | |
| resource://instructions | |
| sentinel://reference/kql/examples | |
| sentinel://reference/kql/examples/security | |