Security Copilot and Sentinel MCP Server
A Python-based MCP server, built on the FastMCP library, that integrates with Microsoft Security Copilot and Microsoft Sentinel and authenticates with Azure Identity.
Overview
This project implements an MCP server that enables:
Running KQL queries against Microsoft Sentinel
Uploading/Updating Microsoft Security Copilot skillsets/plugins
Running prompts and skills in Microsoft Security Copilot
The server acts as a bridge between development environments and Microsoft Security Copilot, allowing skills and plugins to be tested, deployed and executed. It uses SSE as the transport layer for the MCP server. There are many use cases for the current integration; one of the most interesting is supporting the development, testing and deployment of Security Copilot KQL skills.
Features
Sentinel Integration: Execute KQL queries against your Sentinel workspace
Security Copilot Management:
List existing skillsets/plugins
Upload new or update existing skillsets/plugins
Run prompts or skills within Security Copilot
Authentication Support: Multiple authentication methods including interactive browser, client secret, and managed identity
Roadmap
The next features will include:
Promptbook testing and updating
Running Advanced Hunting queries in Defender XDR
Prerequisites
Python 3.8+
Microsoft Sentinel workspace
Microsoft Security Copilot access
Appropriate Azure permissions for Sentinel and Security Copilot
Installation
Clone the repository:
git clone https://github.com/jguimera/SecurityCopilotMCPServer.git
cd SecurityCopilotMCPServer
Install dependencies:
pip install -r requirements.txt
Create a .env file with the following configuration:
#Add App Reg to use ClientID and Secret authentication
#AZURE_TENANT_ID=your_tenant_id
#AZURE_CLIENT_ID=your_client_id
#AZURE_CLIENT_SECRET=your_client_secret
SENTINEL_SUBSCRIPTION_ID=your_subscription_id
SENTINEL_RESOURCE_GROUP=your_resource_group
SENTINEL_WORKSPACE_NAME=your_workspace_name
SENTINEL_WORKSPACE_ID=your_workspace_id
#Authentication Options: interactive, client_secret
AUTHENTICATION_TYPE=interactive
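The .env above drives both the Sentinel target and the credential the server authenticates with. The following is an added example (not code from the SecurityCopilotMCPServer project) of how a startup check for that file can look: it parses the .env format, requires the AZURE_* app-registration keys only when AUTHENTICATION_TYPE is client_secret, reports missing key names without echoing values, and maps the two authentication options listed in the file to azure.identity credentials. SAMPLE_ENV holds constructed placeholder values; the azure.identity import is deferred so the validation runs without that package installed.

```python
from typing import Dict

# Constructed sample in the README's .env format (placeholder values, not a real tenant).
SAMPLE_ENV = """\
#AZURE_TENANT_ID=your_tenant_id
#AZURE_CLIENT_ID=your_client_id
#AZURE_CLIENT_SECRET=your_client_secret
SENTINEL_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000
SENTINEL_RESOURCE_GROUP=rg-sentinel
SENTINEL_WORKSPACE_NAME=law-sentinel
SENTINEL_WORKSPACE_ID=11111111-1111-1111-1111-111111111111
AUTHENTICATION_TYPE=interactive
"""

SENTINEL_KEYS = ("SENTINEL_SUBSCRIPTION_ID", "SENTINEL_RESOURCE_GROUP",
                 "SENTINEL_WORKSPACE_NAME", "SENTINEL_WORKSPACE_ID")
# Extra keys each AUTHENTICATION_TYPE needs; interactive browser login needs none.
AUTH_KEYS = {"interactive": (),
             "client_secret": ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")}


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; '#' lines are comments, so commented-out keys stay unset."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def validate(cfg: Dict[str, str]) -> Dict[str, str]:
    """Fail at startup on a bad config rather than on the first tool call."""
    auth = cfg.get("AUTHENTICATION_TYPE", "")
    if auth not in AUTH_KEYS:
        raise ValueError(f"AUTHENTICATION_TYPE must be one of {sorted(AUTH_KEYS)}, got {auth!r}")
    missing = [k for k in SENTINEL_KEYS + AUTH_KEYS[auth] if not cfg.get(k)]
    if missing:  # report key names only; never echo secret values into logs
        raise ValueError("missing keys: " + ", ".join(missing))
    return cfg


def build_credential(cfg: Dict[str, str]):
    """Map AUTHENTICATION_TYPE to an azure.identity credential (imported lazily)."""
    from azure.identity import ClientSecretCredential, InteractiveBrowserCredential
    if cfg["AUTHENTICATION_TYPE"] == "client_secret":
        return ClientSecretCredential(cfg["AZURE_TENANT_ID"], cfg["AZURE_CLIENT_ID"],
                                      cfg["AZURE_CLIENT_SECRET"])
    return InteractiveBrowserCredential(tenant_id=cfg.get("AZURE_TENANT_ID"))
```

Switching AUTHENTICATION_TYPE to client_secret while the AZURE_* lines are still commented out is rejected at startup with the names of the three missing keys.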
Usage
Starting the Server
Run the MCP server:
To run tests before starting the server:
Available Tools
The MCP server provides the following tools:
run_sentinel_query: Execute KQL queries in Sentinel
get_skillsets: List skillsets in Security Copilot
upload_plugin: Upload or update a skillset/plugin
run_prompt: Run a prompt or skill in Security Copilot
MCP Client Config for Cursor
You can use this MCP server from the client of your choice. In this repo you can find instructions and config files for Cursor.
Add the .cursor folder inside your client project to enable the MCP tools. This folder contains two files:
Cursor Project Rules (securitycopilotdev.mdc): This file includes some custom Cursor rules that help the agents define the process and understand user prompts.
MCP Client Configuration (mcp.json): File that connects Cursor to the MCP server.
You can invoke a tool directly using /tool_name parameter1="Value of the tool parameter". For example: /run_prompt content="List the most recent risky users"
More info: https://docs.cursor.com/context/model-context-protocol#configuring-mcp-servers
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
1. Fork the repository
2. Create your feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add some amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request
License
This project is licensed under the MIT License - see the LICENSE file for details.