
ms-sentinel-mcp-server

by dstreefkerk

Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
|------|----------|-------------|---------|
| MCP_DEBUG_LOG | No | Enable debug logging (true/false) | false |
| AZURE_CLIENT_ID | No | The Azure client ID for service principal authentication | |
| AZURE_TENANT_ID | No | The Azure tenant ID | |
| AZURE_WORKSPACE_ID | No | The ID of the Sentinel workspace | |
| AZURE_CLIENT_SECRET | No | The Azure client secret for service principal authentication | |
| AZURE_RESOURCE_GROUP | No | The Azure resource group containing the Sentinel workspace | |
| AZURE_WORKSPACE_NAME | No | The name of the Sentinel workspace | |
| AZURE_SUBSCRIPTION_ID | No | The Azure subscription ID | |

Capabilities

Server capabilities have not been inspected yet.

Tools

Functions exposed to the LLM to take actions

| Name | Description |
|------|-------------|
| sentinel_logs_search | Run a KQL query against Azure Monitor |
| sentinel_logs_search_with_dummy_data | Test a KQL query with mock data using a datatable. Validates KQL locally first. |
| sentinel_incident_list | List security incidents in Microsoft Sentinel |
| sentinel_incident_get | Get detailed information about a specific Sentinel incident |
| sentinel_workspace_get | Get workspace information (refactored, MCP-compliant) |
| sentinel_source_controls_list | List all Sentinel source controls in the current workspace. |
| sentinel_source_control_get | Get details for a specific Sentinel source control by ID. |
| sentinel_metadata_list | List all Sentinel metadata in the current workspace. |
| sentinel_metadata_get | Get details for specific Sentinel metadata by ID. |
| sentinel_ml_analytics_settings_list | List all Sentinel ML analytics settings in the current workspace. |
| sentinel_ml_analytics_setting_get | Get a specific Sentinel ML analytics setting by name. |
| sentinel_analytics_rule_list | List all analytics rules with key fields |
| sentinel_analytics_rule_get | Get details for a specific analytics rule |
| sentinel_analytics_rule_templates_list | List all Sentinel analytics rule templates |
| sentinel_analytics_rule_template_get | Get a specific Sentinel analytics rule template |
| sentinel_analytics_rules_count_by_tactic | Count Sentinel analytics rules by tactic. |
| sentinel_analytics_rule_templates_count_by_tactic | Count Sentinel analytics rule templates by tactic. |
| sentinel_analytics_rules_count_by_technique | Count Sentinel analytics rules by MITRE technique. |
| sentinel_analytics_rule_templates_count_by_technique | Count Sentinel analytics rule templates by MITRE technique. |
| markdown_templates_list | List available markdown templates and their descriptions. |
| markdown_template_get | Get the raw markdown content for a specific template by name. |
| tool_docs_list | Enumerate available Sentinel server documentation markdown paths. |
| tool_docs_get | Return the raw markdown for a given documentation path. |
| tool_docs_search | Full-text search across documentation; returns matching paths. |
| llm_instructions_get | Retrieve the LLM usage instructions for the Sentinel MCP Server. Use this tool first before all other tools. |
| sentinel_authorization_summary | Summarize Azure RBAC role assignments for Sentinel and Log Analytics access. |
| sentinel_hunting_queries_list | List all Sentinel hunting queries (saved searches) with optional tactic/technique filtering |
| sentinel_hunting_queries_count_by_tactic | Count Sentinel hunting queries (saved searches) by tactic |
| sentinel_hunting_query_get | Get full details of a Sentinel hunting query (saved search) by name or ID. |
| sentinel_logs_tables_list | List available tables in the Log Analytics workspace |
| sentinel_logs_table_schema_get | Get schema (columns/types) for a Log Analytics table |
| sentinel_logs_table_details_get | Get details (metadata, retention, row count, etc.) for a Log Analytics table |
| sentinel_query_validate | Validate KQL query syntax locally |
| entra_id_list_users | List users in Entra ID (Azure AD) via Microsoft Graph API. |
| entra_id_get_user | Get a user from Entra ID (Azure AD) by object ID, UPN, or email address. |
| entra_id_list_groups | List groups in Entra ID (Azure AD) via Microsoft Graph API. |
| entra_id_get_group | Get a group from Entra ID (Azure AD) by object ID. |
| log_analytics_saved_searches_list | List all saved searches in a Log Analytics workspace |
| log_analytics_saved_search_get | Get a specific saved search from a Log Analytics workspace |
| sentinel_watchlists_list | List all Sentinel watchlists |
| sentinel_watchlist_get | Get a specific Sentinel watchlist |
| sentinel_watchlist_items_list | List all items in a Sentinel watchlist |
| sentinel_watchlist_item_get | Get a specific item from a Sentinel watchlist |
| sentinel_connectors_list | List data connectors |
| sentinel_connectors_get | Get a specific data connector by ID |
| sentinel_ti_indicator_get | Get a specific Sentinel threat intelligence indicator |
| sentinel_ti_indicator_metrics_collect | Collect metrics for Sentinel threat intelligence indicators |
| sentinel_ip_geodata_get | Get geolocation data for an IP address |
| sentinel_domain_whois_get | Get WHOIS information for a domain |

Prompts

Interactive templates invoked by user choice

| Name | Description |
|------|-------------|
| sentinel_hunting_investigate_ip | Investigate an IP address |
| sentinel_incident_respond | Incident response workflow |
| sentinel_analytics_create_detection | Create a detection query |
| sentinel_hunting_create_query | Create an advanced KQL query |

Resources

Contextual data attached and managed by the client

| Name | Description |
|------|-------------|
| sentinel://reference/kql/basics | |
| resource://instructions | |
| sentinel://reference/kql/examples | |
| sentinel://reference/kql/examples/security | |
