Microsoft Defender XDR MCP server
Investigate Defender XDR alerts, hunt threats, and query the Microsoft Sentinel data lake with natural language.
About
Connect Tracecat to Microsoft Defender XDR to investigate alerts and hunt across the Sentinel data lake. The integration is aimed at SOC teams running Microsoft as their primary SIEM and XDR: from a workflow you can pick up a Defender XDR incident, analyze the entities and devices involved, and run a KQL query against the data lake. From there, look up IOCs against Microsoft threat intelligence, investigate sign-in activity, and surface device outliers. Every tool call runs under the signed-in user's delegated Entra permissions, so results are scoped to the data that user is already authorized to read.
Setup
1. Sign in with OAuth. You'll authorize Tracecat to access Microsoft Defender XDR on your behalf; there are no API keys to manage.
2. Select the Microsoft Defender XDR tile in the Tracecat MCP catalog. Open the MCP catalog in your workspace, select the Microsoft Defender XDR tile, and complete the OAuth flow.
3. Enable Microsoft Defender XDR in your agent. In your ai.agent action or the Agents → tools tab, select Microsoft Defender XDR from the MCP integrations dropdown.
Tools
- sentinel_data_lake_query: Query tables in the Microsoft Sentinel data lake with KQL.
- sentinel_search_tables: Search the Sentinel data lake for relevant tables based on intent.
- sentinel_incident_triage: Triage Microsoft Sentinel and Defender XDR incidents end to end.
- sentinel_threat_hunting: Hunt for threats across signals using guided hunting tools.
- sentinel_entity_analysis: Analyze users, devices, and other entities for risk indicators.
- sentinel_iocs_lookup: Look up URL, file, and IP IOCs against Microsoft threat intelligence.
- sentinel_signin_investigation: Investigate sign-in activity and password spray alerts.
- sentinel_device_outliers: Identify devices showing outlier network or process behavior.
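The data lake query and sign-in investigation tools above both come down to KQL over the sign-in tables. As an added example (not Tracecat's code, and not the schema of any Tracecat tool), here is a password-spray hunt: the KQL a workflow would hand to sentinel_data_lake_query, alongside a Python function that applies the same aggregation to a constructed batch of SigninLogs-style records so the thresholds can be checked offline before the query runs against production telemetry. SigninLogs and its columns are Sentinel's standard schema; the one-hour window, the distinct-user and failure-count thresholds, and all sample data are assumptions.

```python
"""Password-spray hunt: KQL for the Sentinel data lake plus an offline
re-implementation of the same aggregation for threshold sanity checks."""
from collections import defaultdict
from datetime import datetime, timedelta

# KQL to pass to the data lake query tool. SigninLogs/ResultType/IPAddress/
# UserPrincipalName are Sentinel's standard columns; the 1h window and the
# >=10 users / >=20 failures thresholds are assumptions to tune per tenant.
PASSWORD_SPRAY_KQL = """
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50126"          // invalid username or password
| summarize FailedUsers = dcount(UserPrincipalName),
            Failures   = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
  by IPAddress
| where FailedUsers >= 10 and Failures >= 20
| order by FailedUsers desc
"""

INVALID_CREDENTIALS = "50126"  # Entra sign-in error code: bad username/password


def find_password_spray(events, window=timedelta(hours=1), min_users=10, min_failures=20):
    """Mirror the KQL above over a list of SigninLogs-like dicts.

    Each event needs TimeGenerated (datetime), IPAddress, UserPrincipalName and
    ResultType. The window is anchored on the newest event in the batch, since
    an offline sample has no "now". Returns {ip: stats} for every source IP that
    failed against at least `min_users` distinct accounts with at least
    `min_failures` failures inside the window.
    """
    if not events:
        return {}
    cutoff = max(e["TimeGenerated"] for e in events) - window
    users, failures, first, last = defaultdict(set), defaultdict(int), {}, {}
    for e in events:
        if e["TimeGenerated"] <= cutoff or e["ResultType"] != INVALID_CREDENTIALS:
            continue  # outside the window, or not a credential failure
        ip, ts = e["IPAddress"], e["TimeGenerated"]
        users[ip].add(e["UserPrincipalName"].lower())  # UPNs are case-insensitive
        failures[ip] += 1
        first[ip] = min(first.get(ip, ts), ts)
        last[ip] = max(last.get(ip, ts), ts)
    return {
        ip: {"FailedUsers": len(users[ip]), "Failures": failures[ip],
             "FirstSeen": first[ip], "LastSeen": last[ip]}
        for ip in users
        if len(users[ip]) >= min_users and failures[ip] >= min_failures
    }


def sample_events():
    """Constructed SigninLogs-style records, not real telemetry.

    203.0.113.7 tries one bad password against 12 accounts twice each (a spray);
    198.51.100.4 is a single user mistyping their password 25 times (not a spray).
    """
    base = datetime(2024, 1, 1, 12, 0, 0)
    ev = []
    for i in range(12):
        for j in range(2):
            ev.append({"TimeGenerated": base + timedelta(minutes=i * 2 + j),
                       "IPAddress": "203.0.113.7",
                       "UserPrincipalName": f"user{i}@contoso.example",
                       "ResultType": INVALID_CREDENTIALS})
    for k in range(25):
        ev.append({"TimeGenerated": base + timedelta(minutes=k),
                   "IPAddress": "198.51.100.4",
                   "UserPrincipalName": "alice@contoso.example",
                   "ResultType": INVALID_CREDENTIALS})
    # A later successful sign-in from the spray source; the failure filter drops it.
    ev.append({"TimeGenerated": base + timedelta(minutes=30), "IPAddress": "203.0.113.7",
               "UserPrincipalName": "user3@contoso.example", "ResultType": "0"})
    return ev


if __name__ == "__main__":
    for ip, stats in find_password_spray(sample_events()).items():
        print(ip, stats)
```

The per-IP grouping is what separates a spray (few failures against many accounts) from a single user locking themselves out (many failures against one account), which is why the filter keys on distinct users rather than raw failure count alone. Attackers who rotate source IPs per attempt will fall under the threshold; for that case, re-run the same aggregation by UserAgent or by /24, and use the entity analysis tool on the targeted accounts instead of the source address.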