Microsoft Defender XDR MCP server
Investigate Defender XDR alerts, hunt threats, and query the Microsoft Sentinel data lake with natural language.
About
Connect Tracecat to Microsoft Defender XDR to investigate alerts and hunt across the Sentinel data lake, built for SOC teams that run Microsoft as their primary SIEM and XDR. From a workflow you can pick up a Defender XDR incident, analyze the entities and devices involved, and run a KQL query against the data lake. From there, look up IOCs against Microsoft threat intelligence, investigate sign-in activity, and surface device outliers. Every tool call runs under the user's delegated Entra permissions, so the integration can never read more than the signed-in user is allowed to.
Setup
1. Sign in with OAuth
   You'll authorize Tracecat to access Microsoft Defender XDR on your behalf. No API keys to manage.
2. Select the Microsoft Defender XDR tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the Microsoft Defender XDR tile, and complete the OAuth flow.
3. Enable Microsoft Defender XDR in your agent
   In your ai.agent action or Agents → tools tab, select Microsoft Defender XDR from the MCP integrations dropdown.
Tools
| Tool | Description |
| --- | --- |
| sentinel_data_lake_query | Query tables in the Microsoft Sentinel data lake with KQL. |
| sentinel_search_tables | Search the Sentinel data lake for relevant tables based on intent. |
| sentinel_incident_triage | Triage Microsoft Sentinel and Defender XDR incidents end to end. |
| sentinel_threat_hunting | Hunt for threats across signals using guided hunting tools. |
| sentinel_entity_analysis | Analyze users, devices, and other entities for risk indicators. |
| sentinel_iocs_lookup | Look up URL, file, and IP IOCs against Microsoft threat intelligence. |
| sentinel_signin_investigation | Investigate sign-in activity and password spray alerts. |
| sentinel_device_outliers | Identify devices showing outlier network or process behavior. |