Microsoft Sentinel MCP server
Query the Microsoft Sentinel data lake and run SOC operations from your AI agents.
About
Connect Tracecat to Microsoft Sentinel to query the data lake and run hunts from agents working alongside SOC analysts and threat hunters. You can pull long-retention telemetry from the Sentinel data lake to investigate signals that fall outside your hot indices. From there, agents can pivot through related entities, enrich findings with Defender and Entra context, and feed the result back into a Tracecat case with the connected user's audit trail intact.
Setup
1. Sign in with OAuth
You'll authorize Tracecat to access Microsoft Sentinel on your behalf. No API keys to manage.
2. Select the Microsoft Sentinel tile in the Tracecat MCP catalog
Open the MCP catalog in your workspace, select the Microsoft Sentinel tile, and complete the OAuth flow.
3. Enable Microsoft Sentinel in your agent
In your ai.agent action or Agents → tools tab, select Microsoft Sentinel from the MCP integrations dropdown.
Tools
| Tool collection | Description |
| --- | --- |
| Data exploration tools | The connector currently exposes the Sentinel data exploration tool collection, which lets agents query the Sentinel data lake and pivot through entities. Confirm with vendor docs for the latest set. |