The Security Copilot and Sentinel MCP server provides integration between development environments and Microsoft Security services. It allows you to run KQL queries against Sentinel, manage Security Copilot skillsets/plugins, and execute prompts or skills within Security Copilot using the Model Context Protocol (MCP).
Clone the repository:
git clone https://github.com/jguimera/SecurityCopilotMCPServer.git
cd SecurityCopilotMCPServer
Install dependencies:
pip install -r requirements.txt
Create a .env file with the following configuration:
SENTINEL_SUBSCRIPTION_ID=your_subscription_id
SENTINEL_RESOURCE_GROUP=your_resource_group
SENTINEL_WORKSPACE_NAME=your_workspace_name
SENTINEL_WORKSPACE_ID=your_workspace_id
#Authentication Options: interactive, client_secret
AUTHENTICATION_TYPE=interactive
#Add App Reg to use ClientID and Secret authentication (optional)
#AZURE_TENANT_ID=your_tenant_id
#AZURE_CLIENT_ID=your_client_id
#AZURE_CLIENT_SECRET=your_client_secret
Run the MCP server:
python server.py
To run tests before starting the server:
python server.py --run-tests
The MCP server provides the following tools:
Execute KQL queries against your Microsoft Sentinel workspace:
/run_sentinel_query query="SecurityIncident | where TimeGenerated > ago(7d) | limit 10"
List existing skillsets/plugins in Security Copilot:
/get_skillsets
Upload a new or update an existing skillset/plugin to Security Copilot:
/upload_plugin path="/path/to/skillset/folder"
Execute a prompt or skill within Security Copilot:
/run_prompt content="List the most recent risky users"
To use this MCP server with Cursor:
.cursor folder inside your client project to enable the MCP toolssecuritycopilotdev.mdc: Custom Cursor Rules to help agents understand user promptsmcp.json: Configuration that connects Cursor to the MCP serverYou can invoke tools directly using the syntax:
/tool_name parameter1="Value of the tool parameter"
For example:
/run_prompt content="List the most recent risky users"
For more information on configuring MCP servers with Cursor, visit: https://docs.cursor.com/context/model-context-protocol#configuring-mcp-servers
To add this MCP server to Claude Code, run this command in your terminal:
claude mcp add-json "security-copilot-mcp-server" '{"command":"python","args":["server.py"]}'See the official Claude Code MCP documentation for more details.
There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.
If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.
To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".
When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:
{
"mcpServers": {
"security-copilot-mcp-server": {
"command": "python",
"args": [
"server.py"
]
}
}
}To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.
Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.
The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.
You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.
To add this MCP server to Claude Desktop:
1. Find your configuration file:
~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%\Claude\claude_desktop_config.json~/.config/Claude/claude_desktop_config.json2. Add this to your configuration file:
{
"mcpServers": {
"security-copilot-mcp-server": {
"command": "python",
"args": [
"server.py"
]
}
}
}3. Restart Claude Desktop for the changes to take effect