
Security Copilot and Sentinel MCP Server

MCP server that integrates with Security Copilot, Sentinel and, in the future, other tools. It enhances the process of developing, testing and uploading Security Copilot artifacts.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "jguimera-securitycopilotmcpserver": {
      "command": "python",
      "args": [
        "server.py"
      ],
      "env": {
        "AZURE_CLIENT_ID": "YOUR_CLIENT_ID",
        "AZURE_TENANT_ID": "YOUR_TENANT_ID",
        "AUTHENTICATION_TYPE": "interactive",
        "AZURE_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
        "SENTINEL_WORKSPACE_ID": "YOUR_WORKSPACE_ID",
        "SENTINEL_RESOURCE_GROUP": "YOUR_RESOURCE_GROUP",
        "SENTINEL_WORKSPACE_NAME": "YOUR_WORKSPACE_NAME",
        "SENTINEL_SUBSCRIPTION_ID": "YOUR_SUBSCRIPTION_ID"
      }
    }
  }
}

You can run a Python-based MCP server that bridges development environments with Microsoft Security Copilot and Microsoft Sentinel. This server lets you run KQL queries against Sentinel, manage Security Copilot skillsets/plugins, and execute prompts or skills directly from your MCP client, which streamlines testing, deployment, and integration workflows.

How to use

Install and start the MCP server, then connect with your MCP client to access tools that run Sentinel queries, list and upload Security Copilot skillsets/plugins, and run prompts or skills in Security Copilot. Use the client to invoke tools such as run_sentinel_query, get_skillsets, upload_plugin, and run_prompt to interact with your security data and Copilot skills.

How to install

Prerequisites: Python 3.8+ and access to Microsoft Sentinel and Security Copilot.

# Step 1: Clone the MCP server repository
git clone https://github.com/jguimera/SecurityCopilotMCPServer.git
cd SecurityCopilotMCPServer

# Step 2: Install dependencies
pip install -r requirements.txt

# Step 3: Create environment configuration
# Create a .env file with the Azure and Sentinel settings below
AZURE_TENANT_ID=your_tenant_id
AZURE_CLIENT_ID=your_client_id
AZURE_CLIENT_SECRET=your_client_secret
SENTINEL_SUBSCRIPTION_ID=your_subscription_id
SENTINEL_RESOURCE_GROUP=your_resource_group
SENTINEL_WORKSPACE_NAME=your_workspace_name
SENTINEL_WORKSPACE_ID=your_workspace_id
# Authentication options: interactive or client_secret
AUTHENTICATION_TYPE=interactive
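
As an added example (not part of the project's code), this Python check reads an MCP client configuration like the one shown under Configuration and reports leftover placeholders, missing settings, and a client secret that does not match the chosen AUTHENTICATION_TYPE. It assumes that every non-secret key in the page's configuration block is required and that interactive sign-in does not use AZURE_CLIENT_SECRET; `check_mcp_env`, `is_placeholder` and the sample values are introduced here.

```python
import json

SERVER = "jguimera-securitycopilotmcpserver"  # server key from the page's config
# Assumption: every non-secret key in the page's configuration block is required.
REQUIRED = ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AUTHENTICATION_TYPE",
            "SENTINEL_SUBSCRIPTION_ID", "SENTINEL_RESOURCE_GROUP",
            "SENTINEL_WORKSPACE_NAME", "SENTINEL_WORKSPACE_ID"]
AUTH_TYPES = ("interactive", "client_secret")  # the two options the page lists

def is_placeholder(value):
    return value.lower().startswith("your_")  # e.g. YOUR_CLIENT_ID, your_tenant_id

def check_mcp_env(config_text, server=SERVER):
    """Return findings for the server's env block; an empty list means clean."""
    try:
        env = dict(json.loads(config_text)["mcpServers"][server]["env"])
    except (ValueError, KeyError, TypeError) as exc:
        return [f"env block for {server} not readable: {exc!r}"]
    env = {k: str(v).strip() for k, v in env.items()}
    findings = []
    for key in REQUIRED:
        value = env.get(key, "")
        if not value:
            findings.append(f"{key}: missing or empty")
        elif is_placeholder(value):
            findings.append(f"{key}: placeholder left in place")
    auth = env.get("AUTHENTICATION_TYPE", "")
    secret = env.get("AZURE_CLIENT_SECRET", "")
    has_secret = bool(secret) and not is_placeholder(secret)
    if auth and not is_placeholder(auth) and auth not in AUTH_TYPES:
        findings.append(f"AUTHENTICATION_TYPE: unsupported value {auth!r}")
    if auth == "client_secret" and not has_secret:
        findings.append("AZURE_CLIENT_SECRET: needed for client_secret auth")
    # Assumption: interactive sign-in does not read the client secret, so a
    # real secret here only adds a plaintext credential to the client config.
    if auth == "interactive" and has_secret:
        findings.append("AZURE_CLIENT_SECRET: set but unused with interactive auth")
    return findings

# Constructed sample config (all values invented for this example).
SAMPLE = json.dumps({"mcpServers": {SERVER: {"command": "python", "env": {
    "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
    "AZURE_TENANT_ID": "22222222-2222-2222-2222-222222222222",
    "AUTHENTICATION_TYPE": "interactive", "AZURE_CLIENT_SECRET": "constructed-secret",
    "SENTINEL_WORKSPACE_ID": "YOUR_WORKSPACE_ID", "SENTINEL_RESOURCE_GROUP": "rg-lab",
    "SENTINEL_WORKSPACE_NAME": "law-lab"}}}})

if __name__ == "__main__":
    print("\n".join(check_mcp_env(SAMPLE)))
```
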

Starting the server

To launch the MCP server, run the following command from the project directory.

python server.py

Running tests before starting

If you want to run the test suite prior to starting the server, use this command.

python server.py --run-tests

Available tools

run_sentinel_query

Execute KQL queries against the connected Microsoft Sentinel workspace to retrieve logs and intelligence.

get_skillsets

List existing Security Copilot skillsets/plugins available in your environment.

upload_plugin

Upload a new Security Copilot skillset or plugin, or update an existing one.

run_prompt

Run a prompt or skill within Security Copilot from the MCP server.