Provides access to Microsoft Sentinel data lake via natural language queries and structural exploration for security analytics.
Configuration

    {
      "mcpServers": {
        "microsoft-sentinel-data-exploration-mcp": {
          "url": "https://sentinel.microsoft.com/mcp/data-exploration"
        }
      }
    }

You can connect your MCP client to the Microsoft Sentinel Data Exploration endpoint to query and explore data lake tables using natural language. This MCP server enables you to locate relevant tables, run queries, and surface insights through an OAuth 2.0 secured endpoint, making it easier to build security analytics agents and automations around Microsoft Sentinel data.
To use this MCP server, connect your MCP client to the remote endpoint and authenticate with OAuth 2.0. Once connected, you can describe the data you want to retrieve in natural language, and the server will help you locate relevant tables, aggregate data as needed, and surface security signals. Typical workflows include detecting password-spray patterns across many accounts, correlating sign-in events by user and location, monitoring multi-factor authentication failures, and identifying dormant accounts that wake up with recent activity.
Before using this MCP server you need a client that supports the Model Context Protocol (MCP) and OAuth 2.0, and network access to the endpoint. Use the following details to prepare your environment and connect.
Endpoint and authentication details
- Remote MCP endpoint: https://sentinel.microsoft.com/mcp/data-exploration
- Authentication: OAuth 2.0