Today, we’re excited to announce the General Availability of Microsoft Sentinel MCP (Model Context Protocol) server, a fully managed cloud service built on an open standard that empowers AI agents to seamlessly access your entire security context through natural language, eliminating the need for complex data engineering as you build agents. This unlocks new levels of AI agent performance and effectiveness, enabling them to do more for you.
Since the public preview launch on September 30, hundreds of customers have explored MCP tools that provide semantic access to their entire security context. These tools allow security AI agents to operate with unprecedented precision by understanding your unique security context in natural language.
Today, we’re introducing multiple innovations and new capabilities designed to help even more customers unlock more with AI-driven security.
This post offers a high-level overview of what’s new. Stay tuned for deep-dive blogs that will unpack each feature in detail.
Connect to Sentinel MCP server from Multiple AI Platforms
By adopting the MCP open standard, we can progress on our mission to empower effective AI agents wherever you choose to run them. Beyond Security Copilot and VSCode Github Copilot, Sentinel MCP server is now natively integrated with Copilot Studio and Microsoft Foundry agent-building experiences. When creating an agent in any of these platforms, you can easily select Sentinel MCP tools, no pre-configuration required. It’s ready to use, so if you are using any of these platforms, dive in and give it a try. Click here for detailed guidance
Figure 1: Microsoft Copilot Studio
Figure 2: Microsoft Foundry
Additionally, you can now connect OpenAI ChatGPT to Sentinel MCP server through a secured OAuth authentication through a simple configuration in Entra. Learn how here
Figure 3: ChatGPT uses Sentinel MCP tools to assess threat impact on your organizationCustom KQL Tools
Many organizations rely on a curated library of KQL queries for incident triage, investigation, and threat hunting used in manual Standard Operating Procedures (SOP) or SOAR playbooks—often managed within Defender Advanced Hunting. Now, with Sentinel MCP server, you can instantly transform these saved KQL queries into custom tools with just a click. This new capability allows you to empower your AI agents with precise, actionable data tailored to your unique security workflows. Once a KQL query is saved as a tool, Sentinel MCP server automatically creates and maintains a corresponding MCP tool—ensuring it’s always in sync with the latest version of your saved query in Defender Advanced Hunting. Any connected agent can invoke this tool, confident it reflects your most current logic and requirements. Learn more here
Figure 4: Converting saved queries to MCP tools through Defender Advanced Hunting
Entity Analyzer
Assessing the risk of entities is a core task for SOC teams—whether triaging incidents, investigating threats, or automating response workflows. Traditionally, this has required building complex playbooks or custom logic to gather and analyze fragmented security data from multiple sources.
With entity analyzer, this complexity is eliminated. The tool leverages your organization’s security data in Sentinel to deliver comprehensive, reasoned risk assessments for any entity your agents encounter – starting with users and urls. By providing a unified, out-of-the-box solution for entity analysis, entity analyzer enables your AI agents to make smarter decisions and automate more tasks—without the need to manually engineer risk evaluation logic for each entity type.
This not only accelerates agent development, but also ensures your agents are always working with the most relevant and up-to-date context from across your security environment. Entity Analyzer is now available to any MCP client integrated with Sentinel MCP Server. And for those building SOAR workflows, entity analyzer is natively integrated with Logic Apps, making it easy to enrich entities and automate verdicts within your playbooks. Learn how to build a Logic Apps playbook with Entity Analyzer
Graph Tools
Microsoft Sentinel graph connects assets, identities, activities, and threat intelligence into a unified security graph, uncovering insights that structured data alone can’t provide such as relationships, blast radius, and attack paths. The graph is now generally available, and these advanced insights can be accessed by AI agents in natural language through a dedicated set of MCP tools. Graph MCP tools are offered in a sign-up preview.
Triage Incidents and Alerts
Sentinel MCP server extends to enable natural language access to a set of APIs that enable incident and alert triage. AI agents can use these tools to carry out autonomous triage and investigation of Defender XDR and Sentinel alerts and incidents. In the next couple of weeks, it will be available, out of the box, to all customers using Microsoft Defender XDR, Microsoft Sentinel or Microsoft Defender for Endpoint. Stay tuned.
Smarter Security, Less Effort
With the latest innovations in Sentinel MCP server, security teams can now harness the full power of AI-driven automation with unprecedented simplicity and impact. From seamless integration with leading AI platforms to instant creation of custom KQL tools and out-of-the-box entity analysis, Sentinel MCP server empowers your agents to deliver smarter, faster, and more effective security outcomes. These advancements eliminate manual complexity, accelerate agent development, and ensure your SOC is always equipped with the most relevant context. Currently, features like entity analysis are available at no additional charge; as we continue to evolve the platform, we’ll share updates on future pricing well in advance. Try out the new features today and stay tuned for deep-dive updates as we continue to push the boundaries of AI-powered security automation. Learn how to get started
Microsoft