Sentinel Foundry - MCP Server (Preview) (Github Community Release)
I’ve been cooking something that a lot of people in SOC have been struggling with — especially on the engineering side of Microsoft Sentinel. Thanks to the Microsoft Security team for shaping the capabilities of Sentinel even better with Sentinel Data Lake & Modern SecOps. Today’s the day I can finally share it. Note: This is not an official Microsoft product, but it is designed to make the Sentinel Build even better (complement) with much more intelligence. 🚀 Sentinel Foundry is now in public preview with 43 tools. (Sentinel Foundry - MCP Server) It’s an MCP server built to act like the brain of a strong Sentinel engineer — helping make building, improving, and operating Sentinel far more practical, faster, and honestly more enjoyable. For a lot of teams, the challenge is not understanding what Sentinel can do. The hard part is the engineering work around it: -> Deciding what data should actually be ingested -> Building a clean, scalable Sentinel foundation -> Writing useful detections instead of noisy ones -> Balancing security value with cost -> Turning ideas into deployable engineering outputs That is exactly why I built Sentinel Foundry to help communities grow stronger. It helps with the real engineering tasks behind Sentinel — from architecture thinking to detection design, deployment planning, ingestion strategy, automation ideas, and many of the workflows outlined in the GitHub project. How does it work? Here’s one of the flagship prompts I ran with it: “Give me a complete security posture report for our workspace. Score each pillar and tell me what to prioritise.” And within seconds, it produced a structured engineering blueprint that would normally take a lot longer to pull together manually. You can see the example prompts here in what it can do: https://github.com/prabhukiranveesam/Sentinel-Foundry#what-can-it-do I want building Sentinel to feel less like repetitive engineering overhead — and more like real security engineering that is fast, creative, and enjoyable. If you work with Sentinel as a SOC L2 analyst, engineer, detection engineer, consultant, or architect, I’d genuinely love for you to try it and tell me what you think. 🔗 Public Preview: https://github.com/prabhukiranveesam/Sentinel-Foundry This is just the start of an AI era — and I’m excited to keep shaping it with more powerful features over the coming days. This is very easy to set up and will be available to all of you at no cost during this month as part of the public preview, and your feedback is extremely valuable to shape this as a powerful solution.
KQL query not working
Hi everyone, I'm not a kusto expert so bare with me. I'm trying to replace a text to another text... The one in bold is what I'm tryng to use but is not working. Basically the log doesn't make a reference for (9999) which is actually "URL filtering log"... and I need this this to show on the results... not as (9999) but as "URL filtering log". I've been trying to use CommonSecurityLog | where DeviceProduct has 'PAN-OS' | where DeviceVendor =~ 'Palo AltoNetworks' //| where DeviceEventClassID =~ 'correlation' | extend ThreatId = extract('cat=([^;]+)', 1, AdditionalExtensions) | extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)', 1, AdditionalExtensions) | extend str=strcat("9999", "9999", "URL") | extend replaced=replace_string(str, '9999', 'URL') | summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity | top 20 by Amount RESULTS:McasShadowItReporting / Cloud Discovery in Azure Sentinel
Hi! I´m trying to Query the McasShadowItReporting Table, for Cloud App DISCOVERYs The Table is empty at the moment, the connector is warning me that the Workspace is onboarded to Unified Security Operations Platform So I cant activate it here I cant mange it via https://security.microsoft.com/, too The Documentation ( https://learn.microsoft.com/en-us/defender-cloud-apps/siem-sentinel#integrating-with-microsoft-sentinel ) Leads me to the SIEM Integration, which is configured for (for a while) I wonder if something is misconfigured here and why there is no log ingress / how I can query them
Sentinel Data Connector: Google Workspace (G Suite) (using Azure Functions)
I'm encountering a problem when attempting to run the GWorkspace_Report workbook in Azure Sentinel. The query is throwing this error related to the union operator: 'union' operator: Failed to resolve table expression named 'GWorkspace_ReportsAPI_gcp_CL' I've double-checked, and the GoogleWorkspaceReports connector is installed and updated to version 3.0.2. Has anyone seen this or know what might be causing the table GWorkspace_ReportsAPI_gcp_CL to be unresolved? Thanks!
Insecure Protocol Workbook
Greetings, maybe most orgs have already eliminated insecure protocols and this workbook is no longer functional? I have it added and it appears to be collecting but when I go to open the template it is completely empty. Is the Insecure Protocol aka IP still supported and if so is there any newer documentation than the blog from 2000 around it? I am hoping to identify ntlm by user and device as the domain controllers are all logging this and the MDI agents on them are forwarding this data to Defender for Identity and Sentinel.
DLP Alert Received, but no report.
Hi, I have received the following alert, but I am unable to locate the report in Compliance Centre. Can anyone give me guidance on where to look specifically? I only have default policies applied, but would like to look into this alert in more detail to understand what is happening and check it's legitimate. Many thanks, Pete A match of one or more of your organization’s policy rules has been detected. Report Id: xxxxxxx-0906-4c2e-887b-85cd0e68e117 Person who last modified document: Severity: High False positive: No Override: No Condition matched: External recipients Condition matched: Contains sensitive information
Add Search Results to alert details in Microsoft Sentinel
Hi everyone, I’m working with Microsoft Sentinel and looking to enhance my alerts by appending search results to the alert details. Specifically, I want to include the events that triggered these alerts in the SecurityAlert table for better context during investigations and for archival purposes. I came across this guide: https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details?tabs=azure, which explains how to customize alert details. However, it doesn’t clarify whether it’s possible to add search results directly to the alert details. Is there a way to achieve this? If so, what would be the best approach? I’d really appreciate any insights, best practices, or examples from those who have done something similar. Thanks in advance!
Problem running the Windows Feature Update Device Readiness Intune Report
I have a custom Intune role for our support staff. I want them to be able to run the Feature Update Device Readiness report. When they click on the Select target OS link, it shows "No data to display", instead of the OS list. They are able to click on Select scope tag and see a list of scope tags. Is there a permission they need that I'm missing? Here is what I have assigned for the custom role. Audit data Read Corporate device identifiers Create Delete Read Update Device compliance policies Read View Reports Device Configurations Read View Reports Endpoint Analytics Read Endpoint protection reports Read Enrollment programs Create device Delete device Read device Sync device Assign Profile Read Profile Managed apps Read Managed devices Delete Read Set Primary user Update View reports Organizations Read Remote tasks Clean PC Collect diagnostics Enable Windows IntuneAgent Get Filevault key Manage shared device users Reboot now Reset passcode Retire Set device name Sync devices Wipe Roles Read
