
ms-sentinel

MCP server for Microsoft Sentinel. Enables access to Sentinel logs, incidents, analytics, and Entra ID data via a modular, queryable interface. Strictly non-production. Designed for use with Claude and other LLMs.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio dstreefkerk-ms-sentinel-mcp-server python -m ms_sentinel_mcp_server \
  --env AZURE_CLIENT_ID="Your Azure AD Application (client) ID (optional if using CLI auth)" \
  --env AZURE_TENANT_ID="Azure AD tenant (directory) ID (optional if using CLI auth)" \
  --env AZURE_CLIENT_SECRET="Your Azure AD Application secret (optional if using CLI auth)" \
  --env AZURE_SUBSCRIPTION_ID="Azure subscription ID (optional, used to scope resources)"

How to use

This MCP server exposes read-only access to a Microsoft Sentinel instance, enabling you to perform advanced querying, inspect incidents, view workspace metadata, and explore data connectors and watchlists. The toolset is designed for observation and analysis without making changes to the connected Sentinel environment. Use your MCP client (Claude Desktop, Cursor, or similar) to browse the available tools, such as KQL query execution, incident listings, analytics rule templates, hunting queries, data connectors, and threat intelligence lookups. Authentication can be done via Azure CLI, or via Azure AD service principal credentials supplied to the MCP client; if you connect using CLI auth, you may need to remove AZURE_CLIENT_ID and AZURE_CLIENT_SECRET from the client config as directed by the server documentation. The server also supports metadata access, ML analytics settings, and Entra ID user/group queries for read-only exploration.

How to install

Prerequisites:

  • Python 3.8+ installed on your machine
  • Git installed
  • Azure CLI installed or an Azure AD app for authentication

Installation steps:

  1. Clone the repository:

    git clone https://github.com/dstreefkerk/ms-sentinel-mcp-server.git
    cd ms-sentinel-mcp-server

  2. Set up a Python virtual environment (recommended):

    python -m venv venv

    Windows:

    venv\Scripts\activate

    macOS/Linux:

    source venv/bin/activate

  3. Install dependencies (inside the virtual environment):

    pip install -r requirements.txt

  4. On Windows, run the installation script provided in the repository, which the README says installs dependencies and produces a clipboard-ready client configuration; on other platforms, make sure the Python entrypoint exists as described in the repository documentation. Run the script from the repository root if applicable:

    ./install.ps1   # Windows PowerShell

  5. Start the MCP server (example command): python -m ms_sentinel_mcp_server

  6. Authenticate to Azure (one-time): az login

  7. Configure your MCP client with the server details and the environment variables described in the mcp_config section.

Note: If you are using Azure CLI authentication, you may need to remove AZURE_CLIENT_ID and AZURE_CLIENT_SECRET from your MCP client config as recommended by the server's guidance.
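The steps above and the note about dropping the service-principal variables under CLI auth can be scripted together. The following is an added example, not code from the ms-sentinel-mcp-server project: it wraps the clone/venv/pip steps in one function and adds a small check that decides, from the environment, whether the MCP client should be registered with CLI auth (no AZURE_CLIENT_ID or AZURE_CLIENT_SECRET passed through) or with a complete service principal (id, tenant and secret all present), refusing the half-configured states in between. The repository URL, module name and variable names come from the page; the function names and the `invalid` result are this example's own.

```shell
#!/bin/sh
# Added example (not the project's own code): scripts the installation steps
# listed above and decides the authentication mode for the MCP client config.
set -eu

REPO_URL="https://github.com/dstreefkerk/ms-sentinel-mcp-server.git"
REPO_DIR="ms-sentinel-mcp-server"

# Steps 1-3: clone, create the virtual environment, install dependencies.
# Needs network access to GitHub and PyPI; nothing here talks to Sentinel.
sentinel_setup() {
  [ -d "$REPO_DIR" ] || git clone "$REPO_URL" "$REPO_DIR"
  cd "$REPO_DIR"
  [ -d venv ] || python -m venv venv
  # shellcheck disable=SC1091
  . venv/bin/activate
  pip install -r requirements.txt
}

# Pick the auth mode from the environment, following the page's guidance:
#   cli     -> Azure CLI login only; no client id or secret may be present
#   sp      -> service principal; client id, tenant id and secret all set
#   invalid -> anything in between (an id without a secret, a secret with no
#              tenant, or leftover credentials while CLI auth is intended)
sentinel_auth_mode() {
  id="${AZURE_CLIENT_ID:-}"
  secret="${AZURE_CLIENT_SECRET:-}"
  tenant="${AZURE_TENANT_ID:-}"
  if [ -z "$id" ] && [ -z "$secret" ]; then
    echo cli
  elif [ -n "$id" ] && [ -n "$secret" ] && [ -n "$tenant" ]; then
    echo sp
  else
    echo invalid
    return 1
  fi
}

# Build the --env arguments for `claude mcp add`, passing only what the chosen
# mode needs so a client secret is never written into the client configuration
# when CLI auth is in use. AZURE_SUBSCRIPTION_ID is optional in both modes.
sentinel_client_env_args() {
  mode=$(sentinel_auth_mode) || return 1
  args=""
  if [ "$mode" = sp ]; then
    args="--env AZURE_CLIENT_ID=$AZURE_CLIENT_ID --env AZURE_TENANT_ID=$AZURE_TENANT_ID --env AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET"
  fi
  if [ -n "${AZURE_SUBSCRIPTION_ID:-}" ]; then
    args="$args --env AZURE_SUBSCRIPTION_ID=$AZURE_SUBSCRIPTION_ID"
  fi
  echo "$args"
}

# Remaining steps, run by hand once the functions above are sourced:
#   sentinel_setup
#   az login                                  # one-time, when using CLI auth
#   claude mcp add --transport stdio $(sentinel_client_env_args) \
#       dstreefkerk-ms-sentinel-mcp-server python -m ms_sentinel_mcp_server
#   python -m ms_sentinel_mcp_server          # start the server
```

Because `sentinel_auth_mode` fails closed on a partial set of credentials, a client config that still carries a stale AZURE_CLIENT_ID after switching to `az login` is caught before registration rather than producing confusing authentication errors at query time.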

Additional notes

Tips and known considerations:

  • The server is read-only by design for testing environments; do not connect to production Sentinel instances.
  • When using Azure CLI authentication, you may omit explicit Azure AD credentials in the MCP client configuration; if you do provide them, ensure they correspond to a service principal with appropriate access.
  • Ensure the environment running the MCP server has network access to the target Sentinel workspace and the necessary permissions to read data.
  • If you encounter issues with KQL queries, use the provided sentinel_logs_search and sentinel_query_validate tools to test syntax locally with mock data.
  • For deployment in containers or orchestration, adapt the mcp_config to your deployment model (docker, uvx, etc.) and manage secrets securely using your environment’s secret store.
