October 19, 2025
Analyst Report
Sentinel Enables AI Agents with MCP Server Preview
A new MCP server is available for Microsoft Sentinel, the company’s SIEM, supporting natural language queries.
The Sentinel MCP server provides a standard for AI tools to connect to Sentinel’s data lake—which includes Defender XDR and Purview data.
Developers, AI tools, and agents can query Sentinel data using MCP to help security analysts use Sentinel’s data lake to resolve issues.
A new model context protocol (MCP) server is available in public preview for Sentinel, Microsoft’s security information and event management (SIEM) cloud service. The Sentinel MCP server requires no additional configuration or deployment and could prove helpful for internal and third-party developers who build AI agents to help security analysts resolve security issues more rapidly, using natural language via large language models (LLMs).
MCP is a relatively new open standard that lets AI systems interconnect with external systems and data. The Sentinel MCP server uses Entra ID to authenticate client connections to the Sentinel data lake and currently offers a limited set of tools for LLMs to access. However, the set of available tools is likely to expand before the Sentinel MCP server’s general availability, which is expected in early 2026.