Microsoft Sentinel MCP Server Now Supports AI-Powered Threat Response Tools

New triage tools simplify security workflows in Sentinel MCP server.


Key Takeaways:

  • Microsoft launches public preview of triage collection in Sentinel MCP server.
  • AI models can now integrate with incident triage and threat-hunting APIs.
  • Feature aims to speed up threat detection and response workflows.

Microsoft has introduced support for the new triage collection in public preview in the Microsoft Sentinel Model Context Protocol (MCP) server. This new feature enables integration of AI models with security incident triage and hunting APIs to simplify and accelerate threat response workflows.

The Microsoft Sentinel Model Context Protocol (MCP) server is a framework that allows AI-powered tools and agents to securely interact with Microsoft Sentinel and related security services through standardized APIs. It acts as a bridge between AI models and security data, enabling automated workflows such as incident triage, threat hunting, and investigation without exposing sensitive credentials.

“The triage collection in the Microsoft Sentinel Model Context Protocol (MCP) server integrates your AI models with APIs that support incident triage and hunting. This integration lets you prioritize incidents quickly and hunt over your own data easily, reducing mean time to resolution, risk exposure, and dwell time,” Microsoft explained.

What are the key features of the triage tool collection?

According to Microsoft, the triage tool collection is designed to streamline two critical security operations into one integrated workflow. It enables incident triage, which allows analysts to quickly prioritize threats by leveraging AI to gather and analyze related incidents, alerts, evidence, and entities. This collection also supports proactive threat hunting, where security teams can run advanced queries using Kusto Query Language (KQL) to find hidden risks and suspicious activities across their data environment.

The triage tool collection provides a series of tools covering incident triage, threat hunting, and file/vulnerability analysis. Administrators can perform a variety of tasks using these tools to enhance security operations. For example, they can list the last five incidents and determine which one requires immediate attention, retrieve alerts for a specific incident to analyze its evidence, or run advanced hunting queries to identify which users interacted with a particular entity.
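As an added illustration (not code from the article, from Microsoft, or from the MCP server itself), the three tasks above written as the KQL a hunting tool would run against the Sentinel `SecurityIncident` and `SecurityAlert` tables and the Defender XDR `DeviceFileEvents` table; the incident number and file hash are constructed placeholders, and the tables are assumed to be ingested in the workspace.

```kql
// Three independent queries; run each numbered block on its own.

// 1. Last five open incidents, most recent first. SecurityIncident logs one
//    row per update, so collapse to the latest row per incident before ranking.
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status != "Closed"
| top 5 by LastModifiedTime desc
| project IncidentNumber, Title, Severity, Status,
          AssignedTo = tostring(Owner.assignedTo), LastModifiedTime

// 2. Alerts for one incident: expand its AlertIds array and join to
//    SecurityAlert so each alert's evidence (Entities) comes back with it.
let targetIncident = 12345;   // constructed placeholder, not a real incident
SecurityIncident
| where IncidentNumber == targetIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | project SystemAlertId, AlertName, AlertSeverity, ProviderName, Entities
  ) on $left.AlertId == $right.SystemAlertId
| project IncidentNumber, AlertName, AlertSeverity, ProviderName, Entities

// 3. Which users interacted with a particular entity, here a file hash:
//    every account whose process created, modified, renamed or deleted it.
let targetHash = "0000000000000000000000000000000000000000000000000000000000000000"; // placeholder
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 =~ targetHash
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Actions = make_set(ActionType), Devices = make_set(DeviceName)
    by InitiatingProcessAccountDomain, InitiatingProcessAccountName
| order by LastSeen desc
```

Query 3 only sees file activity reported by Defender for Endpoint; for identity or network entities the same shape applies over the matching Device* or Identity* table.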

Prerequisites

To use the triage tool collection, administrators will need a properly configured environment and compatible software. This includes having Microsoft Defender XDR, Defender for Endpoint, or Microsoft Sentinel connected to the Defender portal, along with a supported AI-enabled code editor or agent platform such as Visual Studio Code.

Microsoft notes that IT admins will need to ensure that the Sentinel MCP server interface is properly configured in their chosen client. Once it is set up, they can access the triage tool collection directly through its dedicated endpoint, listed on the Triage tool collection page.