From 8ad86bad8934f1630c8ffbeb9319e4b4360ed1b7 Mon Sep 17 00:00:00 2001
From: gbarroutlook
Date: Wed, 13 May 2026 17:12:16 -0700
Subject: [PATCH 1/2] Add Microsoft Sentinel Triage v2 MCP server
---
 ...icrosoft-sentinel-triagev2-mcp-server.json | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 partners/servers/microsoft-sentinel-triagev2-mcp-server.json
diff --git a/partners/servers/microsoft-sentinel-triagev2-mcp-server.json b/partners/servers/microsoft-sentinel-triagev2-mcp-server.json
new file mode 100644
index 0000000..17db400
--- /dev/null
+++ b/partners/servers/microsoft-sentinel-triagev2-mcp-server.json
@@ -0,0 +1,61 @@
+{
+ "name": "ms-sentinel-triagev2",
+ "title": "Microsoft Sentinel Triage",
+ "summary": "The Triage tool collection in the Microsoft Sentinel MCP server provides security analysts and AI agents with direct access to Microsoft Defender for Endpoint and Microsoft Graph Security APIs for incident triage, investigation, and threat hunting.",
+ "description": "The Triage tool collection in the Microsoft Sentinel MCP server provides security analysts and AI agents with direct access to Microsoft Defender for Endpoint and Microsoft Graph Security APIs for incident triage, investigation, and threat hunting. Retrieve machine details, file intelligence, IP reputation, user-related alerts, vulnerability data, investigation status, remediation activities, threat indicators, and run advanced hunting queries — all from a single managed MCP endpoint. Learn more: https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool",
+ "vendor": "Microsoft",
+ "kind": "mcp",
+ "remote": "https://sentinel.microsoft.com/mcp/triagev2",
+ "icon": "https://cdn.jsdelivr.net/gh/Azure/MCP/community/registry/icons/Sentinel.svg",
+ "externalDocumentation": {
+ "title": "Microsoft Sentinel Triage documentation",
+ "url": "https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool"
+ },
+ "license": {
+ "name": "Microsoft License",
+ "url": "https://www.microsoft.com/licensing/terms/welcome/welcomepage"
+ },
+ "useCases": [
+ {
+ "name": "Machine Triage",
+ "description": "Build security agents that retrieve device metadata—OS version, health status, risk score, exposure level, logged-on users, and open alerts—for any machine involved in an incident, enabling rapid scoping without leaving the investigation workflow."
+ },
+ {
+ "name": "File Intelligence Lookup",
+ "description": "Build security agents that look up file hashes to retrieve file reputation, related alerts, global prevalence statistics, and the list of machines where the file was observed, accelerating malware triage and blast-radius assessment."
+ },
+ {
+ "name": "Incident and Alert Investigation",
+ "description": "Build security agents that fetch full incident and alert details from Microsoft Graph Security—including severity, status, assigned analyst, and linked entities—and correlate them with raw Defender telemetry to reconstruct attack timelines."
+ },
+ {
+ "name": "Advanced Threat Hunting",
+ "description": "Build security agents that execute KQL hunting queries via the Microsoft Graph runHuntingQuery API to proactively search across endpoint telemetry for IOCs, suspicious behaviors, or lateral movement patterns beyond what surfaced alerts describe."
+ },
+ {
+ "name": "Vulnerability and Remediation Tracking",
+ "description": "Build security agents that enumerate CVEs affecting specific machines, list machines exposed to a given vulnerability, and check the status of active remediation tasks—supporting prioritized patch-management decisions during triage."
+ }
+ ],
+ "categories": "Security",
+ "tags": ["security", "sentinel", "defender", "triage", "mde", "incident-response", "threat-hunting"],
+ "supportContactInfo": {
+ "name": "Microsoft Customer Support",
+ "email": "support@microsoft.com"
+ },
+ "versionName": "original",
+ "securitySchemes": {
+ "sentinelTriageOAuth": {
+ "type": "oauth2",
+ "description": "Authenticate with Microsoft Sentinel using OAuth2 authorization code flow with PKCE support.",
+ "flows": ["authorizationCode"],
+ "authorizationUrl": "https://login.microsoftonline.com",
+ "tokenUrl": "https://login.microsoftonline.com",
+ "scopes": ["4500ebfb-89b6-4b14-a480-7f749797bfcd"]
+ }
+ },
+ "visibility": "true",
+ "authSchemas": ["OAuth2", "AgentIdentity"],
+ "audience": "4500ebfb-89b6-4b14-a480-7f749797bfcd",
+ "customProperties": { "x-ms-preview": true }
+}
\ No newline at end of file
From 8eaa42d0543befba405b22d5b02842588ec00224 Mon Sep 17 00:00:00 2001
From: gbarroutlook
Date: Mon, 18 May 2026 13:44:54 -0700
Subject: [PATCH 2/2] Correct json error
---
 partners/servers/microsoft-sentinel-triagev2-mcp-server.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/partners/servers/microsoft-sentinel-triagev2-mcp-server.json b/partners/servers/microsoft-sentinel-triagev2-mcp-server.json
index 17db400..5d4e448 100644
--- a/partners/servers/microsoft-sentinel-triagev2-mcp-server.json
+++ b/partners/servers/microsoft-sentinel-triagev2-mcp-server.json
@@ -1,7 +1,7 @@
 {
 "name": "ms-sentinel-triagev2",
 "title": "Microsoft Sentinel Triage",
- "summary": "The Triage tool collection in the Microsoft Sentinel MCP server provides security analysts and AI agents with direct access to Microsoft Defender for Endpoint and Microsoft Graph Security APIs for incident triage, investigation, and threat hunting.",
+ "summary": "Triage tools that expose Defender for Endpoint and Graph Security APIs for investigation and threat hunting.",
 "description": "The Triage tool collection in the Microsoft Sentinel MCP server provides security analysts and AI agents with direct access to Microsoft Defender for Endpoint and Microsoft Graph Security APIs for incident triage, investigation, and threat hunting. Retrieve machine details, file intelligence, IP reputation, user-related alerts, vulnerability data, investigation status, remediation activities, threat indicators, and run advanced hunting queries — all from a single managed MCP endpoint. Learn more: https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool",
 "vendor": "Microsoft",
 "kind": "mcp",
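Review bot: The new `"summary"` line drops the product naming that `title` and `description` use — it says "Defender for Endpoint" and "Graph Security" where the description two lines down says "Microsoft Defender for Endpoint" and "Microsoft Graph Security", and it no longer names Microsoft Sentinel at all, so a registry listing would show a summary that does not match its own title. Something like `"summary": "Microsoft Sentinel triage tools that expose Microsoft Defender for Endpoint and Microsoft Graph Security APIs for incident investigation and threat hunting."` keeps the naming consistent while staying short. The subject says this corrects a JSON error, but the hunk only shortens the summary text; if the failure was a schema constraint such as a length limit rather than a syntax error, stating that in the description would help the next reader. The missing trailing newline introduced by the previous patch is outside this hunk and remains unaddressed.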