diff --git a/partners/servers/microsoft-sentinel-triagev2-mcp-server.json b/partners/servers/microsoft-sentinel-triagev2-mcp-server.json
new file mode 100644
index 0000000..5d4e448
--- /dev/null
+++ b/partners/servers/microsoft-sentinel-triagev2-mcp-server.json
@@ -0,0 +1,61 @@
+{
+ "name": "ms-sentinel-triagev2",
+ "title": "Microsoft Sentinel Triage",
+ "summary": "Triage tools that expose Defender for Endpoint and Graph Security APIs for investigation and threat hunting.",
+ "description": "The Triage tool collection in the Microsoft Sentinel MCP server provides security analysts and AI agents with direct access to Microsoft Defender for Endpoint and Microsoft Graph Security APIs for incident triage, investigation, and threat hunting. Retrieve machine details, file intelligence, IP reputation, user-related alerts, vulnerability data, investigation status, remediation activities, threat indicators, and run advanced hunting queries — all from a single managed MCP endpoint. Learn more: https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool",
+ "vendor": "Microsoft",
+ "kind": "mcp",
+ "remote": "https://sentinel.microsoft.com/mcp/triagev2",
+ "icon": "https://cdn.jsdelivr.net/gh/Azure/MCP/community/registry/icons/Sentinel.svg",
+ "externalDocumentation": {
+ "title": "Microsoft Sentinel Triage documentation",
+ "url": "https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool"
+ },
+ "license": {
+ "name": "Microsoft License",
+ "url": "https://www.microsoft.com/licensing/terms/welcome/welcomepage"
+ },
+ "useCases": [
+ {
+ "name": "Machine Triage",
+ "description": "Build security agents that retrieve device metadata—OS version, health status, risk score, exposure level, logged-on users, and open alerts—for any machine involved in an incident, enabling rapid scoping without leaving the investigation workflow."
+ },
+ {
+ "name": "File Intelligence Lookup",
+ "description": "Build security agents that look up file hashes to retrieve file reputation, related alerts, global prevalence statistics, and the list of machines where the file was observed, accelerating malware triage and blast-radius assessment."
+ },
+ {
+ "name": "Incident and Alert Investigation",
+ "description": "Build security agents that fetch full incident and alert details from Microsoft Graph Security—including severity, status, assigned analyst, and linked entities—and correlate them with raw Defender telemetry to reconstruct attack timelines."
+ },
+ {
+ "name": "Advanced Threat Hunting",
+ "description": "Build security agents that execute KQL hunting queries via the Microsoft Graph runHuntingQuery API to proactively search across endpoint telemetry for IOCs, suspicious behaviors, or lateral movement patterns beyond what surfaced alerts describe."
+ },
+ {
+ "name": "Vulnerability and Remediation Tracking",
+ "description": "Build security agents that enumerate CVEs affecting specific machines, list machines exposed to a given vulnerability, and check the status of active remediation tasks—supporting prioritized patch-management decisions during triage."
+ }
+ ],
+ "categories": "Security",
+ "tags": ["security", "sentinel", "defender", "triage", "mde", "incident-response", "threat-hunting"],
+ "supportContactInfo": {
+ "name": "Microsoft Customer Support",
+ "email": "support@microsoft.com"
+ },
+ "versionName": "original",
+ "securitySchemes": {
+ "sentinelTriageOAuth": {
+ "type": "oauth2",
+ "description": "Authenticate with Microsoft Sentinel using OAuth2 authorization code flow with PKCE support.",
+ "flows": ["authorizationCode"],
+ "authorizationUrl": "https://login.microsoftonline.com",
+ "tokenUrl": "https://login.microsoftonline.com",
+ "scopes": ["4500ebfb-89b6-4b14-a480-7f749797bfcd"]
+ }
+ },
+ "visibility": "true",
+ "authSchemas": ["OAuth2", "AgentIdentity"],
+ "audience": "4500ebfb-89b6-4b14-a480-7f749797bfcd",
+ "customProperties": { "x-ms-preview": true }
+}
\ No newline at end of file
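Review bot: `authorizationUrl` and `tokenUrl` under `securitySchemes.sentinelTriageOAuth` are the same bare host, `https://login.microsoftonline.com`, with no authorize or token path, so a client that uses them literally for the authorization-code flow has no valid endpoint to send the user to or to exchange the code at; unless the registry resolves the tenant and path itself, they should be the two distinct endpoints, e.g. `"authorizationUrl": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize"` and `"tokenUrl": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token"` with `<tenant>` filled in. The single `scopes` entry is the same bare application id as `audience` with no permission suffix, which is unlikely to be a resolvable scope if passed through unchanged, and repeating the id in two fields invites drift, so either derive one from the other or document why both are required. `"visibility": "true"` is a string while `"x-ms-preview": true` in the same file is a boolean; if the registry schema accepts a boolean here, `"visibility": true` keeps the types consistent. The scheme description claims PKCE support but nothing in the scheme declares it, and the file is missing its trailing newline.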