Sentinel FAQs

Question 1

What is Sentinel?

Accepted Answer

Sentinel is a tool that provides read-only access to Microsoft Sentinel data. It allows you to query logs, view incidents, and explore resources, primarily for testing and integration with Large Language Models (LLMs).

Question 2

What are the key features of Sentinel?

Accepted Answer

Sentinel's features include executing and validating KQL queries, managing Log Analytics workspaces, listing and viewing security incident details, analyzing analytics rules by MITRE tactics, and performing domain/IP lookups.

Question 3

How do I install and use Sentinel?

Accepted Answer

The recommended installation method uses a PowerShell script. This script automates the environment setup, generates a Claude Desktop configuration file, and copies it to your clipboard for easy integration with MCP clients.

Question 4

Is Sentinel safe to use with production Microsoft Sentinel instances?

Accepted Answer

No. Sentinel is explicitly designed for TEST environments only. Connecting it to a production Sentinel instance can expose sensitive data to LLMs or unauthorized users.

Question 5

What is an MCP Server and how does Sentinel use it?

Accepted Answer

MCP (Model Context Protocol) Server provides a standardized interface for LLMs to interact with data sources. Sentinel uses an MCP Server to provide read-only access to Sentinel data for LLMs, enabling them to perform security analysis and testing.

Sentinel

About

Key Features

Use Cases