mcp-sentinel-detection-engine

An MCP server exposing a Sigma → KQL → Microsoft Sentinel Terraform pipeline to Claude. Local stdio, certificate-based Azure auth, read-only by construction.

View on GitHub →

mcp-sentinel-detection-engine screenshot

Detection engineering as it’s practiced today is sigma-cli plus four context-switches: pick the right Log Analytics table, catch the column typo, smoke-test on live data, emit Terraform. This server collapses that loop into a Claude conversation. Every step is safe to expose to a model and auditable on stderr.

Companion to mcp-defender-xdr: hunt there, ship detections from here.

Why this matters

sigma-cli, pySigma, uncoder.io, and SigmaToARM already convert Sigma rules to KQL or ARM. None of them close the loop on the four things that actually take an analyst’s morning: choosing the right Log Analytics table for the rule, catching the column-name typo before it goes to production, smoke-testing the converted query against live data, and emitting Terraform that drops cleanly into an existing infra-as-code repo. The agent is the orchestrator; the server’s job is to make every step safe to expose to a model.

Key technical decisions

Threat model summary

Full threat model → github.com/MFisher14/mcp-sentinel-detection-engine/blob/main/THREAT_MODEL.md

Screenshots

README of mcp-sentinel-detection-engine showing the v0.1.0 alpha status callout, CI and pip-audit badges, table of contents, and a companion link to mcp-defender-xdr.

What’s next

Full v0.2 roadmap → github.com/MFisher14/mcp-sentinel-detection-engine/milestone/1

Threat model

Read-only by construction — only `https://api.loganalytics.io/.default` is requested; destructive KQL verbs (`.drop`, `.alter`, `.ingest`, `.purge`, …) are rejected before any HTTP call; row cap ≤ 10; 60 s server timeout. Auth is OAuth 2.0 client credentials with an X.509 certificate per Azure App Registration — the PFX private key never leaves the host, and MSAL caches tokens in memory per `(tenant, scope)` with a 60 s pre-expiry refresh. Multi-tenant fan-out uses N distinct MSAL apps; per-tenant results are labelled with the server-provided tenant key, never derived from upstream JSON. Prompt-injection-aware input validation strips control characters / zero-width / RTL overrides at the validation boundary before pySigma sees the payload. Terraform emission only — `terraform apply` is a human-gated step in a separate write-credentialed pipeline kept off the LLM-facing host.