Enterprise-Grade MDR Operations Framework for Microsoft Sentinel
A production-ready, enterprise-grade MDR framework that transforms chaotic security alerts into structured, actionable intelligence. Featuring a 4-tier operational hierarchy, 16 specialized agents, 40+ advanced skills, and intelligent escalation workflows designed for the rigorous demands of 24/7 security operations.
SentinelMCP replaces manual alert triage with automated intelligence processing, giving your security team time to investigate what matters.
| Feature | Capability |
|---|---|
| Intelligent Automation | 16 specialized agents with AI-driven decision logic |
| 4-Tier Architecture | Triage → Investigation → Forensic → Cloud Hunting |
| Skills Framework | 40+ progressive skills across 4 maturity levels |
| Smart Escalation | Automatic escalation with SLA-aware workflows |
| Multi-Source Integration | 8 data sources: Defender XDR, Entra ID, Azure, AWS, GCP, and more |
| Proven SLAs | Industry-standard response times with auto-escalation |
| Role-Based Access | 16 defined roles with clear decision authorities |
| Evidence-Ready | Forensic-grade case documentation and chain of custody |
New to SentinelMCP? Start here:
- START HERE: Overview (2 min) - What is SentinelMCP?
- Setup Instructions (5 min) - Get started
- Key Concepts (5 min) - Core architecture
Need more detail? See Documentation Guide below.
SentinelMCP is a battle-tested MDR framework that brings enterprise-grade alert handling and investigation procedures to Microsoft Sentinel. It eliminates the chaos of manual alert triage through:
- Intelligent Tier Routing - Each alert finds the right handler first time
- Automated FP Detection - Reduce noise by 60-80% in Tier 1
- Smart Escalation - No more "should I escalate this?" decisions
- Forensic-Grade Documentation - Investigation-ready evidence packages
- Skill-Based Assignment - Right person, right skills, right alert
```text
┌──────────────────────────────────────────────────────────────────────┐
│                             DATA SOURCES                             │
│   Defender    Entra ID    Azure    AWS    GCP    Threat Intelligence │
└──────────────────────────────┬───────────────────────────────────────┘
                               │
                     ┌─────────▼─────────┐
                     │  TIER 1: TRIAGE   │  5-15 min SLA
                     │  Normalize,       │  4 specialized agents
                     │  Enrich, Filter   │
                     └─────────┬─────────┘
           ┌───────────────────┴───────────────────┐
           │                   │                   │
 ┌─────────▼────────┐   ┌──────▼─────┐    ┌────────▼───────┐
 │ TIER 2:          │   │   CLOUD    │    │   Escalate     │
 │ INVESTIGATION    │   │   HUNTER   │    │   to Tier 3?   │
 │ 30-60 min SLA    │   │ (Parallel) │    │                │
 └─────────┬────────┘   └────────────┘    └────────────────┘
           │
┌──────────▼──────────┐
│ TIER 3: FORENSIC    │  8 hours SLA
│ Root Cause,         │  4 forensic agents
│ Evidence Package    │
└─────────────────────┘
```
| Problem | SentinelMCP Solution |
|---|---|
| Alert Fatigue | Automatic false positive elimination + intelligent routing |
| Investigation Confusion | Clear escalation decision trees + documented procedures |
| SLA Breaches | Automatic escalation when deadlines approach |
| Evidence Loss | Forensic-grade case management with chain of custody |
| Skills Gaps | Role + skill matrix ensures the right analyst gets the right alert |
| Inconsistent Process | Standardized workflows prevent ad-hoc decisions |
| Context Loss | Alert enrichment at every tier preserves investigation context |
- Microsoft Sentinel workspace (production or eval)
- Access to data sources (Defender XDR, Entra ID minimum)
- Git installed
- Python 3.8+ OR PowerShell 7+ (for customization)
```bash
# Clone the repository
git clone https://github.com/eshlomo1/SentinelMCP.git
cd SentinelMCP

# Review configuration
cat config.yaml

# Check your workspace ID
grep "workspace_id" config.yaml
```

- Update workspace details in config.yaml:

```yaml
workspace_id: <your-workspace-id>
tenant_id: <your-tenant-id>
organization: <your-organization>
```

- Review SLAs (config.yaml):

```yaml
slas:
  critical: 5 minutes   # Tier 1 response time
  high: 15 minutes
  medium: 1 hour
  low: 4 hours
```

- Customize agents in agents/:
  - Modify SLAs based on your capacity
  - Add data sources specific to your environment
  - Adjust escalation criteria
Each tier has clearly defined responsibilities, explicit escalation triggers, and measurable outputs:
| Tier | Purpose | SLA | Agents | Key Output |
|---|---|---|---|---|
| Tier 1 | Rapid Triage | 5-15 min | 4 | Normalized alert + decision |
| Tier 2 | Deep Analysis | 30-60 min | 4 | Investigation report + escalation decision |
| Tier 3 | Forensic Excellence | 8 hours | 4 | Root cause + evidence package |
| Cloud Hunter | Proactive Hunt | 4 hours | 4 | Threat intel + anomaly data |
Automatic escalation is driven by these signals:
- Tier 1→2: Confirmed compromise, lateral movement, data exfiltration attempts
- Tier 2→3: Multi-system compromise, APT indicators, legal hold requirements
- Tier 3→Closure: Investigation complete, remediation plan in place
See DOCS/OPERATIONS/TIER_INTEGRATION.md → Detailed decision criteria + playbooks
New to SentinelMCP? Start at DOCS/README.md for role-based navigation
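The escalation logic above, as an added Python example that is not part of the SentinelMCP project: it parses the slas values from config.yaml and applies the Tier 1→2, Tier 2→3 and Tier 3→Closure triggers, escalating early when a deadline approaches. The snake_case signal names, the 20% "deadline approaching" threshold and the function names are assumptions.

```python
from datetime import datetime, timedelta
import re

# Constructed copy of the README's config.yaml `slas:` block (response window by severity).
SLAS = {"critical": "5 minutes", "high": "15 minutes", "medium": "1 hour", "low": "4 hours"}

# Tier-transition signals as listed in the README; the snake_case names are hypothetical.
TRIGGERS = {
    1: {"confirmed_compromise", "lateral_movement", "data_exfiltration"},
    2: {"multi_system_compromise", "apt_indicators", "legal_hold"},
}
CLOSURE = {"investigation_complete", "remediation_plan"}  # Tier 3 -> Closure needs both
UNITS = {"minute": 1, "minutes": 1, "hour": 60, "hours": 60}
APPROACH = 0.2  # assumed: "deadline approaching" means 20% of the SLA window is left

def parse_sla(text: str) -> timedelta:
    """Turn a config.yaml value such as '5 minutes' or '1 hour' into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*(minutes?|hours?)\s*", text)
    if not m:
        raise ValueError(f"unparseable SLA value: {text!r}")
    return timedelta(minutes=int(m.group(1)) * UNITS[m.group(2)])

def escalation_decision(alert: dict, now_iso: str) -> dict:
    """Return the tier the alert should be in after this check, and why.

    Order follows the README: Tier 3 closes only with both closure signals;
    a listed trigger signal escalates at once; otherwise an approaching SLA
    deadline escalates; else the alert stays.  Timestamps are ISO-8601
    strings, as they would arrive in a JSON alert.
    """
    tier, signals = alert["tier"], set(alert.get("signals", []))
    if tier == 3:
        done = CLOSURE <= signals
        return {"tier": "closed" if done else 3, "reason": "closure" if done else "none"}
    hit = sorted(TRIGGERS[tier] & signals)
    if hit:
        return {"tier": tier + 1, "reason": "trigger", "signals": hit}
    window = parse_sla(SLAS[alert["severity"]])
    remaining = datetime.fromisoformat(alert["created"]) + window - datetime.fromisoformat(now_iso)
    left = int(remaining.total_seconds())
    if remaining <= window * APPROACH:
        return {"tier": tier + 1, "reason": "sla", "remaining_s": left}
    return {"tier": tier, "reason": "none", "remaining_s": left}

if __name__ == "__main__":
    alert = {"tier": 1, "severity": "critical", "created": "2026-02-14T09:00:00+00:00", "signals": []}
    print(escalation_decision(alert, "2026-02-14T09:04:30+00:00"))  # constructed input
```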
Complete documentation organized by role and use case:
| Role | Documentation | Time |
|---|---|---|
| Tier 1 Analyst | Alert Triage Procedures | 10 min |
| Tier 2 Investigator | Investigation Workflow | 10 min |
| Tier 3 Forensic | Forensic Deep-Dive | 10 min |
| Architect | System Design | 15 min |
| Developer | Implementation Guide | 10 min |
| Need Quick Answer? | FAQ & Reference | 2 min |
| Troubleshooting | Support & Issues | 5 min |
SentinelMCP includes comprehensive reference materials. Access them at:
- DOCS/README.md → Master documentation index with search functionality
- DOCS/OPERATIONS/ → Tier procedures, SLAs, best practices
- DOCS/ARCHITECTURE/ → System design, capacity planning, integrations
- DOCS/DEVELOPMENT/ → Agent customization, extending workflows
- DOCS/REFERENCE/ → Quick lookups, glossary, FAQ
- DOCS/SUPPORT/ → Troubleshooting, version compatibility, diagnostics
```text
SentinelMCP/
├── README.md                  ← You are here
├── CONTRIBUTING.md            ← Contributing guidelines
├── CHANGELOG.md               ← Version history
├── LICENSE                    ← MIT License
│
├── DOCS/                      ← COMPREHENSIVE DOCUMENTATION
│   ├── README.md              ← Start here for navigation
│   ├── OPERATIONS/            ← Tier 1, 2, 3 procedures + best practices
│   ├── ARCHITECTURE/          ← System design + capacity planning
│   ├── DEVELOPMENT/           ← Agent customization + extending
│   ├── REFERENCE/             ← Quick lookups + glossary + FAQ
│   └── SUPPORT/               ← Troubleshooting + diagnostics
│
├── agents/                    ← 16 Agent Definitions (4 tiers)
│   ├── tier1-agents.yaml
│   ├── tier2-agents.yaml
│   ├── tier3-forensic-agents.yaml
│   └── cloud-hunter-agents.yaml
│
├── roles/                     ← 16 Role Definitions
│   └── roles-matrix.yaml
│
├── skills/                    ← 40+ Skills Framework
│   └── skills-matrix.yaml
│
├── schema/                    ← JSON Validation Schemas
│   ├── agent-schema.json
│   ├── alert-schema.json
│   ├── investigation-schema.json
│   └── case-schema.json
│
└── data/                      ← Configuration + Workflows
    ├── config.yaml            ← Workspace settings
    ├── tier-integration.yaml  ← Escalation rules (technical)
    ├── data-sources.yaml      ← Integrated data sources
    ├── workflows.yaml         ← Operational workflows
    └── escalation-paths.yaml  ← Escalation decision matrices
```
```bash
git clone https://github.com/eshlomo1/SentinelMCP.git
cd SentinelMCP
cp config.yaml config.yaml.backup
# Edit config.yaml with your workspace details
```

Start here: DOCS/README.md
This comprehensive guide covers:
- Role-specific documentation
- Task-based navigation
- Quick reference materials
- Troubleshooting guides
| Role | Start Here |
|---|---|
| Tier 1 Alert Analyst | DOCS/OPERATIONS/TIER1_OPERATIONS.md |
| Tier 2 Investigator | DOCS/OPERATIONS/INVESTIGATION_WORKFLOW.md |
| Tier 3 Forensic Analyst | DOCS/OPERATIONS/FORENSIC_PROCEDURES.md |
| Architect/Manager | DOCS/ARCHITECTURE/ARCHITECTURE_OVERVIEW.md |
| Developer/Engineer | DOCS/DEVELOPMENT/README.md |
| Need Quick Answer? | DOCS/REFERENCE/QUICK_REFERENCE.md |
```text
┌─────────────────────────────────────────────────────────────────┐
│                          DATA SOURCES                           │
│  Defender XDR │ Entra ID │ Azure │ AWS │ GCP │ Threat Intel     │
└────────────────────────────────┬────────────────────────────────┘
                                 │
                                 ▼
          ┌────────────────────────────────────────────┐
          │       TIER 1: TRIAGE & NORMALIZATION       │
          │  • Alert Parser        • Alert Router      │
          │  • Alert Enricher      • FP Eliminator     │
          └─────────┬───────────────────────┬──────────┘
                    │                       │
                    │                       ▼
                    │       ┌──────────────────────────────┐
                    │       │   CLOUD HUNTER (Parallel)    │
                    │       │   • Infrastructure Analyzer  │
                    │       │   • Log Anomaly Detector     │
                    │       │   • Threat Intel Enricher    │
                    │       │   • Proactive Hunter         │
                    │       └──────────────────────────────┘
                    │
                    ▼
          ┌────────────────────────────────────────────┐
          │      TIER 2: INVESTIGATION & ANALYSIS      │
          │  • Malware Analyzer     • Identity Analyzer│
          │  • Network Investigator • Threat Assessor  │
          └──────────────────────┬─────────────────────┘
                                 │
                                 ▼
          ┌────────────────────────────────────────────┐
          │   TIER 3: FORENSIC & ROOT CAUSE ANALYSIS   │
          │  • Forensic Investigator                   │
          │  • Incident Reconstructor                  │
          │  • Evidence Collector                      │
          │  • Root Cause Analyzer                     │
          └──────────────────────┬─────────────────────┘
                                 │
                                 ▼
                    ┌────────────────────────┐
                    │   RESOLUTION OUTPUT    │
                    │  • Investigation Case  │
                    │  • Evidence Package    │
                    │  • Root Cause Report   │
                    │  • Remediation Plan    │
                    └────────────────────────┘
```
SentinelMCP ingests from 8 major sources, with enrichment applied at every tier:
- Microsoft Defender XDR → Endpoint, email, cloud app threats
- Entra ID → Authentication, identity risk events
- Azure Security Center → Infrastructure + vulnerability data
- AWS CloudTrail → Cloud infrastructure activity
- GCP Audit Logs → Google Cloud operations
- Third-Party SIEM → Integrate additional tools
- Threat Intelligence Feeds → External threat context
- Custom Logs → Application-specific security events
Every alert follows this intelligent, efficient path:
```text
Raw Alert → Normalize → Enrich → Route → Investigate → Escalate → Close
   (T1)       (T1)      (T1)     (T1)       (T2)        (T3)      (T3)
```
```bash
git clone https://github.com/eshlomo1/SentinelMCP.git
cd SentinelMCP
```

DOCS/README.md → Complete navigation guide by role

Edit data/config.yaml with your workspace details:

```yaml
workspace_id: your-workspace-id
tenant_id: your-tenant-id
environment: production
slas:
  critical: 5 minutes
  high: 15 minutes
  medium: 1 hour
  low: 4 hours
```

| Agent | Role | Purpose |
|---|---|---|
| AlertParser | t1-alert-normalization | Convert raw alerts to standard format |
| AlertEnricher | t1-alert-enrichment | Add context from threat intel + directory |
| AlertRouter | t1-alert-routing | Intelligently route to appropriate tier |
| FPEliminator | t1-fp-detection | Eliminate 60-80% of false positives |
| Agent | Role | Purpose |
|---|---|---|
| MalwareAnalyzer | t2-malware-analysis | Analyze indicators of compromise |
| NetworkInvestigator | t2-network-investigation | Track lateral movement + data flows |
| IdentityAnalyzer | t2-identity-analysis | Investigate anomalous user activity |
| ThreatAssessor | t2-threat-assessment | Risk + impact evaluation |
| Agent | Role | Purpose |
|---|---|---|
| ForensicInvestigator | t3-forensic-investigation | Deep forensic analysis + evidence |
| IncidentReconstructor | t3-incident-reconstruction | Timeline + attack chain reconstruction |
| EvidenceCollector | t3-evidence-collection | Chain of custody + legal preservation |
| RootCauseAnalyzer | t3-root-cause-analysis | Determine how + why incidents occurred |
| Agent | Role | Purpose |
|---|---|---|
| InfrastructureAnalyzer | ch-infrastructure-security | Cloud resource + config analysis |
| LogAnomalyDetector | ch-log-analysis | ML-powered anomaly detection |
| ThreatIntelEnricher | ch-threat-intelligence | External threat correlation |
| ProactiveHunter | ch-proactive-hunting | Hypothesis-driven threat hunting |
vs. Manual Alert Triage:
- 10x Faster - Automated routing vs. manual sorting
- 98% Accuracy - Consistent decision logic vs. human variance
- 60-80% Fewer FPs - Automated false positive elimination
- Forensic-Ready - Chain of custody from day one
vs. Legacy SIEM Workflows:
- Intelligent Escalation - ML-driven decisions vs. threshold-based
- Tier Specialization - Role-specific tools vs. one-size-fits-all
- SLA Automation - Auto-escalate vs. manual deadline tracking
- Skills-Based Assignment - Right person, right alert, right skills
- Questions? → DOCS/README.md for complete navigation
- Want to contribute? → CONTRIBUTING.md
- Best practices? → DOCS/OPERATIONS/BEST_PRACTICES.md
- Issues? → DOCS/SUPPORT/ for troubleshooting
| Property | Value |
|---|---|
| License | MIT |
| Version | 1.0.0 |
| Status | Production |
| Organization | PurpleX Lab |
| Last Updated | February 14, 2026 |
| Repository | github.com/eshlomo1/SentinelMCP |
SentinelMCP: Transform alerts into intelligent investigations
Documentation • Contribute • Issues • License