| name | mcp-usage-monitoring |
| description | Use this skill when asked to monitor, audit, or analyze MCP (Model Context Protocol) server usage in the environment. Triggers on keywords like "MCP usage", "MCP server monitoring", "MCP activity", "Graph MCP", "Sentinel MCP", "Azure MCP", "MCP audit", "tool usage monitoring", "MCP breakdown", "who is using MCP", or when investigating MCP user activity, Graph API calls from MCP servers, or workspace query governance. This skill provides comprehensive MCP server telemetry analysis across Graph MCP, Sentinel MCP, and Azure MCP servers including usage trends, endpoint access patterns, user attribution, cross-server user analysis, sensitive API detection, workspace query governance, and security risk assessment with inline and markdown file reporting. |
| threat_pulse_domains | ["admin"] |
| drill_down_prompt | Run MCP usage monitoring report — Graph/Sentinel/Azure MCP activity, user attribution |
MCP Server Usage Monitoring — Instructions
Purpose
This skill monitors and audits Model Context Protocol (MCP) server usage across your Microsoft Sentinel and Defender XDR environment. MCP servers are AI-powered tools that enable language models to interact with Microsoft security services — and like any privileged access channel, they require monitoring.
What this skill tracks:
| MCP Server | Telemetry Source | Key Identifier |
|---|
| Microsoft Graph MCP Server | MicrosoftGraphActivityLogs | AppId = e8c77dc2-69b3-43f4-bc51-3213c9d915b4 |
| Sentinel Data Lake MCP | CloudAppEvents | RecordType 403, Interface = IMcpToolTemplate |
| Sentinel Triage MCP | MicrosoftGraphActivityLogs + SigninLogs | AppId = 7b7b3966-1961-47b5-b080-43ca5482e21c ("Microsoft Defender Mcp") — dedicated AppId with full user attribution via delegated cert auth |
| Azure MCP Server | AzureActivity | No dedicated AppId — uses DefaultAzureCredential |
| Sentinel Data Lake — Direct KQL | CloudAppEvents | RecordType 379, Operation = KQLQueryCompleted |
| Workspace Query Sources (Analytics Tier) | LAQueryLogs | All clients querying Log Analytics workspace |
What this skill detects:
- Graph API call volume, trends, and endpoint diversity via MCP
- Sensitive/high-risk Graph endpoint access (PIM, credentials, Identity Protection)
- Sentinel workspace query patterns by client application
- User vs. Service Principal attribution across all MCP channels
- Cross-server user analysis — identifies users with broadest MCP footprint (multiple server types, highest call volume)
- Azure ARM operations potentially originating from Azure MCP Server
- Non-MCP platform query sources for governance context (Sentinel Engine, Logic Apps)
- Sentinel Data Lake MCP tool usage — tool call breakdown (
query_lake, list_sentinel_workspaces, search_tables, etc.), success/failure rates, execution duration, tables accessed via CloudAppEvents (Purview unified audit)
- MCP-driven vs Direct KQL delineation — distinguishes Data Lake queries initiated via MCP tools (RecordType 403, Interface
IMcpToolTemplate) from direct KQL queries (RecordType 379) and Analytics tier queries (LAQueryLogs)
- Anomalous access patterns: new users, new endpoints, volume spikes, error surges
- MCP server usage as a proportion of total workspace activity
Extended landscape awareness: Beyond these four actively monitored MCP servers, Microsoft's MCP ecosystem includes 30+ additional servers (Copilot Studio built-in catalog, Power BI, Fabric RTI, Playwright, Security Copilot Agent Creation, and more). See Extended Microsoft MCP Server Landscape for the full catalog, telemetry surfaces, and monitoring expansion priorities.
📑 TABLE OF CONTENTS
- Critical Workflow Rules - Start here!
- Extended MCP Server Landscape - Full Microsoft MCP ecosystem catalog
- Output Modes - Inline chat vs. Markdown file
- Scalability & Token Management - Guidance for large environments
- Quick Start - 10-step investigation pattern
- MCP Usage Score Formula - Composite health & risk scoring
- Execution Workflow - Complete 7-phase process
- Sample KQL Queries - Validated query patterns
- Report Template - Output format specification
- Proactive Alerting — KQL Data Lake Jobs - Scheduled anomaly detection
- Known Pitfalls - Edge cases and false positives
- Error Handling - Troubleshooting guide
- SVG Dashboard Generation - Visual dashboard from completed report
⚠️ CRITICAL WORKFLOW RULES - READ FIRST ⚠️
Before starting ANY MCP usage monitoring analysis:
- ALWAYS enforce Sentinel workspace selection (see Workspace Selection section below)
- ALWAYS ask the user for output mode if not specified: inline chat summary or markdown file report (or both)
- ALWAYS ask the user for time range if not specified: default to 30 days, configurable
- ALWAYS query all MCP telemetry surfaces — do not skip any MCP server type
- ALWAYS include non-MCP workspace context (Sentinel Engine, Logic Apps) for governance proportion analysis
- ALWAYS run independent queries in parallel for performance
- ALWAYS attribute activity to specific users — never present anonymous aggregates
- NEVER conflate non-MCP platform activity with MCP activity — clearly label categories
- ALWAYS execute pre-authored queries from Sample KQL Queries EXACTLY as written — substitute only the time range parameter (e.g.,
ago(30d) → ago(90d)). These queries encode mitigations for schema pitfalls documented in Known Pitfalls. Writing equivalent queries from scratch is ❌ PROHIBITED
Known AppIds Reference
MCP Servers & AI Agents
| AppId | Service | Telemetry Table | Notes |
|---|
e8c77dc2-69b3-43f4-bc51-3213c9d915b4 | Microsoft Graph MCP Server for Enterprise | MicrosoftGraphActivityLogs | Read-only Graph API proxy |
7b7b3966-1961-47b5-b080-43ca5482e21c | Sentinel Triage MCP ("Microsoft Defender Mcp") | MicrosoftGraphActivityLogs, SigninLogs, AADNonInteractiveUserSignInLogs | Microsoft first-party AppId, same across all tenants. Dedicated AppId — visible in MicrosoftGraphActivityLogs (API calls to /security/* endpoints) and SigninLogs/AADNonInteractiveUserSignInLogs (AppDisplayName = "Microsoft Defender Mcp"). Delegated auth with certificate (ClientAuthMethod=2), full user attribution. Scopes: SecurityAlert.Read.All, SecurityIncident.Read.All, ThreatHunting.Read.All. Target resources: Microsoft Graph, WindowsDefenderATP. No local SPN — display name only visible in SigninLogs. 🔴 Confirmed Feb 2026: Empirical telemetry investigation identified 7b7b3966 as the Triage MCP AppId via MicrosoftGraphActivityLogs + SigninLogs correlation. |
253895df-6bd8-4eaf-b101-1381ec4306eb | Sentinel Platform Services App Reg | SigninLogs | Sentinel-hosted MCP platform |
04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Azure MCP Server (local stdio via DefaultAzureCredential → Azure CLI) | SigninLogs, AADNonInteractiveUserSignInLogs, LAQueryLogs | Shared AppId with Azure CLI. In LAQueryLogs, RequestClientApp is empty (not a unique fingerprint). Azure MCP appends \n| limit N to query text — the only query-level differentiator. Read-only ARM ops don't appear in AzureActivity. 🔄 Updated Feb 2026: Previously documented as AppId 1950a258 (AzurePowerShellCredential) with csharpsdk,LogAnalyticsPSClient — that fingerprint is obsolete; only 1 occurrence found in 30-day lookback. |
| (none — uses DefaultAzureCredential) | Azure MCP Server (local stdio) | AzureActivity | ARM write operations only; read ops not logged. Claims.appid = 04b07795. Inherits cred from Azure CLI/VS Code |
| (no AppId — Purview unified audit) | Sentinel Data Lake MCP | CloudAppEvents | RecordType 403; Interface IMcpToolTemplate; tools: query_lake, list_sentinel_workspaces, search_tables |
Sentinel MCP Collection Endpoints
| Endpoint URL | Collection | Monitored |
|---|
https://sentinel.microsoft.com/mcp/data-exploration | Data Exploration (Data Lake MCP) | ✅ Phase 3 |
https://sentinel.microsoft.com/mcp/triage | Triage (Triage MCP) | ✅ Phase 2 |
https://sentinel.microsoft.com/mcp/security-copilot-agent-creation | Security Copilot Agent Creation | ❌ See Landscape |
Client Applications
| AppId | Service | Telemetry Table | Notes |
|---|
aebc6443-996d-45c2-90f0-388ff96faa56 | Visual Studio Code | SigninLogs | VS Code as MCP client → Sentinel |
9ba5f2e4-6bbf-4df2-b19b-7f1bcb926818 | PowerPlatform-sentinelmcp-Connector | SigninLogs | Copilot Studio → Sentinel MCP |
04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Azure CLI (DefaultAzureCredential) | SigninLogs, AADNonInteractiveUserSignInLogs, LAQueryLogs | Primary Azure MCP Server credential path (field-tested Feb 2026). RequestClientApp is empty in LAQueryLogs. Azure MCP appends \n| limit N to query text. Shared AppId with manual az CLI — disambiguate via query text pattern or session correlation. 🔄 Previously documented as 1950a258 (AzurePowerShellCredential) — that path is obsolete |
Portal & Platform Applications (Non-MCP — for context)
| AppId | Service | Telemetry Table | Notes |
|---|
80ccca67-54bd-44ab-8625-4b79c4dc7775 | M365 Security & Compliance Center (Sentinel Portal) | LAQueryLogs | ASI_Portal, ASI_Portal_Connectors — Sentinel Portal backend, NOT an MCP server |
95a5d94c-a1a0-40eb-ac6d-48c5bdee96d5 | Azure Portal — AppInsightsPortalExtension | LAQueryLogs | Azure Portal blade for Log Analytics Usage dashboards/workbooks. RequestClientApp = AppInsightsPortalExtension. Executes billing/usage queries (e.g., Usage | where IsBillable). NOT MCP, NOT VS Code — runs when user opens Workspace Usage Dashboard in browser. No SPN or app registration in tenant (platform-level first-party app). Not in merill/microsoft-info known apps list. |
de8c33bb-995b-4d4a-9d04-8d8af5d59601 | PowerPlatform-AzureMonitorLogs-Connector | AADNonInteractiveUserSignInLogs, LAQueryLogs | Logic Apps → Log Analytics (NOT MCP) |
fc780465-2017-40d4-a0c5-307022471b92 | Sentinel Engine (analytics rules, UEBA, Advanced Hunting backend) | LAQueryLogs | Built-in scheduled query engine (NOT MCP). Also serves as the execution backend for Advanced Hunting — RequestClientApp = "M365D_AdvancedHunting" indicates AH queries from Triage MCP, Defender portal, or Security Copilot that hit connected LA tables (see Query 7). Separate from analytics rules (RequestClientApp empty or other values). |
Extended Microsoft MCP Server Landscape (Reference)
Beyond the four MCP servers actively monitored by this skill, Microsoft's MCP ecosystem includes many additional servers. This section catalogs them for awareness, threat modeling, and future monitoring expansion.
Sentinel MCP Collections (Microsoft-Hosted)
Microsoft Sentinel exposes three official MCP collections, each at a distinct endpoint:
| Collection | Endpoint URL | Purpose | Monitored by This Skill |
|---|
| Data Exploration | https://sentinel.microsoft.com/mcp/data-exploration | query_lake, search_tables, list_sentinel_workspaces, entity analyzer | ✅ Phase 3 (CloudAppEvents) |
| Triage | https://sentinel.microsoft.com/mcp/triage | Incident triage, Advanced Hunting, entity investigation | ✅ Phase 2 (MicrosoftGraphActivityLogs + SigninLogs — AppId 7b7b3966) |
| Security Copilot Agent Creation | https://sentinel.microsoft.com/mcp/security-copilot-agent-creation | Create Microsoft Security Copilot agents for complex workflows | ❌ Not yet monitored |
Sentinel Custom MCP Tools: Organizations can create their own MCP tools by exposing saved KQL queries from Advanced Hunting as MCP tools. These execute through the same Sentinel MCP infrastructure and are audited in CloudAppEvents (RecordType 403) alongside built-in tools. See Create custom Sentinel MCP tools.
🔵 Monitoring note: Custom MCP tools appear in CloudAppEvents with the same RecordType 403 and IMcpToolTemplate interface as built-in tools. The ToolName field will show the custom tool name, making them visible in Query 13 without modification.
Power BI MCP Servers
| Server | Type | Endpoint / Repo | Purpose | Telemetry Surface |
|---|
| Power BI Remote MCP | Microsoft-hosted | https://api.fabric.microsoft.com/v1/mcp/powerbi | Query Power BI datasets, reports, and workspaces remotely via SSE transport | 🟡 PowerBIActivity table (if ingested into Sentinel), Fabric audit logs |
| Power BI Modeling MCP | Local (stdio) | microsoft/powerbi-modeling-mcp | Local Power BI model operations (DAX queries, schema exploration) | ❌ Local only — no Azure telemetry |
⚠️ Data exfiltration risk: Power BI Remote MCP provides API-based access to organizational datasets. If an AI agent connects to this endpoint, it can query sensitive business data. Monitor PowerBIActivity for unusual access patterns if this table is available in your Sentinel workspace.
Fabric & Azure Data Explorer MCP Servers
| Server | Type | Endpoint / Repo | Purpose | Telemetry Surface |
|---|
| Fabric RTI MCP Server | Local (stdio) | microsoft/fabric-rti-mcp | Query Azure Data Explorer clusters and Fabric Real-Time Intelligence Eventhouses via KQL | 🟡 ADX audit logs, Fabric audit events |
| Azure MCP Server — Kusto namespace | Local (stdio) | Part of Azure MCP Server (azmcp --namespace kusto) | Manage ADX clusters, databases, tables, and queries via ARM | ✅ Already covered (Azure ARM operations — Phase 4) |
| Kusto Query MCP | Copilot Studio built-in | Copilot Studio catalog | KQL query execution from Copilot Studio agents | 🟡 CloudAppEvents (Copilot Studio workload) |
🔵 Note: The Fabric RTI MCP Server is open-source and runs locally. It authenticates to ADX/Eventhouse using the user's credentials. If your org uses ADX, queries from this MCP would appear in ADX audit logs (.show queries / diagnostic logs), NOT in Sentinel LAQueryLogs.
Developer & Productivity MCP Servers
| Server | Type | Repo | Purpose | Telemetry Surface |
|---|
| Playwright MCP | Local (stdio) | microsoft/playwright-mcp (26.9k ⭐) | Browser automation via accessibility tree — enables LLMs to interact with web pages | ❌ Local only — no Azure telemetry |
| GitHub MCP Server | Local (stdio) | github/github-mcp-server | GitHub repo operations (issues, PRs, code search) via PAT | ❌ GitHub audit logs only, not in Sentinel |
| Microsoft Learn Docs MCP | Cloud-hosted | Certified Copilot Studio connector | Search and fetch official Microsoft Learn documentation | ❌ Public docs, no security data |
Copilot Studio Built-in MCP Servers (19+ servers)
Microsoft Copilot Studio provides a catalog of built-in MCP servers for agent development. These are Microsoft-managed, cloud-hosted servers that agents can connect to.
Source: Built-in MCP servers catalog
| Category | MCP Servers | Security Relevance |
|---|
| Microsoft 365 | Outlook Mail, Outlook Calendar, 365 User Profile, Teams, Word, 365 Copilot (Search) | 🔴 High — email, calendar, user profile access |
| SharePoint & OneDrive | SharePoint and OneDrive, SharePoint Lists | 🟠 Medium — file and data access |
| Administration | 365 Admin Center | 🔴 High — administrative control plane |
| Dataverse | Dataverse MCP | 🟠 Medium — business data access |
| Dynamics 365 | Sales, Finance, Supply Chain, Service, ERP, Contact Center (6 sub-variants) | 🟡 Low-Medium — business application data |
| Fabric | Fabric MCP | 🟠 Medium — analytics data access |
| Office 365 Outlook | Contact Management, Email Management, Meeting Management | 🔴 High — email and contact data |
| Meta-Server | MCP Management MCP | 🟠 Medium — manages other MCP servers via Dataverse/Graph |
⚠️ Telemetry gap: Copilot Studio built-in MCP servers are NOT directly visible in LAQueryLogs or MicrosoftGraphActivityLogs. Their activity may appear in:
CloudAppEvents — under Copilot Studio workload (if Purview unified audit is configured)
- M365 unified audit log — as Copilot Studio agent actions
AuditLogs — service principal lifecycle events (creation, modification)
AADServicePrincipalSignInLogs — SPN sign-ins to Bot Framework from Azure internal IPs (fd00:*)
To monitor Copilot Studio agent activity, use the ai-agent-posture skill for comprehensive agent security auditing.
Azure MCP Server — Full Tool Surface
The Azure MCP Server (already tracked in Phase 4) has a much broader tool surface than just ARM operations. The complete namespace catalog:
| Category | Namespaces | Security-Relevant Tools |
|---|
| AI & ML | foundry, search, speech | AI Foundry model access, Search index queries |
| Identity | role | ⚠️ RBAC role assignments — view and manage |
| Security | keyvault, appconfig, confidentialledger | 🔴 Key Vault secrets/keys/certs, App Configuration |
| Databases | cosmos, mysql, postgres, redis, sql | Database access and management |
| Storage | storage, fileshares, storagesync, managedlustre | Blob, file, and storage account access |
| Compute | appservice, functionapp, aks | App Service, Functions, Kubernetes |
| Networking | eventhubs, servicebus, eventgrid, communication, signalr | Messaging and event services |
| DevOps | bicepschema, deploy, monitor, workbooks, grafana | Infrastructure deployment, monitoring |
| Governance | policy, quota, resourcehealth, cloudarchitect | Policy management, resource health |
| Other | marketplace, virtualdesktop, loadtesting, acr | VDI, container registry, load testing |
🔵 Key Vault access via MCP is particularly security-sensitive. The Azure MCP Server implements elicitation (user confirmation prompts) before returning secrets. However, this can be bypassed with the --insecure-disable-user-confirmation flag. Monitor AzureActivity for Key Vault operations correlated with MCP usage patterns.
Monitoring Expansion Priorities
If expanding this skill's coverage, prioritize based on data access risk:
| Priority | Server | Why | How to Monitor |
|---|
| 🔴 P1 | Copilot Studio built-in M365 MCPs | Email, Teams, admin center access | ai-agent-posture skill + CloudAppEvents |
| 🔴 P1 | Security Copilot Agent Creation | Creates autonomous security agents | CloudAppEvents for agent creation events |
| 🟠 P2 | Power BI Remote MCP | Dataset query access via API | PowerBIActivity table if available |
| 🟠 P2 | Sentinel Custom MCP Tools | User-defined tools, same audit surface | Already visible in Phase 3 CloudAppEvents |
| 🟡 P3 | Fabric RTI MCP | ADX/Eventhouse data access | ADX diagnostic logs |
| 🟡 P3 | Kusto Query MCP (Copilot Studio) | KQL from Copilot Studio agents | CloudAppEvents (Copilot Studio workload) |
| ⚪ P4 | Playwright, GitHub, Learn Docs MCPs | Local/public, minimal telemetry | Not monitorable from Sentinel |
Note: This catalog reflects the Microsoft MCP ecosystem as of February 2026. The Copilot Studio MCP catalog notes: "This list isn't exhaustive. New MCP connectors are added regularly."
⛔ MANDATORY: Sentinel Workspace Selection
This skill requires a Sentinel workspace to execute queries. Follow these rules STRICTLY:
When invoked from another skill (e.g., incident-investigation):
- Inherit the workspace selection from the parent investigation context
- If no workspace was selected in parent context: STOP and ask user to select
When invoked standalone (direct user request):
- ALWAYS call
list_sentinel_workspaces MCP tool FIRST
- If 1 workspace exists: Auto-select, display to user, proceed
- If multiple workspaces exist:
- Display all workspaces with Name and ID
- ASK: "Which Sentinel workspace should I use for this analysis?"
- ⛔ STOP AND WAIT for user response
- ⛔ DO NOT proceed until user explicitly selects
- If a query fails on the selected workspace:
- ⛔ DO NOT automatically try another workspace
- STOP and report the error, display available workspaces, ASK user to select
🔴 PROHIBITED ACTIONS:
- ❌ Selecting a workspace without user consent when multiple exist
- ❌ Switching to another workspace after a failure without asking
- ❌ Proceeding with analysis if workspace selection is ambiguous
Output Modes
This skill supports two output modes. ASK the user which they prefer if not explicitly specified. Both may be selected.
Mode 1: Inline Chat Summary (Default)
- Render the full MCP usage analysis directly in the chat response
- Includes ASCII tables, trend charts, endpoint breakdowns, and security assessment
- Best for quick review and interactive follow-up questions
Mode 2: Markdown File Report
- Save a comprehensive report to
reports/mcp-usage/MCP_Usage_Report_<timestamp>.md
- All ASCII visualizations render correctly inside markdown code fences (
```)
- Includes all data from inline mode plus additional detail sections
- Use
create_file tool — NEVER use terminal commands for file output
- Filename pattern:
reports/mcp-usage/MCP_Usage_Report_YYYYMMDD_HHMMSS.md
Markdown Rendering Notes
- ✅ ASCII tables, box-drawing characters, and bar charts render perfectly in markdown code blocks
- ✅ Unicode block characters (▓░█) display correctly in monospaced fonts
- ✅ Emoji indicators (🔴🟢🟡⚠️✅) render natively in GitHub-flavored markdown
- ✅ Standard markdown tables (
| col |) render as formatted tables
- Tip: Wrap all ASCII art in triple-backtick code fences for consistent rendering
Scalability & Token Management
This skill was developed in a small lab environment (1–2 users, single workspace). In larger tenants with many users, MCP servers, and higher query volumes, the query complexity is not a concern — all queries use summarize, dcount, make_set(..., N), and take operators, so result sets remain bounded regardless of raw table size. Execution time will increase but output shape stays the same.
The primary risk in large environments is LLM token exhaustion during report generation. All query results accumulate in conversation context before the report is written, and this skill file itself consumes significant context. In a large tenant, richer result sets (more users, endpoints, error categories, AppIds) can push past token limits before the report is complete.
Guardrails for Large Environments
1. Tighten result set limits in queries:
| Parameter | Small Env (default) | Large Env |
|---|
make_set(..., N) for users | 10 | 5 |
make_set(..., N) for endpoints | 20–30 | 10 |
make_set(..., N) for errors | 5 | 3 |
take on governance tables | 25 | 15 |
take on endpoint rankings | 25 | 15 |
take on error analysis | 50 | 20 |
2. Incremental file writes (markdown mode):
Instead of composing the entire report in memory and writing it in one create_file call:
- Write the report header and executive summary first with
create_file
- Append each section (Graph MCP, Sentinel Triage, Data Lake, etc.) using
replace_string_in_file to insert content at the end of the file
- This allows earlier query results to fall out of active context after being written
3. Two-pass approach for very large tenants:
- Pass 1 (Summary): Run all queries with aggressive limits (
take 10, make_set(..., 3)). Generate a summary report with top-level numbers only.
- Pass 2 (Drill-down): If the user wants detail on a specific section (e.g., "show me the full Data Lake error breakdown"), run targeted queries for that section only.
4. Parallel query batching:
Phases 1–5 contain independent queries — always run them in parallel. But avoid running all ~16 queries simultaneously; batch them into 2–3 groups of 5–6 queries. This balances throughput against context accumulation.
5. Omit raw query appendix for large reports:
The "Appendix: Query Details" section listing every KQL query used can be omitted in large environments to save tokens. The queries are documented in this skill file and don't need to be repeated in the report.
Indicators You're Hitting Token Limits
- Report generation starts but cuts off mid-section
- The agent switches to a new conversation turn unexpectedly during report writing
- Sections become progressively less detailed toward the end of the report
- The agent summarizes findings in chat instead of writing the full markdown file
If any of these occur, ask the agent to: "Continue writing the report from where you left off" — the incremental file write approach ensures partial progress is saved.
Quick Start (TL;DR)
When a user requests MCP usage monitoring:
- Select Workspace →
list_sentinel_workspaces, auto-select or ask
- Determine Output Mode → Ask if not specified: inline, markdown file, or both
- Determine Time Range → Ask if not specified; default 30 days
- Run Phase 1 (Graph MCP) → Daily usage summary, top endpoints, sensitive API access
- Run Phase 2 (Sentinel Triage MCP) → API calls via AppId
7b7b3966, auth events, AH downstream queries
- Run Phase 3 (Sentinel Data Lake MCP) → CloudAppEvents tool usage, error analysis, MCP vs Direct KQL
- Run Phase 4 (Azure MCP & ARM) → ARM operations, resource provider breakdown
- Run Phase 5 (Workspace Governance) → All query sources (Analytics + Data Lake tiers), MCP proportion
- Run Phase 6 (Cross-Server User Analysis) → Top MCP users by server breadth, power user identification
- Run Phase 7 (Assessment) → Compute MCP Usage Score, security assessment, render report
Parallel execution: Phases 1-5 contain independent queries — run all of them in parallel for performance. Phases 6-7 depend on results from 1-5.
MCP Usage Score Formula
The MCP Usage Score is a composite health and risk indicator that summarizes MCP server activity. Unlike the Drift Score (which is a ratio), this is an absolute assessment based on multiple dimensions.
Scoring Dimensions
$$
\text{MCPUsageScore} = \sum_{i} \text{DimensionScore}_i
$$
Each dimension contributes 0–20 points to a maximum of 100:
| Dimension | Max Points | Green (0-5) | Yellow (6-12) | Red (13-20) |
|---|
| User Diversity | 20 | 1-2 known users | 3-5 users or 1 unknown | >5 users or unknown users |
| Endpoint Sensitivity | 20 | 0% sensitive endpoints | 1-30% sensitive | >30% calls to sensitive APIs |
| Error Rate | 20 | <1% errors | 1-5% errors | >5% errors |
| Volume Anomaly | 20 | Within ±50% of daily avg | 50-200% spike | >200% spike vs avg |
| Off-Hours Activity | 20 | <5% off-hours | 5-20% off-hours | >20% calls outside business hours |
Interpretation Scale
| Score | Meaning | Action |
|---|
| 0–25 | Healthy | ✅ Normal MCP usage, no concerns |
| 26–50 | Elevated | 🟡 Review — minor anomalies detected |
| 51–75 | Concerning | 🟠 Investigate — multiple risk signals present |
| 76–100 | Critical | 🔴 Immediate review — significant security risk |
Sensitivity Classification
Sensitive Graph API endpoints — flag any MCP calls to these patterns:
roleManagement, roleAssignments, roleEligibility,
authentication/methods, identityProtection, riskyUsers,
riskDetections, conditionalAccess, servicePrincipals,
appRoleAssignments, oauth2PermissionGrants,
auditLogs, directoryRoles, privilegedAccess,
security/alerts, security/incidents
Off-Hours Definition
Business hours: 08:00–18:00 local time (derive from user's primary sign-in timezone, or use UTC if unknown). Weekends count as off-hours for all 24 hours.
Execution Workflow
Phase 1: Graph MCP Server Analysis
Data source: MicrosoftGraphActivityLogs
Filter: AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
Collect:
- Execute Query 1 (Unified Daily MCP Activity Trend) via
RunAdvancedHuntingQuery — returns daily Server | Day | Calls | Errors | ErrorRate for ALL 4 MCP servers in one pass. Run this ONCE here; do NOT re-run in Phases 2–4. Feeds the SVG dashboard Row 5 line chart and volume anomaly detection.
- Execute Query 2 (Endpoint & Activity Summary) via
RunAdvancedHuntingQuery — returns per-endpoint rows with call counts, sensitivity flag, off-hours metrics, error rates, and user sets. Replaces former Q2 + Q3 + Q11. Derive: top endpoints (order by CallCount), sensitive APIs (where IsSensitive), off-hours % (sum(OffHoursCalls)/sum(CallCount)).
Phase 2: Sentinel Triage MCP Analysis
Data sources: MicrosoftGraphActivityLogs, SigninLogs, AADNonInteractiveUserSignInLogs
Filter: AppId = 7b7b3966-1961-47b5-b080-43ca5482e21c ("Microsoft Defender Mcp")
Detection Method (Confirmed Feb 2026):
The Sentinel Triage MCP has a dedicated AppId (7b7b3966-1961-47b5-b080-43ca5482e21c) that appears in both MicrosoftGraphActivityLogs and SigninLogs/AADNonInteractiveUserSignInLogs. This enables definitive attribution of Triage MCP calls — no heuristics or shared-surface estimation needed.
Key characteristics:
- AppDisplayName: "Microsoft Defender Mcp" (visible in SigninLogs)
- Auth type: Delegated + certificate (ClientAuthMethod=2) — user identity always available
- Scopes:
SecurityAlert.Read.All, SecurityIncident.Read.All, ThreatHunting.Read.All
- Target resources: Microsoft Graph, WindowsDefenderATP
- API endpoints: POST
/v1.0/security/runHuntingQuery/, GET /security/incidents/, GET /security/alerts_v2/
- No local SPN: Microsoft first-party app — display name only visible in SigninLogs, not in Graph API SPN lookup
🔵 MicrosoftGraphActivityLogs retention varies by environment (depends on Log Analytics workspace configuration and diagnostic settings). Do not assume a fixed retention period — check with a baseline row count query first.
Collect:
- Execute Query 3 to get authentication events by client app (VS Code, Copilot Studio, browser) with user, IP, OS, country
- Execute Query 4 to get client app usage breakdown with distinct user counts and last-seen timestamps
- Execute Query 5 to get Triage MCP API usage from
MicrosoftGraphActivityLogs — filter by AppId 7b7b3966 for exact Triage MCP calls with endpoint/method/user breakdown
- Execute Query 6 to get Triage MCP authentication events from
SigninLogs/AADNonInteractiveUserSignInLogs — sign-in frequency, user attribution, IP, OS, country
- Execute Query 7 to get LAQueryLogs for Advanced Hunting downstream queries via
fc780465 / M365D_AdvancedHunting. Captures queries from any RunAdvancedHuntingQuery consumer (Triage MCP, Defender portal, Security Copilot) that hit connected LA tables. XDR-native tables (DeviceEvents, EmailEvents) don't appear here.
Phase 3: Sentinel Data Lake MCP Analysis
Data source: CloudAppEvents (Purview unified audit log)
Execution tool: RunAdvancedHuntingQuery preferred (30-day lookback, free for Analytics-tier tables). CloudAppEvents uses Timestamp in AH (not TimeGenerated). Fall back to mcp_sentinel-data_query_lake (uses TimeGenerated, 90d retention) only if lookback > 30 days or AH returns errors.
Filter: ActionType contains "Sentinel" or ActionType contains "KQL". RecordType is inside RawEventData (not a top-level column) — extract with parse_json(tostring(RawEventData)).RecordType. RecordType 403 = MCP tools, 379 = Direct KQL.
⚠️ MANDATORY: Execute Query 10 against query_lake before reporting any gap. If the query returns 0 results or table-not-found, THEN report the gap. Do NOT skip this phase based on assumptions about E5 licensing or Purview configuration — the table may be populated even without explicit Purview setup.
Audit Path: Sentinel Data Lake MCP tools are NOT audited via LAQueryLogs — they are tracked through Purview unified audit log, surfaced in the CloudAppEvents table. RecordType 403 (inside RawEventData) = Sentinel AI Tool activities, RecordType 379 = KQL activities.
MCP vs Direct KQL Delineation:
| Access Pattern | RecordType | Interface | Operation | What It Represents |
|---|
| MCP Server-driven | 403 | IMcpToolTemplate | SentinelAIToolRunStarted, SentinelAIToolRunCompleted | Tool calls via Sentinel Data Lake MCP (e.g., query_lake, list_sentinel_workspaces, search_tables) |
| Direct KQL | 379 | Microsoft.SentinelGraph.AIPrimitives.Core.Services.KqsService | KQLQueryCompleted | KQL queries executed directly via Sentinel Graph / Data Lake Explorer (no MCP intermediary) |
⚠️ Known Limitation (Discovered Mar 2026): RecordType 403 (SentinelAIToolRunCompleted / IMcpToolTemplate) may not be emitted by the Data Lake MCP server. In verified testing, all Data Lake MCP tool calls (query_lake, search_tables) appeared as RecordType 379 with Interface = "InterfaceNotProvided" — NOT as RecordType 403. When RecordType 403 returns 0 results:
- Do NOT report "0 MCP activity" — the audit pipeline has a gap, not the usage.
- Fallback: Use Interface breakdown within RecordType 379.
InterfaceNotProvided contains MCP-driven queries. Cross-reference users in InterfaceNotProvided with known Sentinel MCP users from Q4/Q6 (SigninLogs). Known portal interfaces: msglakeexplorer@msec-msg (Portal Data Lake Explorer), msgjobmanagement@msec-msg (scheduled jobs), ipykernel_launcher.py (Jupyter), PowerBIConnector (Power BI), Microsoft.Medeina.Server (Security Copilot).
- Report as "Probable MCP" — clearly note the attribution is based on proxy signal (user overlap), not definitive RecordType 403 classification.
Key RawEventData Fields:
| Field | Description | Example |
|---|
ToolName | MCP tool invoked | query_lake, list_sentinel_workspaces, search_tables, analyze_url_entity |
Interface | Execution interface — distinguishes MCP from direct | IMcpToolTemplate (MCP) vs KqsService (direct) |
ExecutionDuration | Duration in seconds (as string) | "2.4731712" |
FailureReason | Error message if failed | "SemanticError: 'DeviceDetail' column does not exist" |
TablesRead | Tables accessed by the query | "SigninLogs" |
DatabasesRead | Log Analytics workspace name | "la-yourworkspace" |
TotalRows | Rows returned | 100 |
InputParameters | Full tool input including KQL query text and workspaceId | JSON string with query and workspaceId keys |
Collect:
- Execute Query 10 to get Data Lake MCP access pattern summary (tool/table/workspace inventory with MCP vs Direct KQL delineation)
- Execute Query 11 to get tool-level breakdown with call counts and avg execution duration
- Execute Query 12 to get error analysis for failed Data Lake MCP tool calls
Phase 4: Azure MCP Server Authentication & Queries
Data sources: SigninLogs, AADNonInteractiveUserSignInLogs, LAQueryLogs
Filter: AppId = 04b07795-8ddb-461a-bbee-02f9e1bf7b46 (sign-in logs, LAQueryLogs)
Collect:
- Execute Query 13 to get Azure MCP Server authentication events from SigninLogs/AADNonInteractiveUserSignInLogs — filter by AppId
04b07795 (Azure CLI credential, field-tested Feb 2026). 🔄 Previously documented as AppId 1950a258 (AzurePowerShellCredential) — that path is obsolete.
- Execute Query 14 to get Azure MCP Server workspace queries from LAQueryLogs — filter by AADClientId
04b07795. RequestClientApp is empty (not a unique fingerprint). Azure MCP appends \n| limit N to query text — use query text pattern as differentiator.
Detection Method (🔄 Updated Feb 2026):
The Azure MCP Server runs as a local .NET process (stdio mode) and authenticates via DefaultAzureCredential. Field-tested Feb 2026: The credential chain now resolves to Azure CLI credential (04b07795-8ddb-461a-bbee-02f9e1bf7b46), NOT AzurePowerShellCredential (1950a258) as previously documented.
Previous fingerprint (OBSOLETE): AppId 1950a258 + RequestClientApp = csharpsdk,LogAnalyticsPSClient. Only 1 occurrence found in 30-day lookback. The Azure MCP Server SDK path has changed.
Current fingerprint (field-tested Feb 2026):
| Signal | Azure MCP Server (Current) | Azure CLI (Manual) | Notes |
|---|
| AppId (SigninLogs) | 04b07795 | 04b07795 | Shared — not a unique differentiator |
| AADClientId (LAQueryLogs) | 04b07795 | 04b07795 | Shared |
| RequestClientApp (LAQueryLogs) | Empty ("") | Empty ("") | Shared — not a unique differentiator. Empty RequestClientApp is also used by 4+ other AADClientIds |
| Query text pattern (LAQueryLogs) | Appends \n| limit N to all queries | No standard suffix | ✅ Best differentiator — Azure MCP monitor_workspace_log_query always appends a limit operator |
| AzureActivity (Claims.appid) | 04b07795 (write ops only) | 04b07795 | Shared; read ops not logged. Use Q14 HasLimitSuffix for query-level differentiation |
🚨 Key change from previous documentation:
- ❌
RequestClientApp = "csharpsdk,LogAnalyticsPSClient" — OBSOLETE, no longer produced by Azure MCP Server
- ❌ AppId
1950a258 (AzurePowerShellCredential) — OBSOLETE credential path
- ✅ AppId
04b07795 (Azure CLI) — current credential path
- ✅
RequestClientApp is empty — shared with Azure CLI and other tools
- ✅ Query text containing
\n| limit — most reliable query-level differentiator
Disambiguation challenges:
- Azure MCP Server queries are difficult to isolate from manual Azure CLI queries in LAQueryLogs because both share the same AppId AND empty
RequestClientApp
- The
\n| limit N suffix appended by monitor_workspace_log_query is the best heuristic but is not guaranteed to be unique
- In SigninLogs, UserAgent containing
azsdk-net-Identity with OS Microsoft Windows may still help if the credential chain includes Azure Identity SDK components
- Consider correlating query timing with known MCP session activity for attribution
Authentication Sequence Observed (Current):
- Azure MCP Server acquires token via Azure CLI cached credential
- Token is reused for subsequent operations within its lifetime
- If MFA claim is missing → interactive browser prompt (rare with CLI credential)
- Subsequent calls reuse the cached token until expiry
🔴 Token Caching Behavior (Field-Tested Feb 2026):
- Sign-in events appear at token acquisition time, NOT at each individual API call time
- Once a token is cached, subsequent Azure MCP calls (list resources, get configs, etc.) do NOT generate new sign-in events
- You will see 1-3 sign-in events per token lifecycle, not one per API call
- To count actual API calls, correlate with AzureActivity (write ops) or LAQueryLogs (
monitor_workspace_log_query calls)
- The ~1hr token lifetime means at most ~24 sign-in event clusters per day of continuous use
AzureActivity visibility: Only ARM write/action/delete operations appear in AzureActivity (Administrative category). Azure MCP Server read-only operations (list subscriptions, list resource groups, list clusters) do NOT appear. Claims.appid = 04b07795 when write operations do occur.
Note: Azure MCP Server is difficult to isolate from manual Azure CLI usage because they share the same AppId and both produce empty RequestClientApp. The \n| limit N query text suffix is the best heuristic for LAQueryLogs. In SigninLogs, the shared AppId means Azure MCP authenticated as Azure CLI — there is no unique sign-in fingerprint. Present findings as "Azure MCP Server / Azure CLI (shared AppId 04b07795)" in reports.
Phase 5: Workspace Query Governance
Data source: LAQueryLogs (Analytics tier), CloudAppEvents (Data Lake tier)
Filter: All AADClientIds (LAQueryLogs), All Sentinel operations (CloudAppEvents)
Collect:
- Execute Query 8 to get all clients querying the Analytics tier workspace with query counts, user counts, CPU usage
- Data Lake tier query volume from Phase 3 results (Queries 10-12)
- MCP proportion calculation: combined MCP query volume (Analytics + Data Lake tiers) / total query volume
Phase 6: Cross-Server User Analysis
Data sources: MicrosoftGraphActivityLogs, CloudAppEvents, SigninLogs, AADNonInteractiveUserSignInLogs
Collect:
- Execute Query 9 to get Graph MCP caller attribution — User vs SPN breakdown
- Execute Query 15 to get top MCP users ranked by cross-server breadth — identifies which users span the most MCP servers and their total call volume
Note: Query 15 joins user activity across all 4 MCP channels (Graph MCP, Triage MCP, Data Lake MCP, Azure CLI/MCP) and resolves UserIds to UPNs via SigninLogs. Data Lake MCP attribution uses InterfaceNotProvided proxy signal when RecordType 403 is unavailable.
Phase 7: Score Computation & Report Generation
- Compute per-dimension scores from Phase 1-6 data:
- User Diversity: Count distinct users across all MCP channels (use Query 15 cross-server results)
- Endpoint Sensitivity: % of Graph MCP calls to sensitive patterns (Phase 1 Query 2
IsSensitive column)
- Error Rate: % of non-2xx responses across all MCP channels
- Volume Anomaly: Compare most recent day vs rolling average (Phase 1 Query 1 daily data)
- Off-Hours Activity: % of MCP calls outside 08:00-18:00 (Phase 1 Query 2
OffHoursCalls column)
- Sum dimension scores for composite MCP Usage Score
- Include Top MCP Users table in report (Phase 6 — Query 15 cross-server results)
- Generate security assessment with emoji-coded findings
- Render output in the user's selected mode
- Validate report completeness — after composing the report, run the Report Completeness Checklist below. Cross-check every required section against the template before saving/presenting. Fix any missing sections before finalizing.
Sample KQL Queries
🔴 MANDATORY: Execute these queries EXACTLY as written. Substitute only the time range parameter (e.g., ago(30d) → ago(90d)) and entity-specific values where indicated. These queries are schema-verified and encode mitigations for pitfalls documented in Known Pitfalls. Rewriting, paraphrasing, or constructing "equivalent" queries from scratch risks hitting the exact schema issues these queries were designed to avoid.
| Action | Status |
|---|
| Rewriting a pre-authored query from scratch | ❌ PROHIBITED |
Removing parse_json() / tostring() wrappers from queries | ❌ PROHIBITED |
| Substituting column names without schema verification | ❌ PROHIBITED |
Using has instead of contains for CamelCase fields | ❌ PROHIBITED |
| Executing a query not from this section without completing the Pre-Flight Checklist | ❌ PROHIBITED |
Query 1: Unified Daily MCP Activity Trend
Note: Consolidates former Q1 (Graph MCP daily), Q7d (Triage MCP daily), Q23 (Data Lake MCP daily), Q25a (Azure MCP daily) into a single union query.
Feeds: SVG dashboard Row 5 line chart (daily_mcp_trend) — all 4 series in one query.
Tool: mcp_sentinel-data_query_lake (union of SigninLogs + AADNonInteractiveUserSignInLogs fails in AH when AADNonInteractiveUserSignInLogs is on Data Lake tier — common in customer environments).
⚠️ Timestamp: All tables use TimeGenerated in Data Lake (unlike AH where CloudAppEvents uses Timestamp).
// Unified Daily MCP Activity Trend — all 4 MCP servers in one pass
// Configurable: replace 30d with desired lookback (max 30d for AH)
let lookback = 30d;
// --- Graph MCP (AppId e8c77dc2) ---
let graph_mcp = MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(lookback)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| summarize Calls = count(),
Errors = countif(ResponseStatusCode >= 400)
by Day = bin(TimeGenerated, 1d)
| extend Server = "Graph MCP";
// --- Triage MCP (AppId 7b7b3966) ---
let triage_mcp = MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(lookback)
| where AppId == "7b7b3966-1961-47b5-b080-43ca5482e21c"
| summarize Calls = count(),
Errors = countif(ResponseStatusCode >= 400)
by Day = bin(TimeGenerated, 1d)
| extend Server = "Triage MCP";
// --- Data Lake MCP (CloudAppEvents RecordType 379 + InterfaceNotProvided) ---
let data_lake_mcp = CloudAppEvents
| where TimeGenerated >= ago(lookback)
| where ActionType contains "Sentinel" or ActionType contains "KQL"
| extend RawData = parse_json(tostring(RawEventData))
| extend RecordType = toint(RawData.RecordType),
Interface = tostring(RawData.Interface),
FailureReason = tostring(RawData.FailureReason)
| where RecordType == 379 and (Interface == "InterfaceNotProvided" or isempty(Interface))
| summarize Calls = count(),
Errors = countif(isnotempty(FailureReason) and FailureReason != "")
by Day = bin(TimeGenerated, 1d)
| extend Server = "Data Lake MCP";
// --- Azure MCP/CLI (AppId 04b07795 — shared with Azure CLI) ---
let azure_interactive = SigninLogs
| where TimeGenerated >= ago(lookback)
| where AppId == "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
| project TimeGenerated, ResultType;
let azure_noninteractive = AADNonInteractiveUserSignInLogs
| where TimeGenerated >= ago(lookback)
| where AppId == "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
| project TimeGenerated, ResultType;
let azure_mcp = union azure_interactive, azure_noninteractive
| summarize Calls = count(),
Errors = countif(ResultType != "0" and ResultType != "")
by Day = bin(TimeGenerated, 1d)
| extend Server = "Azure MCP/CLI";
// --- Union all servers ---
union graph_mcp, triage_mcp, data_lake_mcp, azure_mcp
| extend ErrorRate = iff(Calls > 0, round(100.0 * Errors / Calls, 1), 0.0)
| project Server, Day, Calls, Errors, ErrorRate
| order by Day asc, Server asc
Query 2: Graph MCP — Endpoint & Activity Summary
Replaces: former Q2 (Top Endpoints), Q3 (Sensitive API Access), Q11 (Off-Hours Activity).
Tool: RunAdvancedHuntingQuery
Report derivation: Top endpoints = all rows by CallCount desc. Sensitive endpoints = where IsSensitive. Off-hours % = sum(OffHoursCalls) / sum(CallCount) across all rows.
// Graph MCP — single-pass endpoint analysis with sensitivity + off-hours enrichment
let sensitive_patterns = dynamic([
"roleManagement", "roleAssignments", "roleEligibility",
"authentication/methods", "identityProtection", "riskyUsers",
"riskDetections", "conditionalAccess", "servicePrincipals",
"appRoleAssignments", "oauth2PermissionGrants",
"auditLogs", "directoryRoles", "privilegedAccess",
"security/alerts", "security/incidents"
]);
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| extend Endpoint = tostring(split(RequestUri, "?")[0])
| extend HourOfDay = datetime_part("hour", TimeGenerated)
| extend DayOfWeek = dayofweek(TimeGenerated) / 1d
| extend IsOffHours = HourOfDay < 8 or HourOfDay >= 18 or DayOfWeek >= 5
| extend IsSensitive = RequestUri has_any (sensitive_patterns)
| summarize
CallCount = count(),
DistinctUsers = dcount(UserId),
ErrorCount = countif(ResponseStatusCode >= 400),
AvgDurationMs = round(avg(DurationMs), 0),
OffHoursCalls = countif(IsOffHours),
Methods = make_set(RequestMethod, 5),
Users = make_set(UserId, 10),
LastUsed = max(TimeGenerated)
by Endpoint, IsSensitive
| extend
ErrorRate = round(100.0 * ErrorCount / CallCount, 1),
OffHoursPct = round(100.0 * OffHoursCalls / CallCount, 1)
| order by CallCount desc
| take 50
Query 3: Sentinel MCP — Authentication Events
Tool: RunAdvancedHuntingQuery (30-day lookback, free for Analytics-tier tables). Fall back to mcp_sentinel-data_query_lake only if lookback > 30 days.
⚠️ Pitfall-aware: Uses parse_json(Status) and parse_json(DeviceDetail) wrappers — required for Data Lake (string columns) and safe in AH. Uses = syntax (not as) in project — see project as Keyword Fails in Advanced Hunting.
// Who is authenticating to Sentinel MCP (via VS Code, Copilot Studio, browser)
SigninLogs
| where TimeGenerated >= ago(30d)
| where ResourceDisplayName =~ "Sentinel Platform Services"
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId,
ResourceDisplayName, IPAddress,
ErrorCode = tostring(parse_json(Status).errorCode),
ConditionalAccessStatus, AuthenticationRequirement, ClientAppUsed,
OS = tostring(parse_json(DeviceDetail).operatingSystem),
Country = tostring(parse_json(LocationDetails).countryOrRegion)
| order by TimeGenerated desc
Query 4: Sentinel MCP — Client App Breakdown
Tool: RunAdvancedHuntingQuery (30-day lookback, free for Analytics-tier tables).
// Which client apps (VS Code, Copilot Studio, browser) are accessing Sentinel MCP
SigninLogs
| where TimeGenerated >= ago(30d)
| where ResourceDisplayName =~ "Sentinel Platform Services"
| summarize
SignInCount = count(),
DistinctUsers = dcount(UserPrincipalName),
Users = make_set(UserPrincipalName, 10),
LastSeen = max(TimeGenerated)
by AppDisplayName, AppId, ClientAppUsed
| order by SignInCount desc
Query 5: Sentinel Triage MCP — API Call Activity (Dedicated AppId)
// Measure Sentinel Triage MCP API calls via its dedicated AppId in MicrosoftGraphActivityLogs.
// AppId 7b7b3966 = "Microsoft Defender Mcp" — the Triage MCP server's own identity.
// This gives DEFINITIVE attribution of Triage MCP calls — no shared-surface estimation needed.
//
// Confirmed Feb 2026: AppId 7b7b3966 appears in MicrosoftGraphActivityLogs with delegated
// auth (certificate), full UserId attribution, and scopes SecurityAlert.Read.All,
// SecurityIncident.Read.All, ThreatHunting.Read.All.
//
// Known API endpoints:
// - POST /v1.0/security/runHuntingQuery/ (Advanced Hunting)
// - GET /security/incidents/ (ListIncidents, GetIncidentById)
// - GET /security/alerts_v2/ (ListAlerts, GetAlertById)
let triage_mcp_appid = "7b7b3966-1961-47b5-b080-43ca5482e21c";
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == triage_mcp_appid
| extend Endpoint = extract(@"/v\d\.\d/(.+?)(\?|$)", 1, RequestUri)
| summarize
Calls = count(),
DistinctUsers = dcount(UserId),
Users = make_set(UserId, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by RequestMethod, Endpoint
| order by Calls desc
| take 25
Query 6: Sentinel Triage MCP — Authentication Events (SigninLogs)
Tool: mcp_sentinel-data_query_lake (union of SigninLogs + AADNonInteractiveUserSignInLogs fails in AH when AADNonInteractiveUserSignInLogs is on Data Lake tier — common in customer environments).
⚠️ Pitfall-aware: Uses parse_json() wrappers on DeviceDetail/LocationDetails — required for Data Lake (string columns). Uses = syntax (not as) in project.
// Triage MCP authentication events from SigninLogs + AADNonInteractiveUserSignInLogs.
// AppId 7b7b3966 = "Microsoft Defender Mcp" — delegated auth with certificate.
// Uses parse_json() wrappers for DeviceDetail/LocationDetails (safe in both AH and Data Lake).
let triage_mcp_appid = "7b7b3966-1961-47b5-b080-43ca5482e21c";
let signinlogs_interactive = SigninLogs
| where TimeGenerated >= ago(30d)
| where AppId == triage_mcp_appid
| extend SignInType = "Interactive"
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId,
ResourceDisplayName, IPAddress,
ResultType = tostring(ResultType),
ResultDescription = tostring(ResultDescription),
SignInType,
OS = tostring(parse_json(DeviceDetail).operatingSystem),
Browser = tostring(parse_json(DeviceDetail).browser),
Country = tostring(parse_json(LocationDetails).countryOrRegion),
City = tostring(parse_json(LocationDetails).city);
let signinlogs_noninteractive = AADNonInteractiveUserSignInLogs
| where TimeGenerated >= ago(30d)
| where AppId == triage_mcp_appid
| extend SignInType = "NonInteractive"
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId,
ResourceDisplayName, IPAddress,
ResultType = tostring(ResultType),
ResultDescription = tostring(ResultDescription),
SignInType,
OS = tostring(parse_json(DeviceDetail).operatingSystem),
Browser = tostring(parse_json(DeviceDetail).browser),
Country = tostring(parse_json(LocationDetails).countryOrRegion),
City = tostring(parse_json(LocationDetails).city);
union signinlogs_interactive, signinlogs_noninteractive
| summarize
SignIns = count(),
DistinctUsers = dcount(UserPrincipalName),
Users = make_set(UserPrincipalName, 10),
IPs = make_set(IPAddress, 10),
Countries = make_set(Country, 10),
LastSeen = max(TimeGenerated)
by AppDisplayName, SignInType, ResourceDisplayName
| order by SignIns desc
Query 7: LAQueryLogs — Advanced Hunting Downstream Queries (Supplementary Signal)
// SUPPLEMENTARY detection: Advanced Hunting queries (from Triage MCP, Defender portal,
// Security Copilot, or any RunAdvancedHuntingQuery consumer) that hit connected
// Log Analytics workspace tables.
//
// AH downstream queries appear under fc780465 (Sentinel Engine) with
// RequestClientApp "M365D_AdvancedHunting" — full user attribution (AADEmail populated).
//
// This is a DOWNSTREAM signal — it only fires when RunAdvancedHuntingQuery targets
// Sentinel-connected LA tables (SigninLogs, AuditLogs, SecurityAlert, etc.).
// Queries hitting XDR-native tables (DeviceEvents, EmailEvents, etc.) stay in the
// Defender XDR backend and never appear here.
//
// Use alongside Query 5 (MicrosoftGraphActivityLogs) for complete Triage MCP coverage:
// - Query 5 = PRIMARY: Triage MCP API calls filtered by dedicated AppId 7b7b3966
// - Query 7 = SUPPLEMENTARY: downstream query execution when AH hits LA tables
//
// ATTRIBUTION LIMITATION: Cannot distinguish Triage MCP AH queries from Defender portal
// AH queries or Security Copilot AH queries — all appear as M365D_AdvancedHunting.
LAQueryLogs
| where TimeGenerated >= ago(30d)
| where AADClientId == "fc780465-2017-40d4-a0c5-307022471b92" and RequestClientApp == "M365D_AdvancedHunting"
| summarize
QueryCount = count(),
DistinctUsers = dcount(AADEmail),
Users = make_set(AADEmail, 10),
AvgCPUMs = avg(StatsCPUTimeMs),
TotalRowsReturned = sum(ResponseRowCount),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AADClientId, RequestClientApp
| order by QueryCount desc
Query 8: All Workspace Query Sources — Complete Governance View
// Every client querying the workspace — MCP and non-MCP combined
LAQueryLogs
| where TimeGenerated >= ago(30d)
| summarize
QueryCount = count(),
DistinctUsers = dcount(AADEmail),
AvgCPUMs = avg(StatsCPUTimeMs),
TotalRowsReturned = sum(ResponseRowCount)
by AADClientId
| order by QueryCount desc
Query 9: Graph MCP — Caller Attribution (User vs SPN)
// Attribute Graph MCP calls to User, Service Principal, or SPN subtype
// Key: UserId populated = delegated (user), ServicePrincipalId populated = app-only (SPN)
// ClientAuthMethod: 0 = public client (user), 1 = client secret (SPN), 2 = certificate (SPN)
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| extend CallerType = case(
isnotempty(ServicePrincipalId) and isempty(UserId), "ServicePrincipal/Agent (App-Only)",
isnotempty(UserId) and isnotempty(ServicePrincipalId), "Delegated (User+SPN/Agent OBO)",
isnotempty(UserId) and isempty(ServicePrincipalId), "User (Delegated)",
"Unknown")
| extend AuthMethod = case(
ClientAuthMethod == 0, "Public Client",
ClientAuthMethod == 1, "Client Secret",
ClientAuthMethod == 2, "Client Certificate",
"Unknown")
| summarize
CallCount = count(),
DistinctEndpoints = dcount(tostring(split(RequestUri, "?")[0])),
SuccessRate = round(100.0 * countif(ResponseStatusCode >= 200 and ResponseStatusCode < 300) / count(), 1),
SampleEndpoints = make_set(tostring(split(RequestUri, "?")[0]), 5),
IPs = make_set(IPAddress, 5)
by CallerType, AuthMethod, UserId, ServicePrincipalId
| order by CallCount desc
Post-processing: For any rows where CallerType = "ServicePrincipal/Agent (App-Only)", cross-reference the ServicePrincipalId with Entra via Graph API:
- Primary method (most reliable): Query
/beta/servicePrincipals/{id}?$select=id,appId,displayName,servicePrincipalType,tags — check tags array for agentic indicators:
AgenticApp — confirms this is an agent application
AIAgentBuilder — agent was created by an AI agent builder platform
AgentCreatedBy:CopilotStudio — specifically created by Copilot Studio
AgenticInstance — runtime instance of an agent
power-virtual-agents-* — Copilot Studio internal tracking tag
- Fallback: Check
servicePrincipalType — if it equals "Agent", it is a registered Agent Identity. Note: as of Feb 2026, Copilot Studio agents still show "Application" here despite being true agents.
- Name-based filtering is UNRELIABLE — SPNs with "Agent" in display name may be standard app registrations (e.g., "Contoso Agent Tools" =
GitCreatedApp).
Use microsoft_graph_suggest_queries → microsoft_graph_get for the Graph API calls. Query multiple SPNs in one call: /beta/servicePrincipals?$count=true&$filter=id in ('id1','id2')&$select=id,appId,displayName,servicePrincipalType,tags.
Query 10: Data Lake MCP — Access Pattern Summary
Note: Consolidates former Q20 (Tool Usage Summary) + Q24 (MCP vs Direct KQL Delineation) into a single query.
Tool: RunAdvancedHuntingQuery (uses Timestamp for CloudAppEvents).
⚠️ Pitfall-aware: Uses contains (not has) for ActionType/Operation — see CloudAppEvents CamelCase Matching. Uses parse_json(tostring(RawEventData)) — see CloudAppEvents RawEventData Parsing. Filters on SentinelAIToolRunCompleted only — see CloudAppEvents Double-Counting Prevention.
// Data Lake MCP — single-pass access pattern delineation + tool/table/workspace inventory
// Combines former Q20 (summary) and Q24 (delineation) into one query
CloudAppEvents
| where Timestamp >= ago(30d)
| where ActionType contains "Sentinel" or ActionType contains "KQL"
| extend RawData = parse_json(tostring(RawEventData))
| extend
Operation = tostring(RawData.Operation),
RecordType = toint(RawData.RecordType),
ToolName = tostring(RawData.ToolName),
Interface = tostring(RawData.Interface),
ExecutionDuration = todouble(RawData.ExecutionDuration),
FailureReason = tostring(RawData.FailureReason),
TablesRead = tostring(RawData.TablesRead),
DatabasesRead = tostring(RawData.DatabasesRead),
TotalRows = toint(RawData.TotalRows),
UserId_raw = tostring(RawData.UserId),
InputParams = tostring(RawData.InputParameters)
| extend
AccessPattern = case(
RecordType == 403 and Interface == "IMcpToolTemplate", "MCP Server-Driven",
RecordType == 379 and (Interface == "InterfaceNotProvided" or isempty(Interface)), "MCP-Driven (Probable)",
RecordType == 379 and Interface has "msglakeexplorer", "Portal (Data Lake Explorer)",
RecordType == 379 and Interface has "msgjobmanagement", "Scheduled Jobs",
RecordType == 379, "Other Direct KQL",
"Other"),
IsSuccess = isempty(FailureReason) or FailureReason == "",
HasKQLQuery = InputParams has "query"
| where Operation contains "Completed" or RecordType == 379 // 'contains' not 'has' — CamelCase
| summarize
TotalCalls = count(),
SuccessCount = countif(IsSuccess),
FailureCount = countif(not(IsSuccess)),
DistinctTools = dcount(ToolName),
Tools = make_set(ToolName, 20),
DistinctTables = dcount(TablesRead),
Tables = make_set(TablesRead, 30),
Workspaces = make_set(DatabasesRead, 5),
AvgDurationSec = round(avg(ExecutionDuration), 2),
TotalRowsReturned = sum(TotalRows),
DistinctUsers = dcount(UserId_raw),
Users = make_set(UserId_raw, 10),
KQLQueryCount = countif(HasKQLQuery),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by AccessPattern
| extend ErrorRate = round(100.0 * FailureCount / TotalCalls, 1)
| order by TotalCalls desc
Post-processing for Query 10:
- If
MCP Server-Driven (RecordType 403) has results → use it directly as the definitive MCP count.
- If
MCP Server-Driven returns 0 rows but MCP-Driven (Probable) has results → report the probable count with the audit gap caveat. Cross-reference users with Q4/Q6 SigninLogs to validate.
Portal (Data Lake Explorer) = msglakeexplorer@msec-msg interface, Scheduled Jobs = msgjobmanagement@msec-msg.
- Combine with Query 8 (Analytics tier LAQueryLogs — all workspace sources) for a complete two-tier governance view:
| Tier | Data Source | MCP Sources | Non-MCP Sources |
|---|
| Analytics Tier | LAQueryLogs | AH backend fc780465 / M365D_AdvancedHunting (captures AH queries from Triage MCP, Defender portal, Security Copilot that hit connected LA tables; shared surface, see Query 7) | Sentinel Portal (80ccca67), Sentinel Engine analytics (fc780465, non-AH), Logic Apps (de8c33bb) |
| Data Lake Tier | CloudAppEvents | Data Lake MCP (RecordType 403, IMcpToolTemplate) | Direct KQL (RecordType 379, KqsService) |
| Graph API | MicrosoftGraphActivityLogs | Graph MCP (e8c77dc2) | — |
| Azure MCP | SigninLogs, AADNonInteractiveUserSignInLogs, LAQueryLogs | Azure MCP Server (04b07795, empty RequestClientApp, query text `\n | limit N` suffix) |
Query 11: Data Lake MCP — Interface Breakdown
Tool: RunAdvancedHuntingQuery (uses Timestamp for CloudAppEvents).
⚠️ Pitfall-aware: Uses contains/parse_json(tostring()) pattern — see Query 10 pitfall notes. Uses todouble(ExecutionDuration) — see Data Lake MCP ExecutionDuration Format. When RecordType 403 is present, groups by ToolName; when absent, falls back to Interface field.
// Breakdown of Data Lake access by Interface — identifies MCP vs Portal vs Jobs
// PRIMARY: Uses RecordType 403 / ToolName when available (MCP audit events)
// FALLBACK: When RecordType 403 absent, groups by Interface field from RecordType 379
// - InterfaceNotProvided = probable MCP-driven (cross-ref with Q4/Q6 SigninLogs)
// - msglakeexplorer@msec-msg = Sentinel Portal Data Lake Explorer
// - msgjobmanagement@msec-msg = Scheduled/job-based queries
// - ipykernel_launcher.py = Jupyter Notebook
// - PowerBIConnector = Power BI
// - Microsoft.Medeina.Server = Security Copilot
CloudAppEvents
| where Timestamp >= ago(30d)
| where ActionType contains "Sentinel" or ActionType contains "KQL"
| extend RawData = parse_json(tostring(RawEventData))
| extend
Operation = tostring(RawData.Operation),
RecordType = toint(RawData.RecordType),
ToolName = tostring(RawData.ToolName),
Interface = tostring(RawData.Interface),
ExecutionDuration = todouble(RawData.ExecutionDuration),
FailureReason = tostring(RawData.FailureReason),
TablesRead = tostring(RawData.TablesRead),
UserId_raw = tostring(RawData.UserId)
| where Operation contains "Completed" or RecordType == 379
| extend
// When RecordType 403 exists, ToolName is the grouping key; otherwise use Interface
GroupKey = iff(RecordType == 403, coalesce(ToolName, "unknown_tool"), coalesce(Interface, "InterfaceNotProvided")),
IsSuccess = isempty(FailureReason) or FailureReason == "",
Source = iff(RecordType == 403, "MCP Tool (RecordType 403)", "Interface (RecordType 379)")
| summarize
CallCount = count(),
SuccessCount = countif(IsSuccess),
FailureCount = countif(not(IsSuccess)),
AvgDurationSec = round(avg(ExecutionDuration), 2),
MaxDurationSec = round(max(ExecutionDuration), 2),
TablesAccessed = make_set(TablesRead, 20),
DistinctUsers = dcount(UserId_raw),
Users = make_set(UserId_raw, 10),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by GroupKey, Source
| extend ErrorRate = round(100.0 * FailureCount / CallCount, 1)
| order by CallCount desc
Query 12: Data Lake MCP — Error Analysis
Tool: RunAdvancedHuntingQuery (uses Timestamp for CloudAppEvents).
⚠️ Pitfall-aware: Uses contains/parse_json(tostring()) pattern — see Query 10 pitfall notes. Now groups errors by both AccessPattern (MCP vs Portal vs Jobs) and ErrorCategory for richer diagnostics.
// Analyze failed Data Lake queries — identify schema errors, permission issues, etc.
// PRIMARY: Filters on ActionType contains "SentinelAITool" (RecordType 403) when available
// FALLBACK: When RecordType 403 absent, analyzes all failed RecordType 379 events grouped by Interface
CloudAppEvents
| where Timestamp >= ago(30d)
| where ActionType contains "Sentinel" or ActionType contains "KQL"
| extend RawData = parse_json(tostring(RawEventData))
| extend
Operation = tostring(RawData.Operation),
RecordType = toint(RawData.RecordType),
ToolName = tostring(RawData.ToolName),
Interface = tostring(RawData.Interface),
FailureReason = tostring(RawData.FailureReason),
TablesRead = tostring(RawData.TablesRead),
UserId_raw = tostring(RawData.UserId)
| where Operation contains "Completed" or RecordType == 379
| where isnotempty(FailureReason) and FailureReason != ""
| extend
AccessPattern = case(
RecordType == 403 and Interface == "IMcpToolTemplate", "MCP Server-Driven",
RecordType == 379 and (Interface == "InterfaceNotProvided" or isempty(Interface)), "MCP-Driven (Probable)",
RecordType == 379 and Interface has "msglakeexplorer", "Portal (Data Lake Explorer)",
RecordType == 379 and Interface has "msgjobmanagement", "Scheduled Jobs",
RecordType == 379, "Other Direct KQL",
"Other"),
ErrorCategory = case(
FailureReason has "SemanticError", "Schema/Semantic Error",
FailureReason has "SyntaxError", "KQL Syntax Error",
FailureReason has "Unauthorized" or FailureReason has "403", "Permission Denied",
FailureReason has "Timeout", "Query Timeout",
FailureReason has "NotFound", "Table/Resource Not Found",
"Other Error")
| summarize
ErrorCount = count(),
Tools = make_set(ToolName, 10),
Tables = make_set(TablesRead, 10),
Users = make_set(UserId_raw, 10),
SampleErrors = make_set(substring(FailureReason, 0, 150), 5),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by AccessPattern, ErrorCategory
| order by AccessPattern asc, ErrorCount desc
Query 13: Azure MCP Server — Authentication Events (SigninLogs)
Tool: mcp_sentinel-data_query_lake (90d lookback exceeds AH 30d limit).
⚠️ Pitfall-aware: Uses parse_json(Status)/parse_json(DeviceDetail) wrappers — see SigninLogs Status Field Needs parse_json(). Uses extend SignInType to avoid Type pseudo-column — see Type Column Unavailable in Data Lake Union Contexts.
// Detect Azure MCP Server authentication events via Azure CLI AppId.
//
// 🔄 UPDATED Feb 2026: Azure MCP Server now uses Azure CLI credential (04b07795),
// NOT AzurePowerShellCredential (1950a258) as previously documented.
// The old AppId 1950a258 + UserAgent 'azsdk-net-Identity' fingerprint is OBSOLETE.
//
// ⚠️ SHARED APPID: 04b07795 is the Azure CLI AppId — shared with manual 'az' CLI usage.
// There is NO unique sign-in fingerprint for Azure MCP Server vs manual Azure CLI.
// This query returns ALL Azure CLI sign-ins. Correlate with LAQueryLogs (Query 14)
// for query-level attribution via the '\n| limit N' text pattern.
//
// NOTE: Sign-in events represent TOKEN ACQUISITIONS, not individual API calls.
// A cached token serves many Azure MCP calls with no additional sign-in events.
// FIX (Feb 2026): Explicit tostring() casts on ResultType, ResultDescription,
// ConditionalAccessStatus, AuthenticationRequirement to prevent union type mismatches
// between SigninLogs and AADNonInteractiveUserSignInLogs. Removed ResourceId (inconsistent
// across tables). Use parse_json() wrapper on DeviceDetail and LocationDetails — these
// columns may be stored as string (not dynamic) in Data Lake workspaces, causing
// SemanticError on dot-notation access without parse_json().
let azure_mcp_appid = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
let signinlogs_interactive = SigninLogs
| where TimeGenerated >= ago(90d)
| where AppId == azure_mcp_appid
| extend SignInType = "Interactive"
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId,
ResourceDisplayName, IPAddress,
ResultType = tostring(ResultType),
ResultDescription = tostring(ResultDescription),
UserAgent, SignInType,
ConditionalAccessStatus = tostring(ConditionalAccessStatus),
AuthenticationRequirement = tostring(AuthenticationRequirement),
OS = tostring(parse_json(DeviceDetail).operatingSystem),
Country = tostring(parse_json(LocationDetails).countryOrRegion);
let signinlogs_noninteractive = AADNonInteractiveUserSignInLogs
| where TimeGenerated >= ago(90d)
| where AppId == azure_mcp_appid
| extend SignInType = "Non-Interactive"
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId,
ResourceDisplayName, IPAddress,
ResultType = tostring(ResultType),
ResultDescription = tostring(ResultDescription),
UserAgent, SignInType,
ConditionalAccessStatus = tostring(ConditionalAccessStatus),
AuthenticationRequirement = tostring(AuthenticationRequirement),
OS = tostring(parse_json(DeviceDetail).operatingSystem),
Country = tostring(parse_json(LocationDetails).countryOrRegion);
union signinlogs_interactive, signinlogs_noninteractive
| order by TimeGenerated desc
Query 14: Azure MCP Server — Workspace Queries (LAQueryLogs)
Tool: mcp_sentinel-data_query_lake (90d lookback exceeds AH 30d limit).
// Detect Azure MCP Server workspace queries via LAQueryLogs.
//
// 🔄 UPDATED Feb 2026: Azure MCP Server now uses Azure CLI credential (04b07795).
// RequestClientApp is EMPTY (not 'csharpsdk,LogAnalyticsPSClient' as previously documented).
//
// ⚠️ SHARED FINGERPRINT: Empty RequestClientApp + AppId 04b07795 is shared with manual
// Azure CLI and 4+ other AADClientIds. This query returns ALL queries from AppId 04b07795
// with empty RequestClientApp. To isolate Azure MCP Server queries, look for the
// '\n| limit N' suffix that monitor_workspace_log_query always appends to query text.
//
// 30-day pattern analysis (Feb 2026) showed 11 distinct RequestClientApp values:
// - Empty ("") = 417 queries across 5 AADClientIds (Azure MCP, Sentinel DL MCP, Portal, etc.)
// - "csharpsdk,LogAnalyticsPSClient" = only 1 query ever (obsolete fingerprint)
// - "M365D_AdvancedHunting" = Advanced Hunting backend
// - "ASI_Portal" / "ASI_Portal_Connectors" = Sentinel Portal
// - Others: AppInsightsPortalExtension, LogicApps, PSClient, etc.
let azure_cli_appid = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
LAQueryLogs
| where TimeGenerated >= ago(90d)
| where AADClientId == azure_cli_appid
| extend HasLimitSuffix = QueryText has "\n| limit" or QueryText has "\r\n| limit"
| project TimeGenerated, AADEmail, AADClientId,
RequestClientApp,
QueryTextTruncated = substring(QueryText, 0, 300),
ResponseCode, ResponseRowCount,
StatsCPUTimeMs,
RequestTarget,
HasLimitSuffix
| order by TimeGenerated desc
Post-processing: Rows with HasLimitSuffix = true are highly likely Azure MCP Server queries (the monitor_workspace_log_query command always appends | limit N). Rows without the suffix may be manual Azure CLI or other tools using the same credential.
Query 15: Top MCP Users — Cross-Server Breadth
Tool: RunAdvancedHuntingQuery (7-day lookback default, all tables on Analytics tier).
Purpose: Identifies users with the broadest MCP footprint — ranking by how many distinct MCP server types they use and their total call volume across all channels. Feeds the Top MCP Users report section and SVG dashboard widget.
let lookback = 7d;
let graph_mcp = MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| where isnotempty(UserId)
| summarize Calls = count() by UserId
| project UserId, Server = "Graph MCP", Calls;
let triage_mcp = MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where AppId == "7b7b3966-1961-47b5-b080-43ca5482e21c"
| where isnotempty(UserId)
| summarize Calls = count() by UserId
| project UserId, Server = "Triage MCP", Calls;
let datalake_mcp = CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType contains "Sentinel" or ActionType contains "KQL"
| extend RawData = parse_json(tostring(RawEventData))
| where tostring(RawData.Interface) == "InterfaceNotProvided" or isempty(tostring(RawData.Interface))
| where isnotempty(AccountObjectId)
| summarize Calls = count() by UserId = AccountObjectId
| project UserId, Server = "Data Lake MCP", Calls;
let azure_mcp = union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(lookback)
| where AppId == "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
| where isnotempty(UserId)
| summarize Calls = count() by UserId
| project UserId, Server = "Azure CLI/MCP", Calls;
let upn_map = union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(UserPrincipalName)
| summarize arg_max(TimeGenerated, UserPrincipalName) by UserId
| project UserId, UPN = UserPrincipalName;
union graph_mcp, triage_mcp, datalake_mcp, azure_mcp
| summarize Servers = make_set(Server), ServerCount = dcount(Server), TotalCalls = sum(Calls) by UserId
| join kind=leftouter upn_map on UserId
| project UPN = coalesce(UPN, UserId), ServerCount, Servers, TotalCalls
| sort by ServerCount desc, TotalCalls desc
| take 25
⚠️ Pitfall-aware:
- Data Lake MCP leg: Uses
ActionType contains (not has) per the CamelCase pitfall. Parses RawEventData once and filters on Interface field for the InterfaceNotProvided proxy signal when RecordType 403 is unavailable (see Phase 3 Known Limitation).
- Azure CLI/MCP leg: Uses shared AppId
04b07795 — includes both Azure MCP Server and manual az CLI sign-ins. Cannot distinguish at this level.
- UPN resolution: Joins with SigninLogs to resolve
UserId GUIDs to human-readable UPNs. Users with no recent sign-ins will show their GUID instead.
- CloudAppEvents timestamp: Uses
Timestamp (not TimeGenerated) since this runs via Advanced Hunting.
- AADNonInteractiveUserSignInLogs tier: If this table is on Data Lake/Basic tier, the
union SigninLogs, AADNonInteractiveUserSignInLogs legs may fail in AH. Fall back to mcp_sentinel-data_query_lake if needed (switch Timestamp → TimeGenerated for the CloudAppEvents leg).
Post-processing:
- Render as a ranked table in the report:
| Rank | User (UPN) | Servers Used | MCP Servers | Total Calls |
- Users spanning 3+ servers represent the broadest MCP adoption — highlight them.
- Cross-reference top users with the sensitive endpoint data from Q2 to flag users with both breadth AND sensitive access.
Report Template
Inline Chat Report Structure
The inline report MUST include these sections in order:
- Header — Workspace, analysis period, data sources checked, MCP servers detected
- Executive Summary — 2-3 sentence overview of MCP usage posture
- MCP Footprint Summary (SVG-critical: provides consolidated KPIs for dashboard Row 2 + Row 3)
- Graph MCP Server Analysis
- Daily usage trend (ASCII bar chart showing requests/day — from Query 1 unified trend, Graph MCP series)
- Top endpoints table (endpoint, call count, % of total, last used)
- Sensitive API access summary with user attribution
- Caller attribution (User vs SPN vs Agent — from Query 9)
- Sentinel Triage MCP Analysis
- Triage MCP API calls from
MicrosoftGraphActivityLogs — filtered by dedicated AppId 7b7b3966 ("Microsoft Defender Mcp")
- Daily usage trend (ASCII bar chart showing calls/day — from Query 1 unified trend, Triage MCP series)
- Triage MCP authentication events from
SigninLogs/AADNonInteractiveUserSignInLogs — sign-in frequency, user attribution, IP, country
- User attribution table with sign-in type breakdown
- Sentinel Data Lake MCP Analysis
- MCP tool usage summary (success/failure, avg duration)
- Tool breakdown table (query_lake, list_sentinel_workspaces, search_tables, etc.)
- Error analysis with error categories and sample failure reasons
- Daily activity trend (ASCII bar chart — from Query 1 unified trend, Data Lake MCP series)
- MCP vs Direct KQL delineation table
- Azure MCP & ARM Analysis
- Azure MCP Server authentication events (detected via AppId
04b07795 — Azure CLI credential, shared AppId)
- Daily auth trend (ASCII bar chart showing events/day — from Query 1 unified trend, Azure MCP/CLI series)
- Azure MCP Server workspace queries from LAQueryLogs (detected via AADClientId
04b07795 + empty RequestClientApp + \n| limit N query text suffix)