| name | mcp-usage-monitoring |
| description | Use this skill when asked to monitor, audit, or analyze MCP (Model Context Protocol) server usage in the environment. Triggers on keywords like "MCP usage", "MCP server monitoring", "MCP activity", "Graph MCP", "Sentinel MCP", "Azure MCP", "AI agent monitoring", "MCP audit", "tool usage monitoring", "MCP breakdown", "who is using MCP", or when investigating AI agent access patterns, Graph API calls from MCP servers, or workspace query governance. This skill provides comprehensive MCP server telemetry analysis across Graph MCP, Sentinel MCP, and Azure MCP servers including usage trends, endpoint access patterns, user attribution, sensitive API detection, workspace query governance, and security risk assessment with inline and markdown file reporting. |
MCP Server Usage Monitoring — Instructions
Purpose
This skill monitors and audits Model Context Protocol (MCP) server usage across your Microsoft Sentinel and Defender XDR environment. MCP servers are AI-powered tools that enable language models to interact with Microsoft security services — and like any privileged access channel, they require monitoring.
What this skill tracks:
| MCP Server | Telemetry Source | Key Identifier |
|---|
| Microsoft Graph MCP Server | MicrosoftGraphActivityLogs | AppId = e8c77dc2-69b3-43f4-bc51-3213c9d915b4 |
| Sentinel Data Lake MCP | CloudAppEvents | RecordType 403, Interface = IMcpToolTemplate |
| Sentinel Triage MCP | MicrosoftGraphActivityLogs + SigninLogs | AppId = 7b7b3966-1961-47b5-b080-43ca5482e21c ("Microsoft Defender Mcp") — dedicated AppId with full user attribution via delegated cert auth |
| Azure MCP Server | AzureActivity | No dedicated AppId — uses DefaultAzureCredential |
| Sentinel Data Lake — Direct KQL | CloudAppEvents | RecordType 379, Operation = KQLQueryCompleted |
| Workspace Query Sources (Analytics Tier) | LAQueryLogs | All clients querying Log Analytics workspace |
What this skill detects:
- Graph API call volume, trends, and endpoint diversity via MCP
- Sensitive/high-risk Graph endpoint access (PIM, credentials, Identity Protection)
- Sentinel workspace query patterns by client application
- User vs. Service Principal vs. Agent Identity attribution across all MCP channels
- Entra Agent ID detection — distinguishes AI agent identities from standard SPNs and human users (see Agent Identity Detection)
- Azure ARM operations potentially originating from Azure MCP Server
- Non-MCP platform query sources for governance context (Sentinel Engine, Logic Apps)
- Sentinel Data Lake MCP tool usage — tool call breakdown (
query_lake, list_sentinel_workspaces, search_tables, etc.), success/failure rates, execution duration, tables accessed via CloudAppEvents (Purview unified audit)
- MCP-driven vs Direct KQL delineation — distinguishes Data Lake queries initiated via MCP tools (RecordType 403, Interface
IMcpToolTemplate) from direct KQL queries (RecordType 379) and Analytics tier queries (LAQueryLogs)
- Anomalous access patterns: new users, new endpoints, volume spikes, error surges
- MCP server usage as a proportion of total workspace activity
Extended landscape awareness: Beyond these four actively monitored MCP servers, Microsoft's MCP ecosystem includes 30+ additional servers (Copilot Studio built-in catalog, Power BI, Fabric RTI, Playwright, Security Copilot Agent Creation, and more). See Extended Microsoft MCP Server Landscape for the full catalog, telemetry surfaces, and monitoring expansion priorities.
📑 TABLE OF CONTENTS
- Critical Workflow Rules - Start here!
- Agent Identity Detection - Entra Agent ID vs SPN vs User
- Extended MCP Server Landscape - Full Microsoft MCP ecosystem catalog
- Output Modes - Inline chat vs. Markdown file
- Scalability & Token Management - Guidance for large environments
- Quick Start - 8-step investigation pattern
- MCP Usage Score Formula - Composite health & risk scoring
- Execution Workflow - Complete 6-phase process
- Sample KQL Queries - Validated query patterns
- Report Template - Output format specification
- Proactive Alerting — KQL Data Lake Jobs - Scheduled anomaly detection
- Known Pitfalls - Edge cases and false positives
- Error Handling - Troubleshooting guide
⚠️ CRITICAL WORKFLOW RULES - READ FIRST ⚠️
Before starting ANY MCP usage monitoring analysis:
- ALWAYS enforce Sentinel workspace selection (see Workspace Selection section below)
- ALWAYS ask the user for output mode if not specified: inline chat summary or markdown file report (or both)
- ALWAYS ask the user for time range if not specified: default to 30 days, configurable
- ALWAYS query all MCP telemetry surfaces — do not skip any MCP server type
- ALWAYS include non-MCP workspace context (Sentinel Engine, Logic Apps) for governance proportion analysis
- ALWAYS run independent queries in parallel for performance
- ALWAYS attribute activity to specific users — never present anonymous aggregates
- NEVER conflate non-MCP platform activity with MCP activity — clearly label categories
- ALWAYS check for Agent Identity (Entra Agent ID) callers — distinguish AI agents from human users and standard SPNs (see Agent Identity Detection)
- ALWAYS execute pre-authored queries from Sample KQL Queries EXACTLY as written — substitute only the time range parameter (e.g.,
ago(30d) → ago(90d)). These queries encode mitigations for schema pitfalls documented in Known Pitfalls. Writing equivalent queries from scratch is ❌ PROHIBITED
Agent Identity Detection
Microsoft Entra Agent ID (public preview) introduces a new first-class identity type for AI agents, distinct from traditional service principals and user accounts. MCP servers may be called by human users, standard SPNs, or Agent Identities — and the telemetry to distinguish them varies by table.
Reference: What are agent identities | Agent sign-in and audit logs | Agent OAuth protocols
Entra Identity Taxonomy
| Identity Category | Types | MCP Usage Pattern |
|---|
| Human identities | User accounts (workforce, external) | User signs into VS Code → MCP server acts on behalf of user (delegated) |
| Workload identities | App registrations, service principals, managed identities | Standard SPN authenticates to MCP (client credentials / app-only) |
| 🆕 Agent identities | Agent Identity, Agent Identity Blueprint, Agent User | AI agent uses MCP via Agent OBO, Autonomous App, or Agent User flow |
Agent ID Object Types
| Object | What It Is | Analogy |
|---|
| Agent Identity Blueprint | Reusable template defining a class of agent (e.g., "SOC Triage Agent") | Like an app registration |
| Agent Identity Blueprint Principal | SPN created when a blueprint is instantiated in a tenant | Like the SPN for an app registration |
| Agent Identity | Special SPN with subtype agent — represents a single agent instance | Like a service principal, but agent-specific |
| Agent User | Optional user account paired 1:1 with an agent identity (for mailbox, Teams, etc.) | Like a user account, but non-human |
Architectural detail: Agent identities are modeled as single-tenant service principals with an "agent" subtype. The objectId and appId always have the same value (unlike regular app registrations where they differ).
Agent Authentication Flows
| Flow | Pattern | When Used | Telemetry Impact |
|---|
| Agent On-Behalf-Of (OBO) | Delegated — agent acts on behalf of a signed-in user | User-initiated agents, copilots | UserId = human user, ServicePrincipalId = agent SPN |
| Autonomous App Flow | App-only — agent acts under its own authority (client_credentials) | Background agents, scheduled tasks | ServicePrincipalId = agent SPN, UserId empty |
| Agent User Flow | Agent uses its paired agent user account | Agents needing mailbox, Teams access | UserId = Agent User (non-human with UPN) |
How to Detect Agent Identities in Telemetry
⚠️ Known Limitation (Preview): MicrosoftGraphActivityLogs does NOT yet distinguish Agent IDs from regular SPNs. Requests from agent identities appear as regular applications with the agent identity in the AppId column. Requests from agent users appear as regular users with the agent user ID in UserId.
Detection Strategy:
| Telemetry Source | Detection Method | Reliability | Status |
|---|
Graph API /beta tags | Query /beta/servicePrincipals/{id}?$select=tags — check for AgenticApp, AIAgentBuilder, AgentCreatedBy:CopilotStudio tags | 🟢 Most reliable | ✅ Available now |
AuditLogs | Agent lifecycle CRUD operations — filter OperationName has "agent" or InitiatedBy = Power Virtual Agents Service | 🟢 High | ✅ Available now |
AADServicePrincipalSignInLogs | Agent sign-ins to resources like Bot Framework from Azure internal IPs (fd00:*) | 🟢 High | ✅ Available now |
MicrosoftGraphActivityLogs | Join with sign-in logs to identify agent callers by AppId/ServicePrincipalId | 🟡 Requires cross-ref | ⚠️ Workaround needed |
SigninLogs | New agentSignIn resource type; filter by agent/agentType | 🟡 Preview-dependent | ✅ Available in preview |
Graph API servicePrincipalType | GET /servicePrincipals?$filter=servicePrincipalType eq 'Agent' | 🔴 Not yet reliable — Copilot Studio agents still show "Application" | ⚠️ Preview gap |
🔵 Field-tested finding: The servicePrincipalType property does NOT yet show "Agent" for Copilot Studio-created agents — they still return "Application" on both /v1.0 and /beta. The tags array on /beta is currently the only reliable programmatic indicator. Key tags: AgenticApp, AIAgentBuilder, AgentCreatedBy:CopilotStudio, AgenticInstance.
Sign-in log filters for agents:
- Portal: Filter by Agent type =
Agent Identity or Agent ID user and Is Agent = Yes
- Graph API:
$filter=signInEventTypes/any(t: t eq 'servicePrincipal') and agent/agentType eq 'AgentIdentity'
MicrosoftGraphActivityLogs — User vs SPN vs Agent Attribution
The MicrosoftGraphActivityLogs table has two identity fields that determine "who" is calling Graph APIs:
| Field | Populated When | Identity Type |
|---|
UserId | A human user (or Agent User) made the request via delegated permissions | User / Agent User |
ServicePrincipalId | A service principal (or Agent Identity) made the request via app-only permissions | SPN / Agent Identity |
ClientAuthMethod | Always populated — indicates how the caller authenticated | 0 = public client (user), 1 = client secret (SPN), 2 = certificate (SPN) |
Roles | Populated when app-only (application permissions) | App-only flow indicator |
Scopes | Populated when delegated (user context) | Delegated flow indicator |
Decision tree for caller attribution:
IF ServicePrincipalId is populated AND UserId is empty:
→ App-only flow: SPN or Agent Identity is the autonomous caller
→ Check ClientAuthMethod: 1 = secret, 2 = certificate
→ Cross-reference ServicePrincipalId with Entra to determine if Agent Identity
IF UserId is populated AND ServicePrincipalId is populated:
→ Delegated flow: User (or Agent User) signed in, SPN is the client app
→ Agent OBO: Agent acts on behalf of user — both fields populated
IF UserId is populated AND ServicePrincipalId is empty:
→ Direct user-delegated flow (e.g., VS Code → Graph MCP)
→ Check if UserId maps to an Agent User (non-human account with UPN)
Products Already Using Agent ID
| Product | Agent ID Usage | Telemetry Fingerprint (Field-Tested) |
|---|
| Copilot Studio agents | Each created agent gets an SPN with agentic tags automatically. Initiated by Power Virtual Agents Service. Your user gets added as owner. | AuditLogs: InitiatedBy = Power Virtual Agents Service, TargetType = ServicePrincipal. SPN sign-ins to Bot Framework from Azure internal IPv6 (fd00:34f2:*). Tags: AgenticApp, AgentCreatedBy:CopilotStudio, AgenticInstance |
| Entra CA Optimization Agent | Microsoft first-party agent identity | May appear in tenant sign-in logs |
| Custom AI agents | Developers can register agents via Agent Identity Blueprint | Will appear as SPNs with agent subtype |
⚠️ Name ambiguity warning: An SPN named with "Agent" in its display name does NOT mean it's an Agent Identity. Example: "Contoso Agent Tools" is a standard GitCreatedApp with servicePrincipalType: Application and no agentic tags. Always verify via /beta tags — never rely on display name alone.
Impact on This Skill
When running MCP usage monitoring:
- Phase 1 (Graph MCP): Check BOTH
UserId and ServicePrincipalId in Query 1 results — if ServicePrincipalId is populated with a non-empty value, an SPN or Agent Identity is calling Graph MCP autonomously
- New Phase (Agent Detection): Run Query 17 to identify Agent Identities in the tenant and cross-reference against MCP callers
- Report section: Include a dedicated "Agent vs User Attribution" breakdown showing how many MCP calls originated from humans, standard SPNs, and Agent Identities
- Security flag: Agent Identities calling sensitive Graph endpoints autonomously (without user OBO context) should be flagged 🟠 — verify authorization
Known AppIds Reference
MCP Servers & AI Agents
| AppId | Service | Telemetry Table | Notes |
|---|
e8c77dc2-69b3-43f4-bc51-3213c9d915b4 | Microsoft Graph MCP Server for Enterprise | MicrosoftGraphActivityLogs | Read-only Graph API proxy |
7b7b3966-1961-47b5-b080-43ca5482e21c | Sentinel Triage MCP ("Microsoft Defender Mcp") | MicrosoftGraphActivityLogs, SigninLogs, AADNonInteractiveUserSignInLogs | Microsoft first-party AppId, same across all tenants. Dedicated AppId — visible in MicrosoftGraphActivityLogs (API calls to /security/* endpoints) and SigninLogs/AADNonInteractiveUserSignInLogs (AppDisplayName = "Microsoft Defender Mcp"). Delegated auth with certificate (ClientAuthMethod=2), full user attribution. Scopes: SecurityAlert.Read.All, SecurityIncident.Read.All, ThreatHunting.Read.All. Target resources: Microsoft Graph, WindowsDefenderATP. No local SPN — display name only visible in SigninLogs. 🔴 Confirmed Feb 2026: Empirical telemetry investigation identified 7b7b3966 as the Triage MCP AppId via MicrosoftGraphActivityLogs + SigninLogs correlation. |
253895df-6bd8-4eaf-b101-1381ec4306eb | Sentinel Platform Services App Reg | SigninLogs | Sentinel-hosted MCP platform |
04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Azure MCP Server (local stdio via DefaultAzureCredential → Azure CLI) | SigninLogs, AADNonInteractiveUserSignInLogs, LAQueryLogs | Shared AppId with Azure CLI. In LAQueryLogs, RequestClientApp is empty (not a unique fingerprint). Azure MCP appends \n| limit N to query text — the only query-level differentiator. Read-only ARM ops don't appear in AzureActivity. 🔄 Updated Feb 2026: Previously documented as AppId 1950a258 (AzurePowerShellCredential) with csharpsdk,LogAnalyticsPSClient — that fingerprint is obsolete; only 1 occurrence found in 30-day lookback. |
| (none — uses DefaultAzureCredential) | Azure MCP Server (local stdio) | AzureActivity | ARM write operations only; read ops not logged. Claims.appid = 04b07795. Inherits cred from Azure CLI/VS Code |
| (no AppId — Purview unified audit) | Sentinel Data Lake MCP | CloudAppEvents | RecordType 403; Interface IMcpToolTemplate; tools: query_lake, list_sentinel_workspaces, search_tables |
Sentinel MCP Collection Endpoints
| Endpoint URL | Collection | Monitored |
|---|
https://sentinel.microsoft.com/mcp/data-exploration | Data Exploration (Data Lake MCP) | ✅ Phase 3 |
https://sentinel.microsoft.com/mcp/triage | Triage (Triage MCP) | ✅ Phase 2 |
https://sentinel.microsoft.com/mcp/security-copilot-agent-creation | Security Copilot Agent Creation | ❌ See Landscape |
Client Applications
| AppId | Service | Telemetry Table | Notes |
|---|
aebc6443-996d-45c2-90f0-388ff96faa56 | Visual Studio Code | SigninLogs | VS Code as MCP client → Sentinel |
9ba5f2e4-6bbf-4df2-b19b-7f1bcb926818 | PowerPlatform-sentinelmcp-Connector | SigninLogs | Copilot Studio → Sentinel MCP |
04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Azure CLI (DefaultAzureCredential) | SigninLogs, AADNonInteractiveUserSignInLogs, LAQueryLogs | Primary Azure MCP Server credential path (field-tested Feb 2026). RequestClientApp is empty in LAQueryLogs. Azure MCP appends \n| limit N to query text. Shared AppId with manual az CLI — disambiguate via query text pattern or session correlation. 🔄 Previously documented as 1950a258 (AzurePowerShellCredential) — that path is obsolete |
Portal & Platform Applications (Non-MCP — for context)
| AppId | Service | Telemetry Table | Notes |
|---|
80ccca67-54bd-44ab-8625-4b79c4dc7775 | M365 Security & Compliance Center (Sentinel Portal) | LAQueryLogs | ASI_Portal, ASI_Portal_Connectors — Sentinel Portal backend, NOT an MCP server |
95a5d94c-a1a0-40eb-ac6d-48c5bdee96d5 | Azure Portal — AppInsightsPortalExtension | LAQueryLogs | Azure Portal blade for Log Analytics Usage dashboards/workbooks. RequestClientApp = AppInsightsPortalExtension. Executes billing/usage queries (e.g., Usage | where IsBillable). NOT MCP, NOT VS Code — runs when user opens Workspace Usage Dashboard in browser. No SPN or app registration in tenant (platform-level first-party app). Not in merill/microsoft-info known apps list. |
de8c33bb-995b-4d4a-9d04-8d8af5d59601 | PowerPlatform-AzureMonitorLogs-Connector | AADNonInteractiveUserSignInLogs, LAQueryLogs | Logic Apps → Log Analytics (NOT MCP) |
fc780465-2017-40d4-a0c5-307022471b92 | Sentinel Engine (analytics rules, UEBA, Advanced Hunting backend) | LAQueryLogs | Built-in scheduled query engine (NOT MCP). Also serves as the execution backend for Advanced Hunting — RequestClientApp = "M365D_AdvancedHunting" indicates AH queries from Triage MCP, Defender portal, or Security Copilot that hit connected LA tables (see Query 7b). Separate from analytics rules (RequestClientApp empty or other values). |
Extended Microsoft MCP Server Landscape (Reference)
Beyond the four MCP servers actively monitored by this skill, Microsoft's MCP ecosystem includes many additional servers. This section catalogs them for awareness, threat modeling, and future monitoring expansion.
Sentinel MCP Collections (Microsoft-Hosted)
Microsoft Sentinel exposes three official MCP collections, each at a distinct endpoint:
| Collection | Endpoint URL | Purpose | Monitored by This Skill |
|---|
| Data Exploration | https://sentinel.microsoft.com/mcp/data-exploration | query_lake, search_tables, list_sentinel_workspaces, entity analyzer | ✅ Phase 3 (CloudAppEvents) |
| Triage | https://sentinel.microsoft.com/mcp/triage | Incident triage, Advanced Hunting, entity investigation | ✅ Phase 2 (MicrosoftGraphActivityLogs + SigninLogs — AppId 7b7b3966) |
| Security Copilot Agent Creation | https://sentinel.microsoft.com/mcp/security-copilot-agent-creation | Create Microsoft Security Copilot agents for complex workflows | ❌ Not yet monitored |
Sentinel Custom MCP Tools: Organizations can create their own MCP tools by exposing saved KQL queries from Advanced Hunting as MCP tools. These execute through the same Sentinel MCP infrastructure and are audited in CloudAppEvents (RecordType 403) alongside built-in tools. See Create custom Sentinel MCP tools.
🔵 Monitoring note: Custom MCP tools appear in CloudAppEvents with the same RecordType 403 and IMcpToolTemplate interface as built-in tools. The ToolName field will show the custom tool name, making them visible in Query 21 without modification.
Power BI MCP Servers
| Server | Type | Endpoint / Repo | Purpose | Telemetry Surface |
|---|
| Power BI Remote MCP | Microsoft-hosted | https://api.fabric.microsoft.com/v1/mcp/powerbi | Query Power BI datasets, reports, and workspaces remotely via SSE transport | 🟡 PowerBIActivity table (if ingested into Sentinel), Fabric audit logs |
| Power BI Modeling MCP | Local (stdio) | microsoft/powerbi-modeling-mcp | Local Power BI model operations (DAX queries, schema exploration) | ❌ Local only — no Azure telemetry |
⚠️ Data exfiltration risk: Power BI Remote MCP provides API-based access to organizational datasets. If an AI agent connects to this endpoint, it can query sensitive business data. Monitor PowerBIActivity for unusual access patterns if this table is available in your Sentinel workspace.
Fabric & Azure Data Explorer MCP Servers
| Server | Type | Endpoint / Repo | Purpose | Telemetry Surface |
|---|
| Fabric RTI MCP Server | Local (stdio) | microsoft/fabric-rti-mcp | Query Azure Data Explorer clusters and Fabric Real-Time Intelligence Eventhouses via KQL | 🟡 ADX audit logs, Fabric audit events |
| Azure MCP Server — Kusto namespace | Local (stdio) | Part of Azure MCP Server (azmcp --namespace kusto) | Manage ADX clusters, databases, tables, and queries via ARM | ✅ Already covered (Azure ARM operations — Phase 4) |
| Kusto Query MCP | Copilot Studio built-in | Copilot Studio catalog | KQL query execution from Copilot Studio agents | 🟡 CloudAppEvents (Copilot Studio workload) |
🔵 Note: The Fabric RTI MCP Server is open-source and runs locally. It authenticates to ADX/Eventhouse using the user's credentials. If your org uses ADX, queries from this MCP would appear in ADX audit logs (.show queries / diagnostic logs), NOT in Sentinel LAQueryLogs.
Developer & Productivity MCP Servers
| Server | Type | Repo | Purpose | Telemetry Surface |
|---|
| Playwright MCP | Local (stdio) | microsoft/playwright-mcp (26.9k ⭐) | Browser automation via accessibility tree — enables LLMs to interact with web pages | ❌ Local only — no Azure telemetry |
| GitHub MCP Server | Local (stdio) | github/github-mcp-server | GitHub repo operations (issues, PRs, code search) via PAT | ❌ GitHub audit logs only, not in Sentinel |
| Microsoft Learn Docs MCP | Cloud-hosted | Certified Copilot Studio connector | Search and fetch official Microsoft Learn documentation | ❌ Public docs, no security data |
Copilot Studio Built-in MCP Servers (19+ servers)
Microsoft Copilot Studio provides a catalog of built-in MCP servers for agent development. These are Microsoft-managed, cloud-hosted servers that agents can connect to.
Source: Built-in MCP servers catalog
| Category | MCP Servers | Security Relevance |
|---|
| Microsoft 365 | Outlook Mail, Outlook Calendar, 365 User Profile, Teams, Word, 365 Copilot (Search) | 🔴 High — email, calendar, user profile access |
| SharePoint & OneDrive | SharePoint and OneDrive, SharePoint Lists | 🟠 Medium — file and data access |
| Administration | 365 Admin Center | 🔴 High — administrative control plane |
| Dataverse | Dataverse MCP | 🟠 Medium — business data access |
| Dynamics 365 | Sales, Finance, Supply Chain, Service, ERP, Contact Center (6 sub-variants) | 🟡 Low-Medium — business application data |
| Fabric | Fabric MCP | 🟠 Medium — analytics data access |
| Office 365 Outlook | Contact Management, Email Management, Meeting Management | 🔴 High — email and contact data |
| Meta-Server | MCP Management MCP | 🟠 Medium — manages other MCP servers via Dataverse/Graph |
⚠️ Telemetry gap: Copilot Studio built-in MCP servers are NOT directly visible in LAQueryLogs or MicrosoftGraphActivityLogs. Their activity may appear in:
CloudAppEvents — under Copilot Studio workload (if Purview unified audit is configured)
- M365 unified audit log — as Copilot Studio agent actions
AuditLogs — agent identity lifecycle events (creation, modification via Power Virtual Agents Service)
AADServicePrincipalSignInLogs — agent SPN sign-ins to Bot Framework from Azure internal IPs (fd00:*)
To monitor Copilot Studio agent activity touching these MCP servers, use the Agent Identity Detection workflow (Phase 6) to identify agent SPNs, then trace their sign-in and audit activity.
Azure MCP Server — Full Tool Surface
The Azure MCP Server (already tracked in Phase 4) has a much broader tool surface than just ARM operations. The complete namespace catalog:
| Category | Namespaces | Security-Relevant Tools |
|---|
| AI & ML | foundry, search, speech | AI Foundry model access, Search index queries |
| Identity | role | ⚠️ RBAC role assignments — view and manage |
| Security | keyvault, appconfig, confidentialledger | 🔴 Key Vault secrets/keys/certs, App Configuration |
| Databases | cosmos, mysql, postgres, redis, sql | Database access and management |
| Storage | storage, fileshares, storagesync, managedlustre | Blob, file, and storage account access |
| Compute | appservice, functionapp, aks | App Service, Functions, Kubernetes |
| Networking | eventhubs, servicebus, eventgrid, communication, signalr | Messaging and event services |
| DevOps | bicepschema, deploy, monitor, workbooks, grafana | Infrastructure deployment, monitoring |
| Governance | policy, quota, resourcehealth, cloudarchitect | Policy management, resource health |
| Other | marketplace, virtualdesktop, loadtesting, acr | VDI, container registry, load testing |
🔵 Key Vault access via MCP is particularly security-sensitive. The Azure MCP Server implements elicitation (user confirmation prompts) before returning secrets. However, this can be bypassed with the --insecure-disable-user-confirmation flag. Monitor AzureActivity for Key Vault operations correlated with MCP usage patterns.
Monitoring Expansion Priorities
If expanding this skill's coverage, prioritize based on data access risk:
| Priority | Server | Why | How to Monitor |
|---|
| 🔴 P1 | Copilot Studio built-in M365 MCPs | Email, Teams, admin center access | Agent Identity Detection (Phase 6) + CloudAppEvents |
| 🔴 P1 | Security Copilot Agent Creation | Creates autonomous security agents | CloudAppEvents for agent creation events |
| 🟠 P2 | Power BI Remote MCP | Dataset query access via API | PowerBIActivity table if available |
| 🟠 P2 | Sentinel Custom MCP Tools | User-defined tools, same audit surface | Already visible in Phase 3 CloudAppEvents |
| 🟡 P3 | Fabric RTI MCP | ADX/Eventhouse data access | ADX diagnostic logs |
| 🟡 P3 | Kusto Query MCP (Copilot Studio) | KQL from Copilot Studio agents | CloudAppEvents (Copilot Studio workload) |
| ⚪ P4 | Playwright, GitHub, Learn Docs MCPs | Local/public, minimal telemetry | Not monitorable from Sentinel |
Note: This catalog reflects the Microsoft MCP ecosystem as of February 2026. The Copilot Studio MCP catalog notes: "This list isn't exhaustive. New MCP connectors are added regularly."
⛔ MANDATORY: Sentinel Workspace Selection
This skill requires a Sentinel workspace to execute queries. Follow these rules STRICTLY:
When invoked from another skill (e.g., incident-investigation):
- Inherit the workspace selection from the parent investigation context
- If no workspace was selected in parent context: STOP and ask user to select
When invoked standalone (direct user request):
- ALWAYS call
list_sentinel_workspaces MCP tool FIRST
- If 1 workspace exists: Auto-select, display to user, proceed
- If multiple workspaces exist:
- Display all workspaces with Name and ID
- ASK: "Which Sentinel workspace should I use for this analysis?"
- ⛔ STOP AND WAIT for user response
- ⛔ DO NOT proceed until user explicitly selects
- If a query fails on the selected workspace:
- ⛔ DO NOT automatically try another workspace
- STOP and report the error, display available workspaces, ASK user to select
🔴 PROHIBITED ACTIONS:
- ❌ Selecting a workspace without user consent when multiple exist
- ❌ Switching to another workspace after a failure without asking
- ❌ Proceeding with analysis if workspace selection is ambiguous
Output Modes
This skill supports two output modes. ASK the user which they prefer if not explicitly specified. Both may be selected.
Mode 1: Inline Chat Summary (Default)
- Render the full MCP usage analysis directly in the chat response
- Includes ASCII tables, trend charts, endpoint breakdowns, and security assessment
- Best for quick review and interactive follow-up questions
Mode 2: Markdown File Report
- Save a comprehensive report to
reports/mcp-usage/MCP_Usage_Report_<timestamp>.md
- All ASCII visualizations render correctly inside markdown code fences (
```)
- Includes all data from inline mode plus additional detail sections
- Use
create_file tool — NEVER use terminal commands for file output
- Filename pattern:
reports/mcp-usage/MCP_Usage_Report_YYYYMMDD_HHMMSS.md
Markdown Rendering Notes
- ✅ ASCII tables, box-drawing characters, and bar charts render perfectly in markdown code blocks
- ✅ Unicode block characters (▓░█) display correctly in monospaced fonts
- ✅ Emoji indicators (🔴🟢🟡⚠️✅) render natively in GitHub-flavored markdown
- ✅ Standard markdown tables (
| col |) render as formatted tables
- Tip: Wrap all ASCII art in triple-backtick code fences for consistent rendering
Scalability & Token Management
This skill was developed in a small lab environment (1–2 users, single workspace). In larger tenants with many users, MCP servers, and higher query volumes, the query complexity is not a concern — all queries use summarize, dcount, make_set(..., N), and take operators, so result sets remain bounded regardless of raw table size. Execution time will increase but output shape stays the same.
The primary risk in large environments is LLM token exhaustion during report generation. All query results accumulate in conversation context before the report is written, and this skill file itself consumes significant context. In a large tenant, richer result sets (more users, endpoints, error categories, AppIds) can push past token limits before the report is complete.
Guardrails for Large Environments
1. Tighten result set limits in queries:
| Parameter | Small Env (default) | Large Env |
|---|
make_set(..., N) for users | 10 | 5 |
make_set(..., N) for endpoints | 20–30 | 10 |
make_set(..., N) for errors | 5 | 3 |
take on governance tables | 25 | 15 |
take on endpoint rankings | 25 | 15 |
take on error analysis | 50 | 20 |
2. Incremental file writes (markdown mode):
Instead of composing the entire report in memory and writing it in one create_file call:
- Write the report header and executive summary first with
create_file
- Append each section (Graph MCP, Sentinel Triage, Data Lake, etc.) using
replace_string_in_file to insert content at the end of the file
- This allows earlier query results to fall out of active context after being written
3. Two-pass approach for very large tenants:
- Pass 1 (Summary): Run all queries with aggressive limits (
take 10, make_set(..., 3)). Generate a summary report with top-level numbers only.
- Pass 2 (Drill-down): If the user wants detail on a specific section (e.g., "show me the full Data Lake error breakdown"), run targeted queries for that section only.
4. Parallel query batching:
Phases 1–5 contain independent queries — always run them in parallel. But avoid running all ~16 queries simultaneously; batch them into 2–3 groups of 5–6 queries. This balances throughput against context accumulation.
5. Omit raw query appendix for large reports:
The "Appendix: Query Details" section listing every KQL query used can be omitted in large environments to save tokens. The queries are documented in this skill file and don't need to be repeated in the report.
Indicators You're Hitting Token Limits
- Report generation starts but cuts off mid-section
- The agent switches to a new conversation turn unexpectedly during report writing
- Sections become progressively less detailed toward the end of the report
- The agent summarizes findings in chat instead of writing the full markdown file
If any of these occur, ask the agent to: "Continue writing the report from where you left off" — the incremental file write approach ensures partial progress is saved.
Quick Start (TL;DR)
When a user requests MCP usage monitoring:
- Select Workspace →
list_sentinel_workspaces, auto-select or ask
- Determine Output Mode → Ask if not specified: inline, markdown file, or both
- Determine Time Range → Ask if not specified; default 30 days
- Run Phase 1 (Graph MCP) → Daily usage summary, top endpoints, sensitive API access
- Run Phase 2 (Sentinel Triage MCP) → API calls via AppId
7b7b3966, auth events, AH downstream queries
- Run Phase 3 (Sentinel Data Lake MCP) → CloudAppEvents tool usage, error analysis, MCP vs Direct KQL
- Run Phase 4 (Azure MCP & ARM) → ARM operations, resource provider breakdown
- Run Phase 5 (Workspace Governance) → All query sources (Analytics + Data Lake tiers), MCP proportion
- Run Phase 6 (Agent Identity) → Entra Agent ID detection, caller attribution
- Run Phase 7 (Assessment) → Compute MCP Usage Score, security assessment, render report
Parallel execution: Phases 1-5 contain independent queries — run all of them in parallel for performance. Phases 6-7 depend on results from 1-5.
MCP Usage Score Formula
The MCP Usage Score is a composite health and risk indicator that summarizes MCP server activity. Unlike the Drift Score (which is a ratio), this is an absolute assessment based on multiple dimensions.
Scoring Dimensions
$$
\text{MCPUsageScore} = \sum_{i} \text{DimensionScore}_i
$$
Each dimension contributes 0–20 points to a maximum of 100:
| Dimension | Max Points | Green (0-5) | Yellow (6-12) | Red (13-20) |
|---|
| User Diversity | 20 | 1-2 known users | 3-5 users or 1 unknown | >5 users or unknown users |
| Endpoint Sensitivity | 20 | 0% sensitive endpoints | 1-30% sensitive | >30% calls to sensitive APIs |
| Error Rate | 20 | <1% errors | 1-5% errors | >5% errors |
| Volume Anomaly | 20 | Within ±50% of daily avg | 50-200% spike | >200% spike vs avg |
| Off-Hours Activity | 20 | <5% off-hours | 5-20% off-hours | >20% calls outside business hours |
Interpretation Scale
| Score | Meaning | Action |
|---|
| 0–25 | Healthy | ✅ Normal MCP usage, no concerns |
| 26–50 | Elevated | 🟡 Review — minor anomalies detected |
| 51–75 | Concerning | 🟠 Investigate — multiple risk signals present |
| 76–100 | Critical | 🔴 Immediate review — significant security risk |
Sensitivity Classification
Sensitive Graph API endpoints — flag any MCP calls to these patterns:
roleManagement, roleAssignments, roleEligibility,
authentication/methods, identityProtection, riskyUsers,
riskDetections, conditionalAccess, servicePrincipals,
appRoleAssignments, oauth2PermissionGrants,
auditLogs, directoryRoles, privilegedAccess,
security/alerts, security/incidents
Off-Hours Definition
Business hours: 08:00–18:00 local time (derive from user's primary sign-in timezone, or use UTC if unknown). Weekends count as off-hours for all 24 hours.
Execution Workflow
Phase 1: Graph MCP Server Analysis
Data source: MicrosoftGraphActivityLogs
Filter: AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
Collect:
- Execute Query 1 to get daily usage summary with user count, success/error breakdown, avg duration
- Execute Query 2 to get top 25 Graph API endpoints accessed with call counts and last-used timestamps
- Execute Query 3 to get sensitive/high-risk endpoint access with user and scope details
- Execute Query 4 to discover all distinct AppIds calling Graph API for MCP identification
Phase 2: Sentinel Triage MCP Analysis
Data sources: MicrosoftGraphActivityLogs, SigninLogs, AADNonInteractiveUserSignInLogs
Filter: AppId = 7b7b3966-1961-47b5-b080-43ca5482e21c ("Microsoft Defender Mcp")
Detection Method (Confirmed Feb 2026):
The Sentinel Triage MCP has a dedicated AppId (7b7b3966-1961-47b5-b080-43ca5482e21c) that appears in both MicrosoftGraphActivityLogs and SigninLogs/AADNonInteractiveUserSignInLogs. This enables definitive attribution of Triage MCP calls — no heuristics or shared-surface estimation needed.
Key characteristics:
- AppDisplayName: "Microsoft Defender Mcp" (visible in SigninLogs)
- Auth type: Delegated + certificate (ClientAuthMethod=2) — user identity always available
- Scopes:
SecurityAlert.Read.All, SecurityIncident.Read.All, ThreatHunting.Read.All
- Target resources: Microsoft Graph, WindowsDefenderATP
- API endpoints: POST
/v1.0/security/runHuntingQuery/, GET /security/incidents/, GET /security/alerts_v2/
- No local SPN: Microsoft first-party app — display name only visible in SigninLogs, not in Graph API SPN lookup
🔵 MicrosoftGraphActivityLogs retention varies by environment (depends on Log Analytics workspace configuration and diagnostic settings). Do not assume a fixed retention period — check with a baseline row count query first.
Collect:
- Execute Query 5 to get authentication events by client app (VS Code, Copilot Studio, browser) with user, IP, OS, country
- Execute Query 6 to get client app usage breakdown with distinct user counts and last-seen timestamps
- Execute Query 7 to get Triage MCP API usage from
MicrosoftGraphActivityLogs — filter by AppId 7b7b3966 for exact Triage MCP calls with endpoint/method/user breakdown
- Execute Query 7a to get Triage MCP authentication events from
SigninLogs/AADNonInteractiveUserSignInLogs — sign-in frequency, user attribution, IP, OS, country
- Execute Query 7b to get LAQueryLogs for Advanced Hunting downstream queries via
fc780465 / M365D_AdvancedHunting. Captures queries from any RunAdvancedHuntingQuery consumer (Triage MCP, Defender portal, Security Copilot) that hit connected LA tables. XDR-native tables (DeviceEvents, EmailEvents) don't appear here.
- Execute Query 7c to get portal/platform query volume from LAQueryLogs for governance context
Phase 3: Sentinel Data Lake MCP Analysis
Data source: CloudAppEvents (Purview unified audit log)
Execution tool: mcp_sentinel-data_query_lake — queries use TimeGenerated (Data Lake column). CloudAppEvents is available on both Data Lake (90d retention) and Advanced Hunting (30d, uses Timestamp). Always try Data Lake first for full retention coverage.
Filter: ActionType contains "Sentinel" or ActionType contains "KQL". RecordType is inside RawEventData (not a top-level column) — extract with parse_json(tostring(RawEventData)).RecordType. RecordType 403 = MCP tools, 379 = Direct KQL.
⚠️ MANDATORY: Execute Query 20 against query_lake before reporting any gap. If the query returns 0 results or table-not-found, THEN report the gap. Do NOT skip this phase based on assumptions about E5 licensing or Purview configuration — the table may be populated even without explicit Purview setup.
Audit Path: Sentinel Data Lake MCP tools are NOT audited via LAQueryLogs — they are tracked through Purview unified audit log, surfaced in the CloudAppEvents table. RecordType 403 (inside RawEventData) = Sentinel AI Tool activities, RecordType 379 = KQL activities.
MCP vs Direct KQL Delineation:
| Access Pattern | RecordType | Interface | Operation | What It Represents |
|---|
| MCP Server-driven | 403 | IMcpToolTemplate | SentinelAIToolRunStarted, SentinelAIToolRunCompleted | Tool calls via Sentinel Data Lake MCP (e.g., query_lake, list_sentinel_workspaces, search_tables) |
| Direct KQL | 379 | Microsoft.SentinelGraph.AIPrimitives.Core.Services.KqsService | KQLQueryCompleted | KQL queries executed directly via Sentinel Graph / Data Lake Explorer (no MCP intermediary) |
Key RawEventData Fields:
| Field | Description | Example |
|---|
ToolName | MCP tool invoked | query_lake, list_sentinel_workspaces, search_tables, analyze_url_entity |
Interface | Execution interface — distinguishes MCP from direct | IMcpToolTemplate (MCP) vs KqsService (direct) |
ExecutionDuration | Duration in seconds (as string) | "2.4731712" |
FailureReason | Error message if failed | "SemanticError: 'DeviceDetail' column does not exist" |
TablesRead | Tables accessed by the query | "SigninLogs" |
DatabasesRead | Log Analytics workspace name | "la-yourworkspace" |
TotalRows | Rows returned | 100 |
InputParameters | Full tool input including KQL query text and workspaceId | JSON string with query and workspaceId keys |
Collect:
- Execute Query 20 to get Data Lake MCP tool usage summary with success/failure breakdown
- Execute Query 21 to get tool-level breakdown with call counts and avg execution duration
- Execute Query 22 to get error analysis for failed Data Lake MCP tool calls
- Execute Query 23 to get daily activity trend across MCP and Direct KQL
- Execute Query 24 to get MCP vs Direct KQL delineation summary
Phase 4: Azure MCP Server & ARM Operations
Data sources: AzureActivity, SigninLogs, AADNonInteractiveUserSignInLogs, LAQueryLogs
Filter: Caller = user UPN (AzureActivity), AppId = 04b07795-8ddb-461a-bbee-02f9e1bf7b46 (sign-in logs, LAQueryLogs)
Collect:
- Execute Query 8 to get ARM operations by hour/IP with operation counts and resource provider sets
- Execute Query 9 to get resource provider breakdown with top operations per provider
- Execute Query 25 to get Azure MCP Server authentication events from SigninLogs/AADNonInteractiveUserSignInLogs — filter by AppId
04b07795 (Azure CLI credential, field-tested Feb 2026). 🔄 Previously documented as AppId 1950a258 (AzurePowerShellCredential) — that path is obsolete.
- Execute Query 26 to get Azure MCP Server workspace queries from LAQueryLogs — filter by AADClientId
04b07795. RequestClientApp is empty (not a unique fingerprint). Azure MCP appends \n| limit N to query text — use query text pattern as differentiator.
Detection Method (🔄 Updated Feb 2026):
The Azure MCP Server runs as a local .NET process (stdio mode) and authenticates via DefaultAzureCredential. Field-tested Feb 2026: The credential chain now resolves to Azure CLI credential (04b07795-8ddb-461a-bbee-02f9e1bf7b46), NOT AzurePowerShellCredential (1950a258) as previously documented.
Previous fingerprint (OBSOLETE): AppId 1950a258 + RequestClientApp = csharpsdk,LogAnalyticsPSClient. Only 1 occurrence found in 30-day lookback. The Azure MCP Server SDK path has changed.
Current fingerprint (field-tested Feb 2026):
| Signal | Azure MCP Server (Current) | Azure CLI (Manual) | Notes |
|---|
| AppId (SigninLogs) | 04b07795 | 04b07795 | Shared — not a unique differentiator |
| AADClientId (LAQueryLogs) | 04b07795 | 04b07795 | Shared |
| RequestClientApp (LAQueryLogs) | Empty ("") | Empty ("") | Shared — not a unique differentiator. Empty RequestClientApp is also used by 4+ other AADClientIds |
| Query text pattern (LAQueryLogs) | Appends \n| limit N to all queries | No standard suffix | ✅ Best differentiator — Azure MCP monitor_workspace_log_query always appends a limit operator |
| AzureActivity (Claims.appid) | 04b07795 (write ops only) | 04b07795 | Shared; read ops not logged |
🚨 Key change from previous documentation:
- ❌
RequestClientApp = "csharpsdk,LogAnalyticsPSClient" — OBSOLETE, no longer produced by Azure MCP Server
- ❌ AppId
1950a258 (AzurePowerShellCredential) — OBSOLETE credential path
- ✅ AppId
04b07795 (Azure CLI) — current credential path
- ✅
RequestClientApp is empty — shared with Azure CLI and other tools
- ✅ Query text containing
\n| limit — most reliable query-level differentiator
Disambiguation challenges:
- Azure MCP Server queries are difficult to isolate from manual Azure CLI queries in LAQueryLogs because both share the same AppId AND empty
RequestClientApp
- The
\n| limit N suffix appended by monitor_workspace_log_query is the best heuristic but is not guaranteed to be unique
- In SigninLogs, UserAgent containing
azsdk-net-Identity with OS Microsoft Windows may still help if the credential chain includes Azure Identity SDK components
- Consider correlating query timing with known MCP session activity for attribution
Authentication Sequence Observed (Current):
- Azure MCP Server acquires token via Azure CLI cached credential
- Token is reused for subsequent operations within its lifetime
- If MFA claim is missing → interactive browser prompt (rare with CLI credential)
- Subsequent calls reuse the cached token until expiry
🔴 Token Caching Behavior (Field-Tested Feb 2026):
- Sign-in events appear at token acquisition time, NOT at each individual API call time
- Once a token is cached, subsequent Azure MCP calls (list resources, get configs, etc.) do NOT generate new sign-in events
- You will see 1-3 sign-in events per token lifecycle, not one per API call
- To count actual API calls, correlate with AzureActivity (write ops) or LAQueryLogs (
monitor_workspace_log_query calls)
- The ~1hr token lifetime means at most ~24 sign-in event clusters per day of continuous use
AzureActivity visibility: Only ARM write/action/delete operations appear in AzureActivity (Administrative category). Azure MCP Server read-only operations (list subscriptions, list resource groups, list clusters) do NOT appear. Claims.appid = 04b07795 when write operations do occur.
Note: Azure MCP Server is difficult to isolate from manual Azure CLI usage because they share the same AppId and both produce empty RequestClientApp. The \n| limit N query text suffix is the best heuristic for LAQueryLogs. In SigninLogs, the shared AppId means Azure MCP authenticated as Azure CLI — there is no unique sign-in fingerprint. Present findings as "Azure MCP Server / Azure CLI (shared AppId 04b07795)" in reports.
Phase 5: Workspace Query Governance
Data source: LAQueryLogs (Analytics tier), CloudAppEvents (Data Lake tier)
Filter: All AADClientIds (LAQueryLogs), All Sentinel operations (CloudAppEvents)
Collect:
- Execute Query 10 to get all clients querying the Analytics tier workspace with query counts, user counts, CPU usage
- Data Lake tier query volume from Phase 3 results (Queries 20-24)
- MCP proportion calculation: combined MCP query volume (Analytics + Data Lake tiers) / total query volume
- Execute Query 14 to get non-MCP platform context (Sentinel Engine, Logic Apps, Sentinel Portal volumes)
Phase 6: Agent Identity Detection
Data sources: MicrosoftGraphActivityLogs, AADServicePrincipalSignInLogs, AuditLogs, Microsoft Graph API
Collect:
- Execute Query 17 to get Graph MCP caller attribution — User vs SPN vs Agent breakdown
- Agent Identity inventory via Graph API —
GET /servicePrincipals?$filter=servicePrincipalType eq 'Agent' (via Graph MCP microsoft_graph_suggest_queries → microsoft_graph_get)
- Execute Query 18 to get Agent Identity sign-in events from
AADServicePrincipalSignInLogs where applicable
- Execute Query 19 to get Agent Identity CRUD operations from
AuditLogs — creation, modification, deletion of agent identities
Note: This phase depends on Entra Agent ID (preview) being available in the tenant. If no agent identities exist, report: "✅ No Entra Agent Identities detected in tenant — all MCP callers are standard users or service principals." and skip Queries 18-19.
Phase 7: Score Computation & Report Generation
- Compute per-dimension scores from Phase 1-6 data:
- User Diversity: Count distinct users AND distinct Agent Identities across all MCP channels
- Endpoint Sensitivity: % of Graph MCP calls to sensitive patterns (Phase 1 Query 3 vs Query 1)
- Error Rate: % of non-2xx responses across all MCP channels
- Volume Anomaly: Compare most recent day vs rolling average (Phase 1 Query 1 daily data)
- Off-Hours Activity: % of MCP calls outside 08:00-18:00 (derive from TimeGenerated)
- Sum dimension scores for composite MCP Usage Score
- Include Agent Identity attribution in report if any agent callers detected (Phase 6)
- Generate security assessment with emoji-coded findings
- Render output in the user's selected mode
Sample KQL Queries
🔴 MANDATORY: Execute these queries EXACTLY as written. Substitute only the time range parameter (e.g., ago(30d) → ago(90d)) and entity-specific values where indicated. These queries are schema-verified and encode mitigations for pitfalls documented in Known Pitfalls. Rewriting, paraphrasing, or constructing "equivalent" queries from scratch risks hitting the exact schema issues these queries were designed to avoid.
| Action | Status |
|---|
| Rewriting a pre-authored query from scratch | ❌ PROHIBITED |
Removing parse_json() / tostring() wrappers from queries | ❌ PROHIBITED |
| Substituting column names without schema verification | ❌ PROHIBITED |
Using has instead of contains for CamelCase fields | ❌ PROHIBITED |
| Executing a query not from this section without completing the Pre-Flight Checklist | ❌ PROHIBITED |
Query 1: Graph MCP — Daily Usage Summary
// Graph MCP daily usage trend with success/error breakdown
// Configurable: replace ago(30d) with desired lookback
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| summarize
Requests = count(),
DistinctUsers = dcount(UserId),
SuccessCount = countif(ResponseStatusCode >= 200 and ResponseStatusCode < 300),
ErrorCount = countif(ResponseStatusCode >= 400),
AvgDurationMs = avg(DurationMs)
by bin(TimeGenerated, 1d)
| extend ErrorRate = round(100.0 * ErrorCount / Requests, 1)
| order by TimeGenerated desc
Query 2: Graph MCP — Top Endpoints Accessed
// Most-called Graph API endpoints via MCP, with user and recency info
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| extend Endpoint = tostring(split(RequestUri, "?")[0])
| summarize
CallCount = count(),
DistinctUsers = dcount(UserId),
LastUsed = max(TimeGenerated),
Methods = make_set(RequestMethod, 5)
by Endpoint
| order by CallCount desc
| take 25
Query 3: Graph MCP — Sensitive API Access
// Flag MCP calls to high-risk Graph endpoints (PIM, credentials, Identity Protection)
let sensitive_patterns = dynamic([
"roleManagement", "roleAssignments", "roleEligibility",
"authentication/methods", "identityProtection", "riskyUsers",
"riskDetections", "conditionalAccess", "servicePrincipals",
"appRoleAssignments", "oauth2PermissionGrants",
"auditLogs", "directoryRoles", "privilegedAccess",
"security/alerts", "security/incidents"
]);
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| where RequestUri has_any (sensitive_patterns)
| project TimeGenerated, UserId, RequestMethod, RequestUri,
ResponseStatusCode, IPAddress, Scopes
| order by TimeGenerated desc
Query 4: All Graph API AppIds — Discovery
// Discover all apps calling Graph APIs — find unknown MCP servers or AI agents
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| summarize
RequestCount = count(),
DistinctUsers = dcount(UserId),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
SampleEndpoints = make_set(tostring(split(RequestUri, "?")[0]), 3)
by AppId
| order by RequestCount desc
Query 5: Sentinel MCP — Authentication Events
⚠️ Pitfall-aware: Uses parse_json(Status) and parse_json(DeviceDetail) wrappers — see SigninLogs Status Field Needs parse_json(). Direct dot-notation fails in Data Lake.
// Who is authenticating to Sentinel MCP (via VS Code, Copilot Studio, browser)
SigninLogs
| where TimeGenerated >= ago(30d)
| where ResourceDisplayName =~ "Sentinel Platform Services"
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId,
ResourceDisplayName, IPAddress,
tostring(parse_json(Status).errorCode) as ErrorCode,
ConditionalAccessStatus, AuthenticationRequirement, ClientAppUsed,
tostring(parse_json(DeviceDetail).operatingSystem) as OS,
tostring(parse_json(LocationDetails).countryOrRegion) as Country
| order by TimeGenerated desc
Query 6: Sentinel MCP — Client App Breakdown
// Which client apps (VS Code, Copilot Studio, browser) are accessing Sentinel MCP
SigninLogs
| where TimeGenerated >= ago(30d)
| where ResourceDisplayName =~ "Sentinel Platform Services"
| summarize
SignInCount = count(),
DistinctUsers = dcount(UserPrincipalName),
Users = make_set(UserPrincipalName, 10),
LastSeen = max(TimeGenerated)
by AppDisplayName, AppId, ClientAppUsed
| order by SignInCount desc
Query 7: Sentinel Triage MCP — API Call Activity (Dedicated AppId)
// Measure Sentinel Triage MCP API calls via its dedicated AppId in MicrosoftGraphActivityLogs.
// AppId 7b7b3966 = "Microsoft Defender Mcp" — the Triage MCP server's own identity.
// This gives DEFINITIVE attribution of Triage MCP calls — no shared-surface estimation needed.
//
// Confirmed Feb 2026: AppId 7b7b3966 appears in MicrosoftGraphActivityLogs with delegated
// auth (certificate), full UserId attribution, and scopes SecurityAlert.Read.All,
// SecurityIncident.Read.All, ThreatHunting.Read.All.
//
// Known API endpoints:
// - POST /v1.0/security/runHuntingQuery/ (Advanced Hunting)
// - GET /security/incidents/ (ListIncidents, GetIncidentById)
// - GET /security/alerts_v2/ (ListAlerts, GetAlertById)
let triage_mcp_appid = "7b7b3966-1961-47b5-b080-43ca5482e21c";
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == triage_mcp_appid
| extend Endpoint = extract(@"/v\d\.\d/(.+?)(\?|$)", 1, RequestUri)
| summarize
Calls = count(),
DistinctUsers = dcount(UserId),
Users = make_set(UserId, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by RequestMethod, Endpoint
| order by Calls desc
| take 25
Query 7a: Sentinel Triage MCP — Authentication Events (SigninLogs)
// Triage MCP authentication events from SigninLogs + AADNonInteractiveUserSignInLogs.
// AppId 7b7b3966 = "Microsoft Defender Mcp" — delegated auth with certificate.
// Uses parse_json() wrappers for DeviceDetail/LocationDetails (Data Lake string columns).
let triage_mcp_appid = "7b7b3966-1961-47b5-b080-43ca5482e21c";
let signinlogs_interactive = SigninLogs
| where TimeGenerated >= ago(30d)
| where AppId == triage_mcp_appid
| extend SignInType = "Interactive"
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId,
ResourceDisplayName, IPAddress,
ResultType = tostring(ResultType),
ResultDescription = tostring(ResultDescription),
SignInType,
OS = tostring(parse_json(DeviceDetail).operatingSystem),
Browser = tostring(parse_json(DeviceDetail).browser),
Country = tostring(parse_json(LocationDetails).countryOrRegion),
City = tostring(parse_json(LocationDetails).city);
let signinlogs_noninteractive = AADNonInteractiveUserSignInLogs
| where TimeGenerated >= ago(30d)
| where AppId == triage_mcp_appid
| extend SignInType = "NonInteractive"
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId,
ResourceDisplayName, IPAddress,
ResultType = tostring(ResultType),
ResultDescription = tostring(ResultDescription),
SignInType,
OS = tostring(parse_json(DeviceDetail).operatingSystem),
Browser = tostring(parse_json(DeviceDetail).browser),
Country = tostring(parse_json(LocationDetails).countryOrRegion),
City = tostring(parse_json(LocationDetails).city);
union signinlogs_interactive, signinlogs_noninteractive
| summarize
SignIns = count(),
DistinctUsers = dcount(UserPrincipalName),
Users = make_set(UserPrincipalName, 10),
IPs = make_set(IPAddress, 10),
Countries = make_set(Country, 10),
LastSeen = max(TimeGenerated)
by AppDisplayName, SignInType, ResourceDisplayName
| order by SignIns desc
Query 7b: LAQueryLogs — Advanced Hunting Downstream Queries (Supplementary Signal)
// SUPPLEMENTARY detection: Advanced Hunting queries (from Triage MCP, Defender portal,
// Security Copilot, or any RunAdvancedHuntingQuery consumer) that hit connected
// Log Analytics workspace tables.
//
// AH downstream queries appear under fc780465 (Sentinel Engine) with
// RequestClientApp "M365D_AdvancedHunting" — full user attribution (AADEmail populated).
//
// This is a DOWNSTREAM signal — it only fires when RunAdvancedHuntingQuery targets
// Sentinel-connected LA tables (SigninLogs, AuditLogs, SecurityAlert, etc.).
// Queries hitting XDR-native tables (DeviceEvents, EmailEvents, etc.) stay in the
// Defender XDR backend and never appear here.
//
// Use alongside Query 7 (MicrosoftGraphActivityLogs) for complete Triage MCP coverage:
// - Query 7 = PRIMARY: Triage MCP API calls filtered by dedicated AppId 7b7b3966
// - Query 7b = SUPPLEMENTARY: downstream query execution when AH hits LA tables
//
// ATTRIBUTION LIMITATION: Cannot distinguish Triage MCP AH queries from Defender portal
// AH queries or Security Copilot AH queries — all appear as M365D_AdvancedHunting.
LAQueryLogs
| where TimeGenerated >= ago(30d)
| where AADClientId == "fc780465-2017-40d4-a0c5-307022471b92" and RequestClientApp == "M365D_AdvancedHunting"
| summarize
QueryCount = count(),
DistinctUsers = dcount(AADEmail),
Users = make_set(AADEmail, 10),
AvgCPUMs = avg(StatsCPUTimeMs),
TotalRowsReturned = sum(ResponseRowCount),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AADClientId, RequestClientApp
| order by QueryCount desc
Query 7c: LAQueryLogs — Portal & Platform Query Volume (Non-MCP Governance)
// Query volume for Portal/Platform AppIds in LAQueryLogs (governance context).
// NOTE: These are NOT MCP servers — included for workspace query governance baseline.
// 80ccca67 = M365 Security & Compliance Center (Sentinel Portal backend)
// 95a5d94c = Azure Portal AppInsightsPortalExtension (Usage dashboards)
let portal_appids = dynamic([
"80ccca67-54bd-44ab-8625-4b79c4dc7775", // M365 Security & Compliance Center (Sentinel Portal)
"95a5d94c-a1a0-40eb-ac6d-48c5bdee96d5" // Azure Portal — AppInsightsPortalExtension (Usage dashboards)
]);
LAQueryLogs
| where TimeGenerated >= ago(30d)
| where AADClientId in (portal_appids)
| extend Category = "Portal/Platform"
| summarize
QueryCount = count(),
DistinctUsers = dcount(AADEmail),
AvgCPUMs = avg(StatsCPUTimeMs),
AvgRowsPerQuery = avg(ResponseRowCount),
TotalRowsReturned = sum(ResponseRowCount),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AADClientId, Category
| order by QueryCount desc
Query 8: Azure MCP — ARM Operations
// Azure ARM operations (may include Azure MCP Server — no dedicated AppId)
// Substitute <UPN> with the user's UPN
AzureActivity
| where TimeGenerated >= ago(30d)
| where Caller =~ '<UPN>'
| where CategoryValue == "Administrative"
| summarize
OperationCount = count(),
DistinctOperations = dcount(OperationNameValue),
ResourceProviders = make_set(ResourceProviderValue, 10)
by bin(TimeGenerated, 1d), CallerIpAddress
| order by TimeGenerated desc
Query 9: Azure MCP — Resource Provider Breakdown
// Azure resource types being accessed — detect unexpected resource access
// Substitute <UPN> with the user's UPN
AzureActivity
| where TimeGenerated >= ago(30d)
| where Caller =~ '<UPN>'
| where CategoryValue == "Administrative"
| summarize
CallCount = count(),
Operations = make_set(OperationNameValue, 5),
DistinctResources = dcount(ResourceGroup)
by ResourceProviderValue
| order by CallCount desc
Query 10: All Workspace Query Sources — Complete Governance View
// Every client querying the workspace — MCP and non-MCP combined
LAQueryLogs
| where TimeGenerated >= ago(30d)
| summarize
QueryCount = count(),
DistinctUsers = dcount(AADEmail),
AvgCPUMs = avg(StatsCPUTimeMs),
TotalRowsReturned = sum(ResponseRowCount)
by AADClientId
| order by QueryCount desc
Query 11: Graph MCP — Off-Hours Activity Detection
// Identify MCP calls outside business hours (08:00-18:00 UTC)
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| extend HourOfDay = datetime_part("hour", TimeGenerated)
| extend DayOfWeek = dayofweek(TimeGenerated) / 1d
| extend IsOffHours = HourOfDay < 8 or HourOfDay >= 18 or DayOfWeek >= 5
| summarize
TotalCalls = count(),
OffHoursCalls = countif(IsOffHours),
BusinessHoursCalls = countif(not(IsOffHours)),
OffHoursUsers = make_set_if(UserId, IsOffHours, 10)
by bin(TimeGenerated, 1d)
| extend OffHoursPct = round(100.0 * OffHoursCalls / TotalCalls, 1)
| order by TimeGenerated desc
Query 12: Graph MCP — New User Detection (Baseline Comparison)
// Detect users who started using Graph MCP in the recent window but weren't in baseline
let baselineStart = ago(60d);
let baselineEnd = ago(7d);
let recentStart = ago(7d);
let baseline_users = MicrosoftGraphActivityLogs
| where TimeGenerated between (baselineStart .. baselineEnd)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| distinct UserId;
MicrosoftGraphActivityLogs
| where TimeGenerated >= recentStart
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| where UserId !in (baseline_users)
| summarize
CallCount = count(),
FirstSeen = min(TimeGenerated),
Endpoints = make_set(tostring(split(RequestUri, "?")[0]), 10),
IPs = make_set(IPAddress, 5)
by UserId
| order by CallCount desc
Query 13: Sentinel MCP — Query Content Audit
// Audit actual KQL queries executed by MCP servers and Portal/Platform apps (sample)
let mcp_server_appids = dynamic([
"7b7b3966-1961-47b5-b080-43ca5482e21c" // Sentinel Triage MCP ("Microsoft Defender Mcp")
]);
let portal_appids = dynamic([
"80ccca67-54bd-44ab-8625-4b79c4dc7775", // M365 Security & Compliance Center (Sentinel Portal)
"95a5d94c-a1a0-40eb-ac6d-48c5bdee96d5" // Azure Portal — AppInsightsPortalExtension (Usage dashboards)
]);
LAQueryLogs
| where TimeGenerated >= ago(7d)
| where AADClientId in (mcp_server_appids) or AADClientId in (portal_appids)
| extend Category = case(
AADClientId in (mcp_server_appids), "MCP Server",
"Portal/Platform")
| project TimeGenerated, AADEmail, AADClientId, Category,
QueryTextTruncated = substring(QueryText, 0, 200),
ResponseCode, ResponseRowCount, StatsCPUTimeMs
| order by TimeGenerated desc
| take 50
Query 14: Unified MCP + Non-MCP Dashboard
// Combined MCP vs non-MCP view for workspace governance (Analytics tier)
let mcp_graph = MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| summarize Count = count() by Source = "Graph MCP", Category = "MCP", bin(TimeGenerated, 1d);
let mcp_triage = MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "7b7b3966-1961-47b5-b080-43ca5482e21c"
| summarize Count = count() by Source = "Sentinel Triage MCP (Microsoft Defender Mcp)", Category = "MCP", bin(TimeGenerated, 1d);
let sentinel_portal = LAQueryLogs
| where TimeGenerated >= ago(30d)
| where AADClientId == "80ccca67-54bd-44ab-8625-4b79c4dc7775"
| summarize Count = count() by Source = "Sentinel Portal", Category = "Portal", bin(TimeGenerated, 1d);
let portal_appinsights = LAQueryLogs
| where TimeGenerated >= ago(30d)
| where AADClientId == "95a5d94c-a1a0-40eb-ac6d-48c5bdee96d5"
| summarize Count = count() by Source = "Azure Portal (AppInsightsPortalExtension)", Category = "Portal", bin(TimeGenerated, 1d);
let platform_logic_apps = LAQueryLogs
| where TimeGenerated >= ago(30d)
| where AADClientId == "de8c33bb-995b-4d4a-9d04-8d8af5d59601"
| summarize Count = count() by Source = "Logic Apps Connector", Category = "Platform", bin(TimeGenerated, 1d);
let platform_sentinel_engine = LAQueryLogs
| where TimeGenerated >= ago(30d)
| where AADClientId == "fc780465-2017-40d4-a0c5-307022471b92"
| summarize Count = count() by Source = "Sentinel Engine", Category = "Platform", bin(TimeGenerated, 1d);
union mcp_graph, mcp_triage, sentinel_portal, portal_appinsights, platform_logic_apps, platform_sentinel_engine
| summarize TotalQueries = sum(Count) by Source, Category, bin(TimeGenerated, 1d)
| order by TimeGenerated desc
Note: This query covers the Analytics tier (LAQueryLogs + MicrosoftGraphActivityLogs). For Data Lake tier query governance, combine with Query 24 results from CloudAppEvents.
Query 15: Sentinel Audit — Configuration Changes
// Sentinel workspace configuration changes (analytics rules, connectors, etc.)
SentinelAudit
| where TimeGenerated >= ago(30d)
| summarize
ChangeCount = count(),
OperationTypes = make_set(OperationName)
by SentinelResourceType
| order by ChangeCount desc
Query 16: Logic Apps — Non-MCP Query Monitoring
// Track automated queries from Logic Apps (standard connector, NOT MCP)
LAQueryLogs
| where TimeGenerated >= ago(30d)
| where AADClientId == "de8c33bb-995b-4d4a-9d04-8d8af5d59601"
| summarize
QueryCount = count(),
DistinctQueries = dcount(QueryText),
AvgCPUMs = avg(StatsCPUTimeMs),
TotalRows = sum(ResponseRowCount),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AADEmail, RequestClientApp
| order by QueryCount desc
Query 17: Graph MCP — Caller Attribution (User vs SPN vs Agent)
// Attribute Graph MCP calls to User, Service Principal, or Agent Identity
// Key: UserId populated = delegated (user), ServicePrincipalId populated = app-only (SPN/Agent)
// ClientAuthMethod: 0 = public client (user), 1 = client secret (SPN), 2 = certificate (SPN)
MicrosoftGraphActivityLogs
| where TimeGenerated >= ago(30d)
| where AppId == "e8c77dc2-69b3-43f4-bc51-3213c9d915b4"
| extend CallerType = case(
isnotempty(ServicePrincipalId) and isempty(UserId), "ServicePrincipal/Agent (App-Only)",
isnotempty(UserId) and isnotempty(ServicePrincipalId), "Delegated (User+SPN/Agent OBO)",
isnotempty(UserId) and isempty(ServicePrincipalId), "User (Delegated)",
"Unknown")
| extend AuthMethod = case(
ClientAuthMethod == 0, "Public Client",
ClientAuthMethod == 1, "Client Secret",
ClientAuthMethod == 2, "Client Certificate",
"Unknown")
| summarize
CallCount = count(),
DistinctEndpoints = dcount(tostring(split(RequestUri, "?")[0])),
SuccessRate = round(100.0 * countif(ResponseStatusCode >= 200 and ResponseStatusCode < 300) / count(), 1),
SampleEndpoints = make_set(tostring(split(RequestUri, "?")[0]), 5),
IPs = make_set(IPAddress, 5)
by CallerType, AuthMethod, UserId, ServicePrincipalId
| order by CallCount desc
Post-processing: For any rows where CallerType = "ServicePrincipal/Agent (App-Only)", cross-reference the ServicePrincipalId with Entra via Graph API:
- Primary method (most reliable): Query
/beta/servicePrincipals/{id}?$select=id,appId,displayName,servicePrincipalType,tags — check tags array for agentic indicators:
AgenticApp — confirms this is an agent application
AIAgentBuilder — agent was created by an AI agent builder platform
AgentCreatedBy:CopilotStudio — specifically created by Copilot Studio
AgenticInstance — runtime instance of an agent
power-virtual-agents-* — Copilot Studio internal tracking tag
- Fallback: Check
servicePrincipalType — if it equals "Agent", it is a registered Agent Identity. Note: as of Feb 2026, Copilot Studio agents still show "Application" here despite being true agents.
- Name-based filtering is UNRELIABLE — SPNs with "Agent" in display name may be standard app registrations (e.g., "Contoso Agent Tools" =
GitCreatedApp).
Use microsoft_graph_suggest_queries → microsoft_graph_get for the Graph API calls. Query multiple SPNs in one call: /beta/servicePrincipals?$count=true&$filter=id in ('id1','id2')&$select=id,appId,displayName,servicePrincipalType,tags.
Query 18: Agent Identity Sign-In Events
// Agent Identity sign-ins — look for Copilot Studio agent SPNs
// Field-tested: Copilot Studio agents sign in to "Bot Framework" from Azure internal IPv6 (fd00:34f2:*)
// Also check for Graph, Sentinel resources in case agents expand scope
// Cross-reference ServicePrincipalId values from Query 19 AuditLogs results
// Substitute <AGENT_SPN_IDS> with confirmed agent SPN IDs (or remove filter for broad discovery)
AADServicePrincipalSignInLogs
| where TimeGenerated >= ago(30d)
// Uncomment the next line if you have confirmed agent SPN IDs from Query 19 / Graph API:
// | where ServicePrincipalId in (<AGENT_SPN_IDS>)
| where ResourceDisplayName has_any ("Graph", "Sentinel", "Microsoft Graph", "Bot Framework")
| summarize
SignInCount = count(),
SuccessCount = countif(ResultType == "0" or ResultType == 0),
FailCount = countif(ResultType != "0" and ResultType != 0),
DistinctResources = dcount(ResourceDisplayName),
Resources = make_set(ResourceDisplayName, 10),
IPs = make_set(IPAddress, 5),
Locations = make_set(Location, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by ServicePrincipalName, ServicePrincipalId, AppId
| order by SignInCount desc
Telemetry patterns for Copilot Studio agents (field-tested):
- Resource:
Bot Framework (NOT Microsoft Graph — agents talk to Bot Framework runtime)
- IP addresses: Azure internal IPv6 (
fd00:34f2:*) — these are Azure infrastructure IPs, not user IPs
- Sign-in volume: Low (single-digit sign-ins typical for idle agents)
- Correlation: Match
ServicePrincipalId here with TargetId from Query 19 AuditLogs to confirm the same agent
Query 19: Agent Identity CRUD Operations in AuditLogs
// Track creation, modification, and deletion of Agent Identities
// These operations indicate agent lifecycle management in the tenant
// Key insight: Copilot Studio agents are created by "Power Virtual Agents Service"
// and have display names like "Agent (Microsoft Copilot Studio)" or "<Name> (Microsoft Copilot Studio)"
AuditLogs
| where TimeGenerated >= ago(30d)
| where OperationName has_any ("agent", "Agent")
or Category == "AgentIdentity"
or (OperationName has_any ("service principal") and (
tostring(TargetResources) has "agent"
or tostring(TargetResources) has "Copilot Studio"
or tostring(InitiatedBy) has "Power Virtual Agents"
))
| project TimeGenerated, OperationName, Result,
InitiatedBy = coalesce(
tostring(parse_json(tostring(InitiatedBy)).user.userPrincipalName),
tostring(parse_json(tostring(InitiatedBy)).app.displayName)),
TargetName = tostring(parse_json(tostring(parse_json(tostring(TargetResources))[0])).displayName),
TargetId = tostring(parse_json(tostring(parse_json(tostring(TargetResources))[0])).id),
TargetType = tostring(parse_json(tostring(parse_json(tostring(TargetResources))[0])).type)
| extend IsAgenticSPN = iff(
InitiatedBy == "Power Virtual Agents Service"
or TargetName has "Copilot Studio"
or TargetName has "AgenticApp", true, false)
| order by TimeGenerated desc
| take 50
Interpreting results:
InitiatedBy = Power Virtual Agents Service → Copilot Studio created/modified this agent SPN automatically
InitiatedBy = user@domain.com → Human manually created/modified this SPN (may or may not be an agent)
OperationName = Hard delete service principal shortly after Add service principal → Testing/experimentation pattern
- Multiple operations (
Add SPN → Add owner → Update SPN) within seconds → Copilot Studio automated provisioning sequence
Query 20: Data Lake MCP — Tool Usage Summary
⚠️ Pitfall-aware: Uses contains (not has) for ActionType/Operation — see CloudAppEvents CamelCase Matching. Uses parse_json(tostring(RawEventData)) — see CloudAppEvents RawEventData Parsing. Filters on SentinelAIToolRunCompleted only — see CloudAppEvents Double-Counting Prevention.
// Sentinel Data Lake MCP tool usage from CloudAppEvents (Purview unified audit)
// RecordType 403 = Sentinel AI Tool activities (MCP), RecordType 379 = KQL activities (direct)
// IMPORTANT: Use 'contains' (not 'has') for ActionType — CamelCase values have no word boundaries
CloudAppEvents
| where TimeGenerated >= ago(30d)
| where ActionType contains "Sentinel" or ActionType contains "KQL"
| extend RawData = parse_json(tostring(RawEventData))
| extend
Operation = tostring(RawData.Operation),
RecordType = toint(RawData.RecordType),
ToolName = tostring(RawData.ToolName),
Interface = tostring(RawData.Interface),
ExecutionDuration = todouble(RawData.ExecutionDuration),
FailureReason = tostring(RawData.FailureReason),
TablesRead = tostring(RawData.TablesRead),
DatabasesRead = tostring(RawData.DatabasesRead),
TotalRows = toint(RawData.TotalRows),
UserId_raw = tostring(RawData.UserId)
| extend
AccessPattern = case(
RecordType == 403 and Interface == "IMcpToolTemplate", "MCP Server-Driven",
RecordType == 379, "Direct KQL",
"Other"),
IsSuccess = isempty(FailureReason) or FailureReason == ""
| where Operation contains "Completed" or RecordType == 379 // Focus on completed events; use 'contains' not 'has' — CamelCase has no word boundaries
| summarize
TotalCalls = count(),
SuccessCount = countif(IsSuccess),
FailureCount = countif(not(IsSuccess)),
DistinctTools = dcount(ToolName),
DistinctTables = dcount(TablesRead),
AvgDurationSec = round(avg(ExecutionDuration), 2),
TotalRowsReturned = sum(TotalRows),
DistinctUsers = dcount(UserId_raw),
Users = make_set(UserId_raw, 10)
by AccessPattern
| extend ErrorRate = round(100.0 * FailureCount / TotalCalls, 1)
| order by TotalCalls desc
Query 21: Data Lake MCP — Tool Breakdown
⚠️ Pitfall-aware: Uses contains/parse_json(tostring()) pattern — see Query 20 pitfall notes. Uses todouble(ExecutionDuration) — see Data Lake MCP ExecutionDuration Format.
// Breakdown of individual MCP tool usage from CloudAppEvents
// Shows which Data Lake MCP tools are being called most frequently
CloudAppEvents
| where TimeGenerated >= ago(30d)
| where ActionType contains "SentinelAITool"
| extend RawData = parse_json(tostring(RawEventData))
| extend
Operation = tostring(RawData.Operation),
ToolName = tostring(RawData.ToolName),
ExecutionDuration = todouble(RawData.ExecutionDuration),
FailureReason = tostring(RawData.FailureReason),
TablesRead = tostring(RawData.TablesRead)
| where Operation == "SentinelAIToolRunCompleted" // Only count completions to avoid double-counting
| extend IsSuccess = isempty(FailureReason) or FailureReason == ""
| summarize
CallCount = count(),
SuccessCount = countif(IsSuccess),
FailureCount = countif(not(IsSuccess)),
AvgDurationSec = round(avg(ExecutionDuration), 2),
MaxDurationSec = round(max(ExecutionDuration), 2),
TablesAccessed = make_set(TablesRead, 20),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by ToolName
| extend ErrorRate = round(100.0 * FailureCount / CallCount, 1)
| order by CallCount desc
Query 22: Data Lake MCP — Error Analysis
⚠️ Pitfall-aware: Uses contains/parse_json(tostring()) pattern — see Query 20 pitfall notes.
// Analyze failed Data Lake MCP tool calls — identify schema errors, permission issues, etc.
CloudAppEvents
| where TimeGenerated >= ago(30d)
| where ActionType contains "SentinelAITool"
| extend RawData = parse_json(tostring(RawEventData))
| extend
Operation = tostring(RawData.Operation),
ToolName = tostring(RawData.ToolName),
FailureReason = tostring(RawData.FailureReason),
TablesRead = tostring(RawData.TablesRead),
UserId_raw = tostring(RawData.UserId)
| where Operation == "SentinelAIToolRunCompleted"
| where isnotempty(FailureReason) and FailureReason != ""
| extend ErrorCategory = case(
FailureReason has "SemanticError", "Schema/Semantic Error",
FailureReason has "SyntaxError", "KQL Syntax Error",
FailureReason has "Unauthorized" or FailureReason has "403", "Permission Denied",
FailureReason has "Timeout", "Query Timeout",
FailureReason has "NotFound", "Table/Resource Not Found",
"Other Error")
| summarize
ErrorCount = count(),
Tools = make_set(ToolName, 10),
Tables = make_set(TablesRead, 10),
Users = make_set(UserId_raw, 10),
SampleErrors = make_set(substring(FailureReason, 0, 150), 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by ErrorCategory
| order by ErrorCount desc
Query 23: Data Lake MCP — Daily Activity Trend