articles/sentinel/datalake/sentinel-mcp-billing.md
Lines changed: 14 additions & 8 deletions
@@ -4,7 +4,7 @@ titleSuffix: Microsoft Security
4
4
description: Learn about the pricing, limits, and availability of using the different MCP collection of tools in Microsoft Sentinel
5
5
author: poliveria
6
6
ms.topic: concept-article
7
-
ms.date: 12/01/2025
7
+
ms.date: 12/09/2025
8
8
ms.author: pauloliveria
9
9
ms.service: microsoft-sentinel
10
10
ms.custom: references_regions
@@ -19,29 +19,35 @@ This article provides information on pricing, limits, and availability when sett
19
19
20
20
## Pricing and billing
21
21
22
-
### Sentinel data lake tools
22
+
### Microsoft Sentinel data lake tools
23
23
24
-
Pricing in Microsoft Sentinel is based on the tier that you ingest data into. The **data lake tier** is a cost-effective option for ingesting secondary security data and querying security data over the long term. In this tier, Microsoft Sentinel's unified MCP server interface is offered **at no extra cost**. You pay for invoking tools that search and retrieve data by using Kusto Query Language (KQL) queries from Microsoft Sentinel data lake. With Microsoft Sentinel data lake's billing model, you pay as you go for queries that retrieve data. [Read more about Microsoft Sentinel data lake’s pricing here](../billing.md#data-lake-tier).
24
+
Microsoft Sentinel pricing is based on the tier that you ingest data into. The **data lake tier** is a cost-effective option for ingesting secondary security data and querying security data over the long term. In this tier, Microsoft Sentinel's unified MCP server interface is offered **at no extra cost**. You pay for invoking tools that search and retrieve data by using Kusto Query Language (KQL) queries from Microsoft Sentinel data lake. With Microsoft Sentinel data lake's billing model, you pay as you go for queries that retrieve data. [Read more about Microsoft Sentinel data lake’s pricing here](../billing.md#data-lake-tier).
25
+
26
+
### Microsoft Sentinel entity analyzer tool
27
+
You pay for the KQL queries the [entity analyzer](sentinel-mcp-data-exploration-tool.md#entity-analyzer-preview)
28
+
performs over the Microsoft Sentinel data lake. AI compute used by the analyzer to reason over this data doesn't incur any cost.
25
29
26
30
### Triage tool
27
31
28
-
You can use the [triage tool collection](sentinel-mcp-triage-tool.md) at no extra cost, provided that you’re onboarded to the required products and services.
32
+
You can use the [triage tool collection](sentinel-mcp-triage-tool.md) at no extra cost, if you're onboarded to the required products and services.
29
33
30
34
## Quotas and limits
31
35
32
-
### Sentinel data lake tools
36
+
### Microsoft Sentinel data lake tools
33
37
34
38
All [service parameters and limits for Microsoft Sentinel data lake](sentinel-lake-service-limits.md#service-parameters-and-limits-for-tables-data-management-and-ingestion) also apply when you use Microsoft Sentinel's MCP collection of tools.
35
39
36
-
The following limits are specific to Sentinel data lake MCP tools:
40
+
The following limits are specific to Microsoft Sentinel data lake MCP tools:
37
41
38
42
| Feature | Limits |
39
43
|----------|----------|
40
44
| MCP streaming | 120 seconds |
41
45
| Query window for tools | 800 characters |
42
46
43
-
### Sentinel entity analyzer tool
44
-
Each tenant can use the [entity analyzer](sentinel-mcp-data-exploration-tool.md#entity-analyzer-preview) MCP tool up to 100 times an hour and 250 times a day.
47
+
### Microsoft Sentinel entity analyzer tool
48
+
Each tenant can use the entity analyzer MCP tool up to the following limits:
49
+
- 100 total runs an hour
50
+
- 250 total runs a day
45
51
46
52
### Triage tool
47
53
Regular API throttling applies to the tools in the triage tool collection. In addition, tools that call the advanced hunting API are bound by the existing advanced hunting quotas and service limits. [Learn more about advanced hunting quotas and usage parameters](/defender-xdr/advanced-hunting-limits#understand-advanced-hunting-quotas-and-usage-parameters)
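Review bot: the rewritten quota sentence "Each tenant can use the entity analyzer MCP tool up to the following limits:" drops the cross-link that the removed sentence carried; restore `[entity analyzer](sentinel-mcp-data-exploration-tool.md#entity-analyzer-preview)` in it so readers can jump to the tool reference. In the new pricing paragraph under "### Microsoft Sentinel entity analyzer tool", the sentence is split across two source lines ("You pay for the KQL queries the [entity analyzer](...)" / "performs over the Microsoft Sentinel data lake."); join them into one line. It would also help to state what a caller sees when the 100-per-hour or 250-per-day limit is reached (throttled response or error) and whether the logic app connector introduced in this same commit draws from the same per-tenant quota, since that article recommends running five analyses in parallel.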
articles/sentinel/datalake/sentinel-mcp-data-exploration-tool.md
Lines changed: 12 additions & 9 deletions
@@ -4,7 +4,7 @@ titleSuffix: Microsoft Security
4
4
description: Learn about the different tools available in the Data exploration collection in Microsoft Sentinel
5
5
author: poliveria
6
6
ms.topic: how-to
7
-
ms.date: 11/24/2025
7
+
ms.date: 12/12/2025
8
8
ms.author: pauloliveria
9
9
ms.service: microsoft-sentinel
10
10
@@ -30,7 +30,7 @@ To access the data exploration tool collection, you need the following prerequis
30
30
31
31
## Add the data exploration collection
32
32
33
-
To add the data exploration collection, you must first set up add Microsoft Sentinel's unified MCP server interface. Follow the step-by-step instructions for compatible [AI-powered code editors and agent-building platforms](sentinel-mcp-get-started.md#add-microsoft-sentinels-collection-of-mcp-tools).
33
+
To add the data exploration collection, first set up Microsoft Sentinel's unified MCP server interface. Follow the step-by-step instructions for compatible [AI-powered code editors and agent-building platforms](sentinel-mcp-get-started.md#add-microsoft-sentinels-collection-of-mcp-tools).
34
34
35
35
The data exploration collection is hosted at the following URL:
36
36
```
@@ -67,7 +67,7 @@ This tool lists all Microsoft Sentinel data lake workspace name and ID pairs ava
67
67
68
68
These tools use AI to analyze your organization's data in the Microsoft Sentinel data lake. They provide a verdict and detailed insights on URLs, domains, and user entities. They help eliminate the need for manual data collection and complex integrations typically required for enriching and investigating entities.
69
69
70
-
For example, `analyze_user_entity` reasons over the user's authentication patterns, behavioral anomalies, activity within your organization, and more to provide a verdict and analysis. Meanwhile, `analyze_url_entity` reasons over threat intelligence from Microsoft, your custom threat intelligence in Sentinel threat intelligence platform (TIP), click, email, or connection activity on the URL within your organization, and presence in Sentinel watchlists, among others to similarly provide a verdict and analysis.
70
+
For example, `analyze_user_entity` reasons over the user's authentication patterns, behavioral anomalies, activity within your organization, and more to provide a verdict and analysis. Meanwhile, `analyze_url_entity` reasons over threat intelligence from Microsoft, your custom threat intelligence in Microsoft Sentinel threat intelligence platform (TIP), click, email, or connection activity on the URL within your organization, and presence in Microsoft Sentinel watchlists, among others to similarly provide a verdict and analysis.
71
71
72
72
Entity analysis tools might require a few minutes to generate results, so there are tools to start analysis for each entity and another one that polls for the analysis results.
73
73
@@ -76,7 +76,8 @@ Entity analysis tools might require a few minutes to generate results, so there
76
76
| Parameters | Required? | Description |
77
77
|----------|----------|----------|
78
78
| Microsoft Entra object ID or URL| Yes |This parameter takes in the user or URL you want to analyze. |
79
-
| Lookback time| No |This parameter takes in the lookback time. Default is seven days. |
79
+
|`startTime`| Yes |This parameter takes in the start time of the analysis window. |
80
+
|`endTime`| Yes |This parameter takes in the end time of the analysis window. |
80
81
|`workspaceId`| No |This parameter takes in a workspace identifier to limit the search to a single connected Microsoft Sentinel data lake workspace. |
81
82
82
83
These tools return an identifier value that you can provide to the retrieve analysis tool as input.
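Review bot: replacing the optional **Lookback time** row (default seven days) with required `startTime` and `endTime` rows tightens the tool contract and removes the default, but the hunk doesn't say what timestamp format the two parameters expect or what an agent gets back when it omits one; add both. The change also needs reconciling with the logic app connector article added in this commit, which still exposes an **Analyze Entity Request Look Back Days** input rather than a start/end window; either the connector differs from the MCP tool or one of the two pages is stale. Minor: the first row's parameter is written as prose ("Microsoft Entra object ID or URL") while the new rows use code-styled identifiers; give the actual parameter name in the same style.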
@@ -101,7 +102,7 @@ While this tool automatically polls for a few minutes until results are ready, i
-[IdentityInfo](/defender-xdr/advanced-hunting-identityinfo-table) (Available only for tenants with Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, or Microsoft Defender for Endpoint P2 licensing)
103
104
104
-
If you don't have any of these required tables, `analyze_user_entity` generates an error message that lists the tables you didn't onboard, along with links to their corresponding onboarding documentation:
105
+
If you don't have any of these required tables, `analyze_user_entity` generates an error message that lists the tables you didn't onboard, along with links to their corresponding onboarding documentation.
105
106
106
107
-`analyze_user_entity` works best when the following table is also present in the data lake, but continues to work and assess risk, even if the said table is unavailable:
If you don't have any of these tables, `analyze_url_entity` generates a response with a disclaimer that lists the tables you didn't onboard, along with links to their corresponding onboarding documentation:
117
+
If you don't have any of these tables, `analyze_url_entity` generates a response with a disclaimer that lists the tables you didn't onboard, along with links to their corresponding onboarding documentation.
118
+
119
+
- Running multiple instances of the entity analyzer at the same time can increase latency for each run. To prevent timeouts, start by running a maximum of five analyses at once and then adjust this number as needed based on how the analyzer runs in your organization.
117
120
118
121
## Sample prompts
119
122
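Review bot: the concurrency guidance added at the end of this hunk ("- Running multiple instances of the entity analyzer at the same time can increase latency...") is a single bullet with no list around it and no heading, so it reads as a stray list item after the `analyze_url_entity` disclaimer paragraph; make it a plain paragraph or a `> [!NOTE]` callout under a short heading. The colon-to-period change on the two "If you don't have any of these tables..." sentences is correct only if no list of tables follows them in the rendered page; check the output, since the removed `-\`analyze_user_entity\` works best when the following table is also present...` line suggests a list used to sit there.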
@@ -128,9 +131,9 @@ The following sample prompts demonstrate what you can do with the data explorati
128
131
129
132
## How Microsoft Sentinel MCP tools work alongside your agent
130
133
131
-
Let's take a deeper look into how an agent answers a prompt by dynamically orchestrating over our tools.
134
+
Let's take a deeper look into how an agent answers a prompt by dynamically orchestrating over the tools.
132
135
133
-
**Sample prompt:**`Find the top three users that are at risk and explain why they are at risk.`
136
+
**Sample prompt:**`Find the top three users that are at risk and explain why they're at risk.`
134
137
135
138
**Typical response (GitHub Copilot using Claude Sonnet 4):**
136
139
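Review bot: `**Sample prompt:**\`Find the top three users...\`` has no space between the closing `**` and the opening backtick, so the label and the prompt run together in the rendered text; add a space. The "they are" to "they're" edit inside the quoted prompt is fine, but note that it changes the literal prompt text the "Typical response" below was generated from.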
@@ -147,7 +150,7 @@ Let's take a deeper look into how an agent answers a prompt by dynamically orche
147
150
148
151
:::image type="content" source="media/sentinel-mcp/mcp-tool-search-table.png" alt-text="Screenshot of the agent searching for relevant tables that contain user risk and security information." lightbox="media/sentinel-mcp/mcp-tool-search-table.png":::
149
152
150
-
- The agent does another search using the **Semantic search on table catalog** (`search_tables`) tool, this time with broader terms, to find other tables that it should query data from to influence its reasoning.
153
+
- The agent does another search by using the **Semantic search on table catalog** (`search_tables`) tool, this time with broader terms, to find other tables that it should query data from to influence its reasoning.
151
154
152
155
:::image type="content" source="media/sentinel-mcp/mcp-tool-semantic-search.png" alt-text="Screenshot of the agent searching using broader terms." lightbox="media/sentinel-mcp/mcp-tool-semantic-search.png":::
title: Build Azure Logic Apps with Microsoft Sentinel MCP tools
3
+
titleSuffix: Microsoft Security
4
+
description: Learn how to set up an Azure Logic App using Microsoft Sentinel's collection of Model Context Protocol (MCP) tools
5
+
author: poliveria
6
+
ms.topic: how-to
7
+
ms.date: 12/12/2025
8
+
ms.author: pauloliveria
9
+
ms.service: microsoft-sentinel
10
+
11
+
#customer intent: As a security analyst, I want to build Azure Logic Apps using Microsoft Sentinel MCP tools.
12
+
---
13
+
14
+
# Build logic apps with Microsoft Sentinel MCP tools (preview)
15
+
16
+
> [!IMPORTANT]
17
+
> This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
18
+
19
+
You can access the value of Microsoft Sentinel's collection of Model Context Protocol (MCP) tools in [Azure Logic Apps](../../logic-apps/logic-apps-overview.md), starting with the [entity analyzer tool](sentinel-mcp-data-exploration-tool.md#entity-analyzer-preview). Security analysts and automation engineers often spend significant time creating complex Security Orchestration, Automation, and Response (SOAR) templates to enrich entities and reach verdicts.
20
+
21
+
The entity analyzer tool, built on Microsoft Sentinel data lake data, offers a single action that combines multiple data points to deliver a verdict for the entity. It supports user and URL entities, and you can easily access it through templates or integrate it into preexisting playbooks.
22
+
23
+
## Prerequisites to building a logic app
24
+
25
+
If you're new to using logic apps, see [Automate Threat Response with Playbooks in Microsoft Sentinel](../automation/automate-responses-with-playbooks.md) to get started with building them before proceeding to adding the entity analyzer tool.
26
+
27
+
28
+
## Add entity analyzer tool to a logic app
29
+
30
+
You have two options for adding the entity analyzer tool to your logic app:
31
+
-[Use an existing logic app template](#use-an-existing-logic-app-template)
32
+
-[Add to an existing logic app](#add-to-an-existing-logic-app)
33
+
34
+
### Use an existing logic app template
35
+
You can use a logic app template for an easy and quick implementation of the entity analyzer tool. The following screenshot shows how one of the available templates (Incident Trigger Entity Analyzer) takes all users and URLs in an incident, enriches them by using the entity analyzer tool, and sends that analysis as a comment to the original incident:
36
+
37
+
:::image type="content" source="media/sentinel-mcp/logic-app-template.png" alt-text="Screenshot of the entity analyzer tool added to logic app template." lightbox="media/sentinel-mcp/logic-app-template.png":::
38
+
39
+
>[!IMPORTANT]
40
+
> Make sure that you have the **Sentinel SOAR Essentials** solution installed and up-to-date before installing a preexisting logic app template for entity analyzer. From the Microsoft Defender portal navigation menu, go to **Microsoft Sentinel** > **Content management** > **Content hub** to check and install or update.
41
+
42
+
To install a preexisting logic app template:
43
+
44
+
1. From the Microsoft Defender portal navigation menu, go to **Microsoft Sentinel** > **Configuration** > **Automation**.
45
+
1. Select **Playbook templates**, then search for **Entity Analyzer**.
46
+
1. Choose any of the following playbooks:
47
+
- Incident Trigger Entity Analyzer
48
+
- Url Trigger Entity Analyzer
49
+
- HTTP Trigger Entity Analyzer
50
+
1. Select **Create playbook**.
51
+
52
+
When you create and run a playbook, insights from the entity analyzer appear as comments within an incident's details:
53
+
54
+
- The following screenshot shows the analyzer's top-level classification that a user account is compromised along with its supporting evidence, starting with the series of alerts and their associated [MITRE ATT&CK techniques](https://attack.mitre.org/), a list of malicious IP addresses the user signed in from, and a few suspicious user agents the user's activity originated from. (The IP addresses have been redacted.)
55
+
56
+
:::image type="content" source="media/sentinel-mcp/logic-app-incident-classification.png" alt-text="Screenshot of the entity analyzer tool incident classification and evidence added to incident comments." lightbox="media/sentinel-mcp/logic-app-incident-classification.png":::
57
+
58
+
- The following screenshot shows the rest of the supporting evidence (the remaining suspicious user agents and a list of anomalous behavior). By providing these pieces of evidence, the analyzer can make security analysts, who typically have to query and analyze these themselves, feel more comfortable trusting its classification. The analyzer also gives recommendations to remediate the account compromise, and a list of data sources it used during analysis.
59
+
60
+
:::image type="content" source="media/sentinel-mcp/logic-app-incident-recommendation.png" alt-text="Screenshot of the entity analyzer tool evidence and recommendations added to incident comments." lightbox="media/sentinel-mcp/logic-app-incident-recommendation.png":::
61
+
62
+
63
+
### Add to an existing logic app
64
+
65
+
To add the entity analyzer tool by using an existing logic app:
66
+
67
+
1. Access your logic app.
68
+
1. Select **Add a new action** and then search for **New Action**.
69
+
1. Search for `entity analyzer` and choose the action listed under **Microsoft Sentinel MCP tools connector**.
70
+
71
+

72
+
73
+
1. Provide the following required information:
74
+
-**Analyze Entity Request Workspace ID** - Microsoft Sentinel data lake workspace ID (GUID)
75
+
-**Analyze Entity Request Look Back Days** - How far back this tool searches (depending on your use case)
76
+
-**Analyze Entity Request Properties** - Any of the following options:
77
+
- For URL entity:
78
+
```
79
+
{
80
+
"entityType": "Url",
81
+
"url": "[URL]"
82
+
}
83
+
```
84
+
- For user entity
85
+
```
86
+
{
87
+
"entityType": "User",
88
+
"userId": "[Microsoft Entra object ID]"
89
+
}
90
+
```
91
+
You can enter these properties either manually or as dynamic values from previous actions.
92
+
93
+
The following screenshot is an example output you receive from the action in the logic app:
94
+
95
+
:::image type="content" source="media/sentinel-mcp/logic-app-output.png" alt-text="Screenshot of a sample output received from the action in the logic app." lightbox="media/sentinel-mcp/logic-app-output.png":::
96
+
97
+
For more information about the specific input and output in the Connector, see [Microsoft Sentinel MCP](/connectors/sentinelmcp/).
98
+
99
+
## Authenticate to the connector
100
+
Every logic app connector requires an authentication connection. This new action type supports Microsoft Entra ID, service principals, and managed identities. As is the case with the MCP server, the logic app's identity requires **Security reader** to operate.
101
+
102
+
## Additional information
103
+
104
+
Running multiple instances of the entity analyzer at the same time can increase latency for each run. This issue is especially important when you use a **For each** loop in your entity analyzer logic apps, because it can queue multiple analyses at once (for example, multiple users in an incident, multiple incidents triggered at once).
105
+
106
+
To prevent timeouts from too many analyses running at once, turn on the **Concurrency control** in the **For each** action. Start by setting the **Degree of parallelism** to `5` and then adjust it as needed based on how the analyzer runs in your organization.
107
+
108
+
:::image type="content" source="media/sentinel-mcp/logic-app-concurrency.png" alt-text="Screenshot of the logic app loop settings." lightbox="media/sentinel-mcp/logic-app-concurrency.png":::
109
+
110
+
111
+
For more information about loops, see [Add loops to repeat actions in workflows for Azure Logic Apps](../../logic-apps/logic-apps-control-flow-loops.md).
112
+
113
+
114
+
## Related content
115
+
- [Get started with Microsoft Sentinel MCP server](sentinel-mcp-get-started.md)
116
+
- [Tool collection in Microsoft Sentinel MCP server](sentinel-mcp-tools-overview.md)
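Review bot: the permission statement under "## Authenticate to the connector" is too thin for a playbook that writes to incidents: the Incident Trigger template described earlier posts the analysis as an incident comment, so say whether **Security reader** covers only the entity analyzer action and which role the incident-comment step's own connection needs, and name the role precisely (Microsoft Entra directory role or Azure RBAC role, and at what scope) so readers can scope the managed identity to least privilege. Also in this file: (1) the connector input **Analyze Entity Request Look Back Days** does not match the required `startTime`/`endTime` parameters the MCP tool reference introduces in this same commit; confirm which the connector takes or state that they differ. (2) The items `-[Use an existing logic app template](...)`, `-[Add to an existing logic app](...)` and `-**Analyze Entity Request Workspace ID** ...` have no space after the hyphen, so they won't render as bullets. (3) The screenshot inserted as `` has empty alt text; use the `:::image type="content" ... alt-text="...":::` form used elsewhere in the file. (4) Step 2, "Select **Add a new action** and then search for **New Action**", reads as a duplicated step; confirm the intended UI path. (5) `>[!IMPORTANT]` before the template instructions lacks the space after `>` that the first callout has, and the H1 "Build logic apps with..." differs from the front-matter title "Build Azure Logic Apps with...".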