Important
Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
This article provides information on pricing, limits, and availability when setting up and using Microsoft Sentinel's Model Context Protocol (MCP) collection of security tools.
Pricing and billing
Microsoft Sentinel data lake tools
Microsoft Sentinel pricing is based on the tier that you ingest data into. The data lake tier is a cost-effective option for ingesting secondary security data and querying security data over the long term. In this tier, Microsoft Sentinel's unified MCP server interface is offered at no extra cost. You pay for invoking tools that search and retrieve data by using Kusto Query Language (KQL) queries from Microsoft Sentinel data lake. With Microsoft Sentinel data lake's billing model, you pay as you go for queries that retrieve data. For details, see the Microsoft Sentinel data lake pricing documentation.
Microsoft Sentinel entity analyzer tool
You pay for the KQL queries the entity analyzer performs over the Microsoft Sentinel data lake. You're charged for the Security Compute Units (SCUs) required to deliver the reasoned entity risk analysis based on prevalence, threat intelligence, and relationships.
Triage tool
You can use the triage tool collection at no extra cost, if you're onboarded to the required products and services.
Quotas and limits
Microsoft Sentinel data lake tools
All service parameters and limits for Microsoft Sentinel data lake also apply when you use Microsoft Sentinel's MCP collection of tools.
The following limits are specific to Microsoft Sentinel data lake MCP tools:
| Feature | Limits |
|---|---|
| MCP streaming | 120 seconds |
| Query window for tools | 800 characters |
Microsoft Sentinel entity analyzer tool
Each tenant can use the entity analyzer MCP tool up to the following limits:
- 200 total runs an hour
- 500 total runs a day
- Around 15 concurrent runs every five minutes (based on available service capacity)
Results generated by the entity analyzer are available for one hour. You need to run a new query after the tool's analysis expires.
Triage tool
Regular API throttling applies to the tools in the triage tool collection. In addition, tools that call the advanced hunting API are bound by the existing advanced hunting quotas and service limits. For details, see the documentation on advanced hunting quotas and usage parameters.
Language and region availability
Microsoft Sentinel’s collection of MCP tools supports English prompts only. For optimal performance, customers located in the following countries and regions can use Microsoft Sentinel's collection of MCP tools:
- Australia
- Canada
- Europe
- India
- Japan
- Norway
- Southeast Asia
- Switzerland
- United Kingdom
- United States