Domain 3: Perform Threat Hunting (Module 6 of 6)

Notebooks & the Sentinel MCP Server

For advanced hunting, step beyond KQL. Learn how to use Jupyter notebooks in Sentinel for complex analysis and connect to the Sentinel MCP Server for AI-assisted hunting.

Beyond KQL: when notebooks shine

Simple explanation

KQL is your everyday tool. Notebooks are your power tool.

Sometimes a hunt requires more than KQL can offer: machine learning on entity behaviour, statistical analysis across months of data, integration with external threat intel APIs, or custom visualisations that go beyond Sentinel’s built-in charts.

Jupyter notebooks in Sentinel let you combine KQL queries with Python code, creating advanced investigation and hunting workflows. The Sentinel MCP Server (Model Context Protocol) takes this further: it lets AI tools (like Copilot) connect directly to your Sentinel data for AI-assisted hunting.

Sentinel notebooks

What notebooks add over KQL

Capability | KQL alone | KQL + notebook
--- | --- | ---
Statistical analysis | Basic (percentile, variance) | Full Python stats (scipy, numpy)
Machine learning | Limited (anomaly rules) | Scikit-learn, custom models
Visualisation | Basic charts | Matplotlib, Plotly, interactive maps
External APIs | Not supported | Call VirusTotal, Shodan, AbuseIPDB
Data manipulation | KQL operators | Pandas DataFrames for complex transforms
Workflow automation | Run query, get results | Multi-step investigation with conditional logic

Common notebook use cases

Use case | What the notebook does
--- | ---
Entity behaviour profiling | Query 90 days of sign-in data, build a statistical profile of “normal” for each user, flag deviations
Threat intel enrichment | Take IP addresses from an incident, query VirusTotal and Shodan APIs, merge results with Sentinel data
Geospatial analysis | Map IP addresses to locations, visualise attack origins on an interactive world map
Timeline reconstruction | Query multiple tables, merge into a unified timeline, render as an interactive visualisation
Anomaly scoring | Apply machine learning models to identify entities with unusual behaviour patterns
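The "entity behaviour profiling" row above is the kind of analysis a notebook does that a single KQL query cannot easily express: build a per-user baseline, then score new events against it. The block below is an added example written for this guide, not code from the course or from msticpy. It uses only the Python standard library and a constructed sign-in sample (user, UTC hour, country) that stands in for the rows a SigninLogs query would return; the user names, hours and countries are invented.

```python
"""Per-user sign-in baseline and deviation scoring (added example, stdlib only)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline rows: (user, sign-in hour in UTC, country). In a real
# notebook these come from a KQL query over SigninLogs executed via msticpy.
BASELINE = (
    [("alice", h, "GB") for h in (8, 9, 9, 10, 11, 13, 14, 16, 17, 18)]
    + [("bob", h, "US") for h in (14, 15, 15, 16, 17, 18, 19, 20, 21, 22)]
)

# Constructed new events to score against the baseline.
NEW_SIGNINS = [
    ("alice", 9, "GB"),   # inside her normal working hours
    ("alice", 3, "GB"),   # 03:00 UTC, well outside her profile
    ("bob", 16, "RO"),    # normal hour, but a country never seen for bob
]


def build_profiles(rows):
    """Return {user: {mean_hour, std_hour, countries}} from baseline rows.

    Note: hours are treated as a plain 0-23 number; a baseline that straddles
    midnight would need circular statistics, which is out of scope here.
    """
    hours = defaultdict(list)
    countries = defaultdict(set)
    for user, hour, country in rows:
        hours[user].append(hour)
        countries[user].add(country)
    return {
        user: {
            "mean_hour": mean(hs),
            "std_hour": pstdev(hs),
            "countries": countries[user],
        }
        for user, hs in hours.items()
    }


def score_signin(profile, hour, country, z_threshold=2.0):
    """Return the list of reasons a sign-in deviates from the profile (empty = normal)."""
    reasons = []
    std = profile["std_hour"] or 1.0  # guard against a constant-hour baseline
    z = abs(hour - profile["mean_hour"]) / std
    if z > z_threshold:
        reasons.append(f"hour z-score {z:.1f}")
    if country not in profile["countries"]:
        reasons.append(f"unseen country {country}")
    return reasons


def flag_deviations(baseline, new_rows, z_threshold=2.0):
    """Score each new sign-in; return (user, hour, country, reasons) for the deviants."""
    profiles = build_profiles(baseline)
    flagged = []
    for user, hour, country in new_rows:
        if user not in profiles:
            flagged.append((user, hour, country, ["no baseline for user"]))
            continue
        reasons = score_signin(profiles[user], hour, country, z_threshold)
        if reasons:
            flagged.append((user, hour, country, reasons))
    return flagged


if __name__ == "__main__":
    for user, hour, country, reasons in flag_deviations(BASELINE, NEW_SIGNINS):
        print(f"{user:6} {hour:02d}:00 UTC {country}  ->  {'; '.join(reasons)}")
```

The z-score threshold and the "unseen country" rule are deliberately simple so that the output can be explained to an incident owner; in a production notebook the same structure would be fed by a 90-day query and the flagged rows written back to the incident as evidence.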

How notebooks work in Sentinel

  1. Launch from the Sentinel Notebooks page or from an incident
  2. Connect to your Sentinel workspace using the msticpy library
  3. Query data using KQL through the notebook connector
  4. Analyse with Python: transform, enrich, model
  5. Visualise results with charts, graphs, and maps
  6. Document findings in the notebook (code + output + markdown = reproducible investigation)

Scenario: Zoe helps Tyler with a notebook investigation

Tyler at CipherStack suspects a slow-and-low data exfiltration over DNS. KQL finds long DNS queries, but Tyler needs to determine if the domain patterns are truly encoded data or just legitimate CDN subdomains.

Tyler asks Zoe (a data scientist) to help. Zoe creates a notebook that:

  1. Queries 30 days of DNS events from Sentinel
  2. Extracts subdomain strings from each query
  3. Calculates entropy of each subdomain (encoded data has higher entropy than normal names)
  4. Uses a machine learning classifier trained on known DNS tunnelling patterns
  5. Scores each domain on a 0-1 scale of tunnelling probability

Results: 4 domains score above 0.9, confirming DNS tunnelling from a compromised developer machine. The notebook evidence is saved and attached to the incident.
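Steps 2, 3 and 5 of Zoe's notebook (extract the subdomain, compute its entropy, score it 0-1) can be shown offline. The block below is an added example for this guide, not the course's or msticpy's code. It replaces the trained classifier in step 4 with a transparent entropy-plus-length weighting so that it runs without a model, and it uses a constructed list of (host, queried name) rows in place of the DNS query result; every host and domain in it is invented, and the "registered domain = last two labels" rule is a stated simplification.

```python
"""Entropy-based triage of long DNS names (added example, stdlib only)."""
import math
from collections import Counter

# Constructed rows standing in for the result of a KQL query over DNS events:
# (source host, queried FQDN). In a Sentinel notebook these would arrive as a
# DataFrame from msticpy's QueryProvider; the hosts and domains here are invented.
SAMPLE_DNS = [
    ("dev-laptop-07", "static.images.example-cdn.net"),
    ("dev-laptop-07", "a1b2c3d4e5f678900f1e2d3c4b5a6789.exfil-example.net"),
    ("dev-laptop-07", "9f8e7d6c5b4a32100123456789abcdef.exfil-example.net"),
    ("dev-laptop-07", "mail.example.com"),
    ("finance-pc-02", "login.microsoftonline.com"),
]


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def subdomain_part(fqdn: str, registered_labels: int = 2) -> str:
    """Return the labels to the left of the registered domain.

    Simplification: the registered domain is taken to be the last two labels.
    A real notebook should use a public-suffix list so that e.g. co.uk is handled.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) <= registered_labels:
        return ""
    return ".".join(labels[:-registered_labels])


def tunnelling_score(fqdn: str) -> float:
    """Heuristic 0-1 score built from entropy and length of the subdomain text.

    Stands in for the trained classifier in the scenario; it is NOT a trained model.
    """
    sub = subdomain_part(fqdn).replace(".", "")
    if not sub:
        return 0.0
    # Hex/base32 payloads approach 4 bits per character; ordinary labels sit well below.
    entropy_component = min(shannon_entropy(sub) / 4.0, 1.0)
    length_component = min(len(sub) / 40.0, 1.0)
    return round(0.7 * entropy_component + 0.3 * length_component, 3)


def score_dns_events(rows, threshold: float = 0.9):
    """Score every (host, fqdn) row; return dicts sorted by score, highest first."""
    scored = []
    for host, fqdn in rows:
        score = tunnelling_score(fqdn)
        scored.append({
            "host": host,
            "fqdn": fqdn,
            "entropy": round(shannon_entropy(subdomain_part(fqdn).replace(".", "")), 3),
            "score": score,
            "suspicious": score >= threshold,
        })
    return sorted(scored, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in score_dns_events(SAMPLE_DNS):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f'{row["score"]:.3f} {flag:10} {row["host"]:14} {row["fqdn"]}')
```

On this sample the two hex-payload names score 0.94 and the CDN, mail and login names stay well under the 0.9 threshold. The weakness of entropy alone is also visible: a CDN that uses hash-like hostnames would climb towards the threshold, which is exactly why the scenario adds a classifier trained on known tunnelling patterns rather than relying on this heuristic.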

The Sentinel MCP Server

What is MCP?

Model Context Protocol (MCP) is a standardised protocol that allows AI tools to connect to data sources. The Sentinel MCP Server exposes your Sentinel workspace to AI assistants, enabling them to:

  • Run KQL queries against your data
  • List available tables and schemas
  • Execute hunting queries
  • Retrieve incident and entity information
  • Analyse results using AI reasoning

Why MCP matters for hunting

Without MCP | With MCP
--- | ---
AI tools cannot access your security data | AI tools query Sentinel directly
You copy-paste data between tools | AI assistants work with live data
Investigation is manual and slow | AI chains multiple queries automatically
Each analyst works in isolation | AI can surface patterns across the team’s data

Connecting to the Sentinel MCP Server

  1. Enable the MCP Server in your Sentinel workspace settings
  2. Configure access permissions (which AI tools can connect, with what scope)
  3. Connect from an AI assistant (e.g., Copilot, a custom agent) using the MCP endpoint
  4. The AI can now query your Sentinel data as part of its reasoning process

Exam tip: MCP is new but tested

The Sentinel MCP Server is a recent addition to the exam (April 2026 update). The exam tests:

  • What it is: a protocol for AI tools to connect to Sentinel data
  • What it enables: AI-assisted hunting, automated query execution, live data access
  • Where it connects β€” to Jupyter notebooks and external AI assistants

You do NOT need to know MCP protocol details. Focus on the use case: enabling AI tools to hunt in your Sentinel data.

Course complete: Domain 3 summary

You have completed all three domains of SC-200:

Domain | Weight | Modules | Key skills
--- | --- | --- | ---
1. Manage a Security Operations Environment | 40-45% | 12 | Sentinel workspace, data connectors, MDE, automation, detections, MITRE
2. Respond to Security Incidents | 35-40% | 10 | Triage, investigation across Defender products, Copilot, complex attacks, endpoint response
3. Perform Threat Hunting | 20-25% | 6 | KQL, Advanced Hunting, Sentinel hunting, threat analytics, Data lake, notebooks

Exam strategy: final review checklist

Before the exam, ensure you can:

  • Write KQL: table selection, operators, cross-table joins
  • Choose the right detection type: NRT vs scheduled vs TI vs anomaly
  • Trace an attack chain: initial access through exfiltration
  • Know role boundaries: Reader vs Responder vs Contributor vs Playbook Operator
  • Distinguish products: which product detects which threat (Entra vs MDI vs MDCA vs MDE)
  • Understand automation levels: Full vs Semi vs No automation
  • Use the right investigation tool: timeline vs live response vs investigation package
  • Handle Data lake: search jobs for historical queries, summary rules for ongoing aggregation

Good luck with SC-200!

Question

When should you use a Sentinel notebook instead of a KQL query?

Answer

Use notebooks when you need: machine learning (anomaly scoring, classification), external API enrichment (VirusTotal, Shodan), advanced visualisations (interactive maps, complex charts), statistical analysis (entropy calculation, profiling), or multi-step automated investigation workflows.

Question

What is the Sentinel MCP Server?

Answer

A Model Context Protocol server that exposes your Sentinel workspace to AI tools. It allows AI assistants (like Copilot) to run KQL queries, list tables, retrieve incidents, and analyse results using live Sentinel data. It enables AI-assisted hunting without manual data transfer.

Question

What Python library does Sentinel use for notebook integration?

Answer

msticpy (Microsoft Threat Intelligence Python Security Tools). It provides connectors to query Sentinel data, entity enrichment functions, visualisation helpers, and integration with external threat intelligence APIs.

Knowledge Check

Tyler wants to determine if long DNS queries from a developer machine are DNS tunnelling or legitimate CDN traffic. KQL alone cannot make this distinction. What tool should he use?

Knowledge Check

An AI assistant needs to query Pacific Meridian's Sentinel workspace to assist with hunting. What Sentinel feature enables this?

Congratulations! You have completed all 28 modules of the SC-200 study guide. Time to practise with exam-style questions and review any areas where you felt less confident. Good luck with your certification!