Sentinel MCP Watchlist Builder from Threat Intel
On a schedule, the flow ingests threat-intel indicators (feed/email/Dataverse), asks the Sentinel MCP (Preview) to validate and de-duplicate them against existing data, and updates a Sentinel watchlist, reporting additions to Teams. Keeps Sentinel watchlists current from external intel automatically.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow keeps a Microsoft Sentinel watchlist current from external threat intelligence. On a 3-hour schedule it pulls IOC indicators from a threat-intel feed (HTTP), asks the Sentinel MCP (Preview) to validate and de-duplicate them against existing watchlist data, upserts the new IOCs into the target Sentinel watchlist via the Azure Resource Manager REST API, and reports the additions to a SOC Teams channel.
Why it matters: Manually maintaining watchlists is slow and error-prone. MCP-assisted validation keeps them clean, current, and timely, and the whole pipeline is traceable end-to-end via a correlation ID.
Status: Built and shipped Off (demo). Going live requires only connection authorization and environment-variable configuration - no logic changes.
Use Case
A SOC enriches its detections with Sentinel watchlists and wants those watchlists fed automatically from external intel rather than maintained by hand. This flow ingests indicators on a schedule, uses the Sentinel MCP to keep the list clean (validated, de-duplicated, high-confidence), and notifies the team of what changed.
Flow Architecture
- Every_3_Hours (Recurrence, Hour/3): Schedule the intel pull
- Initialize variables (Initialize Variable x14): Mint a correlation ID and load all env-var-backed config (feed URL/key, watchlist alias, ARM base, subscription/RG/workspace, MCP tool name, Teams group/channel, ARM OAuth tenant/client/secret)
- Fetch_Indicators (HTTP GET): Pull the latest IOCs from the external threat-intel feed (non-connectorized REST; key in the Authorization header)
- Init_MCP_Session (Sentinel MCP invokemcpknowledgeobjects): Open an MCP session (JSON-RPC initialize); the Mcp-Session-Id is read from the response header
- MCP_Validate_Indicators (Sentinel MCP invokemcpknowledgeobjects): JSON-RPC tools/call to validate and de-duplicate the indicators, returning only new IOCs
- Foreach_New_Indicator -> Add_Watchlist_Item (Apply to each -> HTTP PUT, ARM, ActiveDirectoryOAuth): Upsert each IOC as a Sentinel watchlist item via Microsoft.SecurityInsights/watchlists/{alias}/watchlistItems
- Report_To_Teams (Teams PostMessageToConversation): Post a summary (watchlist, count, correlation ID) to the SOC channel
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_TiFeedUrl | String | https://intel.example.com/api/v1/indicators?since=last24h | Threat-intel feed endpoint |
| flowlibs_TiApiKey | String | REPLACE_WITH_TI_FEED_KEY | Feed auth key (store real value in Key Vault) |
| flowlibs_WatchlistAlias | String | ThreatIntel-IOCs | Target Sentinel watchlist alias |
| flowlibs_SentinelResourceGroup | String | rg-sentinel | Resource group of the Log Analytics workspace |
| flowlibs_SentinelWorkspaceName | String | law-sentinel | Log Analytics workspace name |
| flowlibs_SentinelMcpToolName | String | (reused) | Sentinel MCP tool to call for validate/dedupe |
| flowlibs_ArmBaseUrl | String | https://management.azure.com | ARM base URL (ports to sovereign clouds) |
| flowlibs_AzureSubscriptionId | String | <configure> | Subscription hosting Sentinel |
| flowlibs_AzureTenantId | String | <your-tenant-id> | Entra tenant for ARM OAuth |
| flowlibs_AzureClientId | | | |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Microsoft Sentinel MCP (Preview) | shared_sentinelmcp | invokemcpknowledgeobjects |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Expiry: Age out stale indicators (add a scheduled prune of old watchlist items, or set TTL metadata on each item).
- Confidence filter: Instruct the MCP tool (or a Filter array) to keep only high-confidence IOCs before writing.
- Multi-feed: Initialize several feed URLs and merge their results before the MCP validate step.
- Feed shape: Adjust Fetch_Indicators headers/auth and Compose_New_Indicators extraction to match your feed's JSON schema and the MCP tool's result shape.
- Watchlist key: Set the watchlist item's itemsKeyValue mapping to your watchlist's column schema.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
- EXPR.01 Correlation ID: Minted once, stamped on the Teams report
- EXPR.02 Feed auth header: Authorization header for the threat-intel feed
- EXPR.03 MCP session reuse: Captured session id reused for tools/call
- EXPR.04 New IOCs to add: MCP-validated set if present, else raw feed array
- EXPR.05 Added count: Count of IOCs being written this run
- EXPR.06 Watchlist item URI: PUT endpoint for a single watchlist item
- EXPR.07 ARM OAuth audience: OAuth audience for the ARM watchlist write
Customize & download
Generate a ready-to-import copy of this solution with your environment-variable values baked in — available on Base, Pro, or Team.