MCP Connector Strategies
How to use Sentinel and Splunk MCP integrations in Canoma for high-confidence internal context.
This page focuses on the two built-in MCP connector types in Canoma: Microsoft Sentinel and Splunk. Use these connectors to validate external threat claims against your environment.
How Connector Queries Run
- Configure connector credentials in Settings.
- Define narrow query scope (assets, timeframe, and threat object).
- Canoma executes the connector query and normalizes returned evidence.
- Review connector-tagged findings in the response.
Security Expectations
- Use least-privilege credentials for each connector.
- Restrict connector targets to approved environments.
- Rotate tokens regularly and retest access after rotation.
- Keep production connector traffic encrypted.
Microsoft Sentinel in Canoma
Required Fields
- Workspace ID
- Access Token (Bearer token with Sentinel API permissions)
Recommended Pattern
- Start with a single CVE, actor, or IOC cluster.
- Use a bounded time window (24h to 72h) for first-pass triage.
- Return host, timestamp, and evidence summary in one response.
Sentinel Prompt Pattern
Check Microsoft Sentinel for evidence of CVE-2025-XXXX in internet-facing assets over the last 24h. Return affected hosts, event timestamps, and top matching logs.
Splunk in Canoma
Required Fields
- Splunk Host (for example, https://mycompany.splunkcloud.com:8089)
- API Token
Recommended Pattern
- Start with bounded searches before broad hunts.
- Ask for source types, impacted systems, and confidence notes.
- Re-run critical hits using a second query angle.
Splunk Prompt Pattern
Search Splunk for indicators related to [actor/CVE/IOC] over the past 24h. Return matched events, sourcetypes, affected systems, and confidence notes.
Investigation Workflow (Sentinel or Splunk)
1) Triage
- Start with one threat object (single CVE, actor, or IOC cluster).
- Use a short timeframe first (24h to 72h).
2) Correlate
- Compare internal hits against external intelligence claims.
- Separate confirmed internal evidence from inferred links.
3) Escalate
- Convert confirmed findings into owner-based actions.
- Include source system, timestamp range, and confidence.
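The normalization step from "How Connector Queries Run" and the triage, correlate and escalate steps above, as an added example that is not Canoma's own code: it maps constructed Sentinel and Splunk rows into one schema, drops hits outside the bounded window, grades each hit as confirmed (threat object present in the evidence) or inferred, and builds the per-source summary with timestamp range and confidence. The column and field names used for the two sources are assumptions made for this example.

```python
# Added example, not Canoma's own code. Column and field names assumed for the
# Sentinel and Splunk rows are constructed for this example, not the connectors' real schema.
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# One normalized evidence record; confidence is "confirmed" or "inferred".
Finding = namedtuple("Finding", "source host timestamp evidence confidence")

def finding(source, host, ts, evidence, threat_object):
    # Confirmed only when the threat object itself appears in the evidence;
    # anything else is an inferred link that still needs a second query angle.
    grade = "confirmed" if threat_object.lower() in evidence.lower() else "inferred"
    return Finding(source, host, ts, evidence, grade)

def normalize_sentinel(rows, threat_object):
    # Assumed Sentinel columns: Computer, TimeGenerated (ISO 8601 with offset), Summary.
    return [finding("sentinel", r["Computer"], datetime.fromisoformat(r["TimeGenerated"]),
                    r["Summary"], threat_object) for r in rows]

def normalize_splunk(results, threat_object):
    # Assumed Splunk fields: host, _time (epoch seconds), _raw.
    return [finding("splunk", r["host"], datetime.fromtimestamp(float(r["_time"]), timezone.utc),
                    r["_raw"], threat_object) for r in results]

def bound_window(findings, window_end, hours=24):
    # Keep only hits inside the short first-pass window (24h to 72h on this page).
    start = window_end - timedelta(hours=hours)
    return [f for f in findings if start <= f.timestamp <= window_end]

def escalation_summary(findings):
    # Per-source view for the owner: timestamp range plus confirmed/inferred counts.
    out = {}
    for f in findings:
        s = out.setdefault(f.source, {"earliest": f.timestamp, "latest": f.timestamp, "confirmed": 0, "inferred": 0})
        s["earliest"], s["latest"] = min(s["earliest"], f.timestamp), max(s["latest"], f.timestamp)
        s[f.confidence] += 1
    return out

# Constructed sample rows; the CVE id is the page's placeholder, not a real CVE.
WINDOW_END = datetime(2025, 1, 2, tzinfo=timezone.utc)
SENTINEL_ROWS = [
    {"Computer": "web-01", "TimeGenerated": "2025-01-01T20:15:00+00:00", "Summary": "Exploit attempt matching CVE-2025-XXXX signature"},
    {"Computer": "web-02", "TimeGenerated": "2024-12-29T08:00:00+00:00", "Summary": "CVE-2025-XXXX scanner traffic"},  # outside 72h
]
SPLUNK_RESULTS = [{"host": "web-01", "_time": "1735762500", "_raw": "suspicious POST to /admin"}]

def run(threat_object="CVE-2025-XXXX", hours=24):
    findings = normalize_sentinel(SENTINEL_ROWS, threat_object) + normalize_splunk(SPLUNK_RESULTS, threat_object)
    return escalation_summary(bound_window(findings, WINDOW_END, hours))
```

The Splunk hit on web-01 lands in the same window as the Sentinel hit but carries no reference to the threat object, so it stays "inferred" until a second query angle confirms it.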
Failure Modes and Fixes
| Symptom | Likely cause | Fix |
|---|---|---|
| Empty results | Time window too narrow or wrong scope | Expand time range and verify entity fields |
| Query error | Connector tool/argument mismatch | Test connector first and inspect available tools |
| Noisy output | Query too broad | Constrain by asset group and threat object |
| False certainty | Weak correlation from partial evidence | Force explicit fact vs assumption separation |
Operational Best Practices
- Run connector test after setup and credential rotation.
- Keep one connector query objective per prompt.
- Re-run high-impact findings with a second query angle.
- Keep internal findings separate from external claims until validated.
Related setup guidance
For connector hardening controls, see MCP Security Hardening.