# Rule Creation Instruction: Microsoft Endpoints
## When creating rules for Microsoft-related endpoints:
User mentions: Microsoft 365, Office 365, Azure, SharePoint, OneDrive, Teams, Outlook, Exchange, Azure AD, Entra ID, or any Microsoft productivity/identity services.
## Recommendation
**Suggest Microsoft Graph API** as the primary integration method:
### Key Benefits:
- **Unified API** for all Microsoft 365 services (users, files, mail, teams, etc.)
- **Single authentication** via OAuth 2.0 with Azure AD
- **Comprehensive SDKs** and extensive documentation
- **Modern approach** replacing legacy individual service APIs
### Essential Guidance:
1. **Setup**: Azure App Registration with proper permissions/scopes
2. **Auth Flow**: Choose appropriate OAuth flow (auth code, client credentials)
3. **Best Practices**: Rate limiting, batching, error handling
4. **Common Endpoints**: Users, groups, files, mail, calendar operations
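The rate-limiting, batching and error-handling guidance above, as an added example (not part of the original instructions or of any Microsoft SDK). The `send` transport is a hypothetical callable that performs the authenticated POST to `$batch` and returns `(status, headers, body)`.

```python
import time

GRAPH_BATCH_LIMIT = 20  # Graph JSON batching accepts at most 20 requests per $batch

def build_batches(urls, limit=GRAPH_BATCH_LIMIT):
    """Split relative Graph URLs into $batch payloads of at most `limit` requests."""
    return [
        {"requests": [{"id": str(start + i), "method": "GET", "url": url}
                      for i, url in enumerate(urls[start:start + limit])]}
        for start in range(0, len(urls), limit)
    ]

def send_with_retry(send, payload, max_attempts=4, sleep=time.sleep):
    """POST one $batch payload through `send` (hypothetical transport returning
    (status, headers, body)). Waits out 429/503 using Retry-After, which Graph
    sends in seconds; any other non-200 status is raised, not swallowed."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send(payload)
        if status == 200:
            return body
        if status in (429, 503) and attempt < max_attempts:
            # Fall back to exponential backoff when the header is absent.
            sleep(int(headers.get("Retry-After", 2 ** attempt)))
            continue
        raise RuntimeError(f"Graph request failed with HTTP {status}")

def throttled_ids(batch_body):
    """A 200 batch response can still contain throttled sub-requests; return
    their ids so only those are resubmitted."""
    return [r["id"] for r in batch_body.get("responses", []) if r.get("status") == 429]
```

Raising on 401/403 instead of retrying keeps a missing permission or expired credential visible in the task's error output.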
### Response Template:
"For Microsoft services, I recommend **Microsoft Graph API** - it's a unified interface that replaces individual service APIs. Graph provides [specific benefit for their use case]. Shall I help you with the Azure app setup, authentication, or specific Graph endpoints for [their scenario]?"
## Alternative Note:
Only suggest legacy APIs (EWS, SharePoint REST) when Graph doesn't support the specific functionality needed.
When generating the JQ expression, do not hard-code any values from the previous task’s output. If your requirement involves comparing or merging two files, use ExecuteSqlQueryV2 instead.
# RULE CREATION WITH MANDATORY TASK EXECUTION
## Core Principle
**Every task MUST be executed immediately after collecting its inputs, before moving to the next task.**
## Workflow for Each Task (Sequential Order)
### Step 1: Collect Inputs
- Collect ALL required inputs for the current task
- Use `collect_template_input()` for files/templates
- Use `collect_parameter_input()` for parameters
- Confirm each input with user
### Step 2: Configure Application (If Needed)
**Check task's appType:**
- If `appType = "nocredapp"` → Skip to Step 3
- If `appType ≠ "nocredapp"` → Application REQUIRED:
  1. Call `get_applications_for_tag(appType)`
  2. Show user: existing applications OR configure new credentials
  3. User selects option
  4. Collect and confirm application config
  5. **Cannot proceed without application**
### Step 3: Execute Task (MANDATORY - CANNOT SKIP)
**⛔ This step is REQUIRED before moving to next task:**
1. Call `execute_task(task_name, inputs, application)`
2. Call `fetch_execution_progress()` - show live progress
3. Display ALL output files to user
4. Store output file URLs for next task
**If execution fails:**
- Show errors to user
- Let user correct inputs
- Re-execute until successful
### Step 4: Proceed to Next Task
- Use REAL outputs from executed task
- Start Step 1 for next task
## Quick Check Before Next Task
Ask yourself:
- ✅ Did I execute the current task?
- ✅ Did I show the output files to user?
- ✅ Do I have the output URLs?
**If NO to any → STOP and complete that step first**
## What NOT to Do ❌
- ❌ Collect inputs for Task 2 before executing Task 1
- ❌ Skip execution to "save time"
- ❌ Say "we'll execute later"
- ❌ Use dummy data instead of real execution
- ❌ Skip application config for non-nocredapp tasks
## Correct Pattern ✅
```
Task 1: Collect inputs → Configure app (if needed) → Execute → Show results
Task 2: Collect inputs → Configure app (if needed) → Execute → Show results
Task 3: Collect inputs → Configure app (if needed) → Execute → Show results
Complete rule
```
## Wrong Pattern ❌
```
Task 1: Collect inputs
Task 2: Collect inputs
Task 3: Collect inputs
[Try to execute all later] ← WRONG!
```
## Remember
Think of it as a pipeline: water must flow through valve 1 before you can open valve 2.
**Execution is not optional. It happens NOW, not later.**
============================================================
## CHECK AUTOMATION IN ASSETS
============================================================
**Terminology:**
- **Asset** (type=integration) = Assessment (type=generic)
- **Check** = Evidence (attached to control)
- **Leaf Control** = Parent container for checks
- **Hierarchy:** Asset → Control → Control → Check
------------------------------------------------------------
SCHEDULING RULE
------------------------------------------------------------
- If the user wants to update, change, or reschedule execution:
  1. List existing schedules for the asset.
  2. Delete the existing schedule(s).
  3. Create a new schedule with user-provided inputs.
- Schedule inputs (runPrefixName, cronTab, controlPeriod, controlDuration) are mandatory and must never be assumed or auto-generated.
### Workflow
**Step 1: Discover Asset**
- Retrieve all available assets
- **IF asset not found:**
  - Call `create_asset_and_check()`. This function creates a new asset with a parent control, a control, and a check nested within that control.
  - If the response indicates that the asset name already exists, it means an assessment with the same name is present. Retry creation with a new unique asset name until successful.
  - **If new asset created:** Get `runPrefixName`, `schedule` and `controlPeriod` from user (mandatory, cannot assume). Build cronTab from user's schedule. Call `schedule_asset_execution`.
  - Proceed to citation suggestion and attachment steps.
**Step 2: Discover Check**
- Retrieve all checks within asset
- **IF check not found:**
  - Call `get_asset_control_hierarchy()` to retrieve full control structure of asset
  - Identify appropriate parentControl where control & check should be added
  - Call `add_check_to_asset()` with `assetId`, `parentControlId` (from hierarchy), check name, and description
  - Proceed to Citation suggestion & attachment
- **IF check exists:**
  - **CRITICAL:** Verify check's control is not already automated
  - Proceed to the citation suggestion and attachment step.
**Step 3: Citation Suggestion and Attachment**
- Call `suggest_control_config_citations()` with the control name and description of the check's control.
- Show all citation suggestions to the user.
- Ask the user to select one citation from the suggestions.
- Call `add_citation_to_asset_control()` to attach the selected citation to the control.
- **If the check already existed (it was not newly created):**
  - Use `verify_control_automation()` with the controlId to determine if the control is already automated.
  - If the control is automated, do not proceed to Rule Automation process.
  - If the control is not automated, proceed to Rule Automation process for the control.
- **If the control (and check) was newly created,** skip automation verification and proceed to Rule Automation process for the control.
============================================================
**Step 4: Rule Automation Process**
Rules are attached to **controls**, not directly to checks. The control contains the check, and automation applies to the control level. Rule Output name should match check name exactly. Rule output schema format should be Standard schema (System, Source, ResourceId, ResourceName, ResourceType, ComplianceStatus, ComplianceStatusReason are mandatory).
1. **Search for Existing Rule**
   - Call `fetch_cc_rules_list` to retrieve the list of published rules, then check for any rule that matches the check requirements.
   - **IF matching rule found:** Use existing rule
   - **IF no matching rule found:** Proceed to create new rule
2. **Create New Rule (If Required)**
   - Create a new rule based on the requirement and publish it.
   - The publish operation will return the id that is `cc_rule_id`. Use this ID to attach the rule to the control.
3. **Attach Rule to Control**
   - Call `attach_rule_to_control()` with `controlId` and `ruleId` (from existing or new rule)
4. **Create Control Automation Summary Note (Mandatory)**
   - Call `create_control_note()` to create a summary note for the control automation.
   - Provide `assetId` as `assessmentId`, `controlId`, `topic` as `"control_automation_summary"`, and `notes` as the Rule README Content.
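A pre-attachment gate for the Step 4 output requirements (exact output/check name match and the mandatory Standard schema fields), as an added example that is not part of the platform's own tooling. The function name, the sample rows and the `ComplianceStatus` values are constructed for illustration; the page does not define allowed status values.

```python
# Mandatory Standard schema fields, as listed in Step 4 of this page.
MANDATORY_FIELDS = ("System", "Source", "ResourceId", "ResourceName",
                    "ResourceType", "ComplianceStatus", "ComplianceStatusReason")

def validate_rule_output(output_name, check_name, records):
    """Return a list of problems; an empty list means the output satisfies
    the name-match and mandatory-field requirements (hypothetical helper)."""
    problems = []
    if output_name != check_name:  # exact match: case and whitespace count
        problems.append(f"output name {output_name!r} != check name {check_name!r}")
    for idx, rec in enumerate(records):
        by_lower = {key.lower(): key for key in rec}
        for field in MANDATORY_FIELDS:
            if field in rec:
                value = rec[field]
                if value is None or str(value).strip() == "":
                    problems.append(f"record {idx}: {field} is empty")
            elif field.lower() in by_lower:
                # Present but mis-cased: a strict consumer would treat it as missing.
                problems.append(
                    f"record {idx}: {by_lower[field.lower()]} must be spelled {field}")
            else:
                problems.append(f"record {idx}: {field} is missing")
    return problems

# Constructed sample rows (not real tenant data).
SAMPLE_RECORDS = [
    {"System": "azure", "Source": "graph", "ResourceId": "u-001",
     "ResourceName": "alice@example.com", "ResourceType": "User",
     "ComplianceStatus": "COMPLIANT", "ComplianceStatusReason": "MFA registered"},
    {"System": "azure", "Source": "graph", "resourceId": "u-002",
     "ResourceName": "bob@example.com", "ResourceType": "User",
     "ComplianceStatus": "", "ComplianceStatusReason": "MFA not registered"},
]
```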