
ms-sentinel-mcp-server

by dstreefkerk

sentinel_analytics_rule_get

Retrieve details for a specific analytics rule in Microsoft Sentinel to analyze security alerts and automate threat detection.

Instructions

Get details for a specific analytics rule

Input Schema

    Name      Required   Description   Default
    kwargs    Yes

Implementation Reference

  • The SentinelAnalyticsRuleGetTool class defines the MCP tool 'sentinel_analytics_rule_get'. Its async 'run' method (lines 124-176) executes the tool logic: extracts 'rule_name' parameter and Azure context, retrieves the analytics rule using Azure SecurityInsights client's alert_rules.get, builds a summary dictionary with key fields and full rule details under '_full', handles various exceptions like ResourceNotFoundError and returns appropriate error dicts.
    from azure.core.exceptions import HttpResponseError, ResourceNotFoundError

    # Context is the MCP SDK request-context type and MCPToolBase is the project's
    # own tool base class; their imports are not shown on this page.

    class SentinelAnalyticsRuleGetTool(MCPToolBase):
        name = "sentinel_analytics_rule_get"
        description = "Get details for a specific analytics rule"

        async def run(self, ctx: Context, rule_name: str = None, **kwargs):
            """
            Get details for a specific analytics rule.
            Supports both MCP server and direct (test) invocation.
            Returns a dict with summary fields and full rule details, or error details.
            """
            logger = self.logger
            # Robust parameter extraction: support both direct and nested kwargs
            if rule_name is None:
                rule_name = self._extract_param(kwargs, "rule_name")
            workspace, resource_group, subscription_id = self.get_azure_context(ctx)
            if not (workspace and resource_group and subscription_id):
                logger.error("Missing Azure Sentinel context for analytics rule retrieval.")
                return {"error": "Missing Azure Sentinel context."}
            if not rule_name:
                logger.error("No rule_name provided for analytics rule retrieval.")
                return {"error": "No rule_name provided."}
            try:
                client = self.get_securityinsight_client(subscription_id)
                rule = client.alert_rules.get(
                    resource_group_name=resource_group,
                    workspace_name=workspace,
                    rule_id=rule_name,
                )
                # SDK models expose as_dict(); fall back to dict() for plain mappings
                if hasattr(rule, "as_dict"):
                    rule_dict = rule.as_dict()
                else:
                    rule_dict = dict(rule)
                display_name = rule_dict.get("display_name") or rule_dict.get("displayName")
                severity = rule_dict.get("severity")
                enabled = rule_dict.get("enabled")
                summary = {
                    "id": rule_dict.get("id"),
                    "name": rule_dict.get("name"),
                    "kind": rule_dict.get("kind"),
                    "displayName": display_name,
                    "severity": severity,
                    "enabled": enabled,
                }
                # Full rule payload is kept under "_full" for callers that need every field
                summary["_full"] = rule_dict
                return summary
            except ResourceNotFoundError as e:
                logger.error("Analytics rule not found: %s", e)
                return {"error": "Analytics rule not found", "details": str(e)}
            except HttpResponseError as e:
                logger.error("HTTP error retrieving analytics rule: %s", e)
                return {"error": "HTTP error", "details": str(e)}
            except Exception as e:
                logger.error(
                    "Unexpected error retrieving analytics rule '%s': %s", rule_name, e
                )
                return {"error": "Unexpected error", "details": str(e)}
  • The 'register_tools' function (lines 608-623) registers the SentinelAnalyticsRuleGetTool (line 616) and other analytics tools with the MCP server instance via the .register(mcp) class method inherited from MCPToolBase.
    def register_tools(mcp):
        """
        Register all analytics tools with the given MCP server instance.

        Args:
            mcp: The MCP server instance to register tools with.
        """
        SentinelAnalyticsRuleListTool.register(mcp)
        SentinelAnalyticsRuleGetTool.register(mcp)
        SentinelAnalyticsRuleTemplatesListTool.register(mcp)
        SentinelAnalyticsRuleTemplateGetTool.register(mcp)
        SentinelAnalyticsRulesCountByTacticTool.register(mcp)
        SentinelAnalyticsRuleTemplatesCountByTacticTool.register(mcp)
        SentinelAnalyticsRulesCountByTechniqueTool.register(mcp)
        SentinelAnalyticsRuleTemplatesCountByTechniqueTool.register(mcp)
  • Tool metadata: name 'sentinel_analytics_rule_get' and description define the tool's identity and purpose. Input schema implied by 'run' signature: rule_name: str (extracted via _extract_param for MCP compatibility). Output: dict with summary fields (id, name, kind, displayName, severity, enabled) and _full rule details.
    class SentinelAnalyticsRuleGetTool(MCPToolBase):
        name = "sentinel_analytics_rule_get"
        description = "Get details for a specific analytics rule"

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dstreefkerk/ms-sentinel-mcp-server'
