sentinel_analytics_rule_list
List analytics rules with key fields from Microsoft Sentinel to manage security monitoring configurations and threat detection policies.
Instructions
List all analytics rules with key fields
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| kwargs | Yes | Additional keyword arguments; unused by the handler. | |
Implementation Reference
- `tools/analytics_tools.py:28-117` (handler): The `SentinelAnalyticsRuleListTool` class implements the tool. Its async `run` method lists all Microsoft Sentinel analytics rules through the Azure SecurityInsights client, extracts the key fields (`id`, `name`, `kind`, `displayName`, `severity`, `enabled`) and returns a list of summaries, or a list with a single error entry if the Azure context or the API call fails.

  ```python
  from azure.core.exceptions import HttpResponseError, ResourceNotFoundError
  from mcp.server.fastmcp import Context  # assumed import; the page does not show the project's imports
  # MCPToolBase is the project's own base class (provides self.logger,
  # get_azure_context and get_securityinsight_client); its import path is not shown on this page.


  class SentinelAnalyticsRuleListTool(MCPToolBase):
      """
      Tool to list all Microsoft Sentinel analytics rules with key fields.
      Returns a list of dictionaries, each containing rule summary fields or error details.
      """

      name = "sentinel_analytics_rule_list"
      description = "List all analytics rules with key fields"

      async def run(self, ctx: Context, **kwargs):
          """
          List all analytics rules with key fields.
          Supports both MCP server and direct (test) invocation.

          Args:
              ctx (Context): MCP context object.
              **kwargs: Additional keyword arguments (unused).

          Returns:
              list[dict]: List of rule summaries or error details.
          """
          logger = self.logger
          workspace, resource_group, subscription_id = self.get_azure_context(ctx)
          if not (workspace and resource_group and subscription_id):
              logger.error("Missing Azure Sentinel context for analytics rule listing.")
              return [{"error": "Missing Azure Sentinel context."}]

          rule_summaries = []
          errors = []
          try:
              client = self.get_securityinsight_client(subscription_id)
              rules = client.alert_rules.list(
                  resource_group_name=resource_group,
                  workspace_name=workspace,
              )
          except (HttpResponseError, ResourceNotFoundError) as e:
              logger.error("Azure SDK error listing analytics rules: %s", e)
              return [{"error": f"Azure SDK error: {str(e)}"}]
          except Exception as e:
              logger.error("Unexpected error listing analytics rules: %s", e)
              return [{"error": f"Unexpected error: {str(e)}"}]

          logged_first = False
          for rule in rules:
              try:
                  if not hasattr(rule, "name") or not hasattr(rule, "id"):
                      raise ValueError("Rule object missing required attributes")
                  name = getattr(rule, "name", None)
                  id_ = getattr(rule, "id", None)
                  kind = getattr(rule, "kind", None)
                  # SDK models expose snake_case attributes; fall back to the REST name.
                  display_name = getattr(rule, "display_name", None) or getattr(
                      rule, "displayName", None
                  )
                  severity = getattr(rule, "severity", None)
                  enabled = getattr(rule, "enabled", None)
                  summary = {
                      "id": id_,
                      "name": name,
                      "kind": kind,
                      "displayName": display_name,
                      "severity": severity,
                      "enabled": enabled,
                  }
                  rule_summaries.append(summary)
                  if not logged_first:
                      # Log the first raw rule once at debug level to aid troubleshooting.
                      logger.debug("First rule object: %s", rule)
                      logger.debug(
                          "First rule as_dict: %s",
                          getattr(rule, "as_dict", lambda: None)(),
                      )
                      logged_first = True
              except Exception as rule_exc:
                  logger.warning("Failed to process rule: %s", rule_exc)
                  errors.append(str(rule_exc))
                  continue

          # Log before the warning entry is appended so the count covers rules only.
          logger.info(
              "Retrieved %d analytics rule summaries (with %d errors).",
              len(rule_summaries),
              len(errors),
          )
          if errors:
              rule_summaries.append(
                  {
                      "warning": f"{len(errors)} rules could not be processed",
                      "details": errors,
                  }
              )
          return rule_summaries
  ```
- `tools/analytics_tools.py:615-615` (registration): The `SentinelAnalyticsRuleListTool` instance is registered with the MCP server in the `register_tools` function.

  ```python
  SentinelAnalyticsRuleListTool.register(mcp)
  ```

- `tools/analytics_tools.py:36-38` (schema): The tool name and description define its schema and purpose: it lists analytics rules with key fields and requires no input parameters.

  ```python
  name = "sentinel_analytics_rule_list"
  description = "List all analytics rules with key fields"
  ```
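As an added example (not part of the tool's own code), here is a consumer of the list the tool returns: it separates the optional trailing warning entry from the rule summaries and flags disabled rules at or above a chosen severity, so gaps in detection coverage are visible at a glance. The rule summaries below are constructed sample data in the tool's output shape.

```python
from collections import Counter

# Constructed sample of sentinel_analytics_rule_list output: rule summaries
# followed by the optional warning entry the handler appends when rules fail.
SAMPLE_OUTPUT = [
    {"id": "/subscriptions/<sub>/.../alertRules/r1", "name": "r1", "kind": "Scheduled",
     "displayName": "Suspicious PowerShell", "severity": "High", "enabled": True},
    {"id": "/subscriptions/<sub>/.../alertRules/r2", "name": "r2", "kind": "Scheduled",
     "displayName": "Brute force on SSH", "severity": "High", "enabled": False},
    {"id": "/subscriptions/<sub>/.../alertRules/r3", "name": "r3", "kind": "Fusion",
     "displayName": "Advanced Multistage Attack Detection", "severity": "Medium", "enabled": False},
    {"id": "/subscriptions/<sub>/.../alertRules/r4", "name": "r4",
     "kind": "MicrosoftSecurityIncidentCreation", "displayName": "Defender incidents",
     "severity": None, "enabled": True},
    {"warning": "1 rules could not be processed", "details": ["Rule object missing required attributes"]},
]

# Sentinel severity levels, lowest to highest.
SEVERITY_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def split_output(output):
    """Separate rule summaries from the error/warning entries the tool may emit."""
    rules = [e for e in output if "id" in e]
    problems = [e for e in output if "error" in e or "warning" in e]
    return rules, problems


def coverage_report(output, min_severity="High"):
    """Summarise enabled rules by severity and list disabled rules.

    Disabled rules whose severity is at or above min_severity are reported as
    critical gaps. Rules with no severity (e.g. incident-creation rules) are
    listed as disabled when off but never counted as critical gaps.
    """
    rules, problems = split_output(output)
    disabled = [r for r in rules if r.get("enabled") is False]
    threshold = SEVERITY_ORDER[min_severity]
    critical_gaps = [
        r for r in disabled
        if r.get("severity") in SEVERITY_ORDER and SEVERITY_ORDER[r["severity"]] >= threshold
    ]
    enabled_counts = Counter(r.get("severity") for r in rules if r.get("enabled"))
    return {
        "total": len(rules),
        "enabled_by_severity": dict(enabled_counts),
        "disabled": [r["name"] for r in disabled],
        "critical_gaps": [r["displayName"] for r in critical_gaps],
        "problems": problems,
    }
```

Feed the tool's real return value in place of `SAMPLE_OUTPUT`; an `error` entry (missing context or SDK failure) lands in `problems` with zero rules, which is itself worth alerting on.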