sentinel_analytics_rule_list
List all analytics rules with key fields from Microsoft Sentinel to monitor and manage security detection logic.
Instructions
List all analytics rules with key fields
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| kwargs | Yes | Additional keyword arguments (unused by the handler). | |
Implementation Reference
- tools/analytics_tools.py:28-118 (handler)

  The handler implementation for the 'sentinel_analytics_rule_list' tool. This is the MCPToolBase subclass whose 'run' method lists all Microsoft Sentinel analytics rules through the Azure SDK, extracts the key fields (id, name, kind, displayName, severity, enabled) and returns a list of summaries or error details. Imports sit above line 28 in the module; the module path of MCPToolBase is assumed below.

  ```python
  from azure.core.exceptions import HttpResponseError, ResourceNotFoundError
  from mcp.server.fastmcp import Context

  from .base import MCPToolBase  # assumed path: the base class lives elsewhere in the project


  class SentinelAnalyticsRuleListTool(MCPToolBase):
      """
      Tool to list all Microsoft Sentinel analytics rules with key fields.

      Returns a list of dictionaries, each containing rule summary fields or
      error details.
      """

      name = "sentinel_analytics_rule_list"
      description = "List all analytics rules with key fields"

      async def run(self, ctx: Context, **kwargs):
          """
          List all analytics rules with key fields.

          Supports both MCP server and direct (test) invocation.

          Args:
              ctx (Context): MCP context object.
              **kwargs: Additional keyword arguments (unused).

          Returns:
              list[dict]: List of rule summaries or error details.
          """
          logger = self.logger
          workspace, resource_group, subscription_id = self.get_azure_context(ctx)
          if not (workspace and resource_group and subscription_id):
              logger.error("Missing Azure Sentinel context for analytics rule listing.")
              return [{"error": "Missing Azure Sentinel context."}]

          rule_summaries = []
          errors = []
          try:
              client = self.get_securityinsight_client(subscription_id)
              # The SDK returns a lazy pager; materialise it here so that HTTP and
              # auth errors raised while fetching pages are caught by this block
              # rather than escaping from the for-loop below.
              rules = list(
                  client.alert_rules.list(
                      resource_group_name=resource_group,
                      workspace_name=workspace,
                  )
              )
          except (HttpResponseError, ResourceNotFoundError) as e:
              logger.error("Azure SDK error listing analytics rules: %s", e)
              return [{"error": f"Azure SDK error: {str(e)}"}]
          except Exception as e:
              logger.error("Unexpected error listing analytics rules: %s", e)
              return [{"error": f"Unexpected error: {str(e)}"}]

          logged_first = False
          for rule in rules:
              try:
                  if not hasattr(rule, "name") or not hasattr(rule, "id"):
                      raise ValueError("Rule object missing required attributes")
                  name = getattr(rule, "name", None)
                  id_ = getattr(rule, "id", None)
                  kind = getattr(rule, "kind", None)
                  # Rule models expose snake_case attributes; the camelCase fallback
                  # covers objects that were built from raw JSON.
                  display_name = getattr(rule, "display_name", None) or getattr(
                      rule, "displayName", None
                  )
                  # severity/enabled exist only on concrete rule kinds, hence the default.
                  severity = getattr(rule, "severity", None)
                  enabled = getattr(rule, "enabled", None)
                  summary = {
                      "id": id_,
                      "name": name,
                      "kind": kind,
                      "displayName": display_name,
                      "severity": severity,
                      "enabled": enabled,
                  }
                  rule_summaries.append(summary)
                  if not logged_first:
                      logger.debug("First rule object: %s", rule)
                      logger.debug(
                          "First rule as_dict: %s",
                          getattr(rule, "as_dict", lambda: None)(),
                      )
                      logged_first = True
              except Exception as rule_exc:
                  # One malformed rule must not abort the whole listing.
                  logger.warning("Failed to process rule: %s", rule_exc)
                  errors.append(str(rule_exc))
                  continue

          if errors:
              rule_summaries.append(
                  {
                      "warning": f"{len(errors)} rules could not be processed",
                      "details": errors,
                  }
              )
          logger.info(
              "Retrieved %d analytics rule summaries (with %d errors).",
              len(rule_summaries),
              len(errors),
          )
          return rule_summaries
  ```
- tools/analytics_tools.py:608-623 (registration)

  The registration function 'register_tools' calls SentinelAnalyticsRuleListTool.register(mcp) at line 615 to register the tool with the MCP server.

  ```python
  def register_tools(mcp):
      """
      Register all analytics tools with the given MCP server instance.

      Args:
          mcp: The MCP server instance to register tools with.
      """
      SentinelAnalyticsRuleListTool.register(mcp)
      SentinelAnalyticsRuleGetTool.register(mcp)
      SentinelAnalyticsRuleTemplatesListTool.register(mcp)
      SentinelAnalyticsRuleTemplateGetTool.register(mcp)
      SentinelAnalyticsRulesCountByTacticTool.register(mcp)
      SentinelAnalyticsRuleTemplatesCountByTacticTool.register(mcp)
      SentinelAnalyticsRulesCountByTechniqueTool.register(mcp)
      SentinelAnalyticsRuleTemplatesCountByTechniqueTool.register(mcp)
  ```
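As an added example (not part of the MCP server's own code), a small audit pass over the list this handler returns: it separates the trailing warning or error entries from real rule summaries, flags disabled rules at or above a chosen severity, and counts the rules the handler skipped. The sample result is constructed and the resource IDs are placeholders.

```python
from collections import Counter

# Constructed sample in the shape sentinel_analytics_rule_list returns:
# rule summaries plus the trailing "warning" entry the handler appends when
# some rules could not be processed. Not real tenant data; IDs are placeholders.
SAMPLE_RESULT = [
    {"id": "/placeholder/alertRules/rule-1", "name": "rule-1", "kind": "Scheduled",
     "displayName": "Suspicious sign-in burst", "severity": "High", "enabled": False},
    {"id": "/placeholder/alertRules/rule-2", "name": "rule-2", "kind": "Scheduled",
     "displayName": "Rare process execution", "severity": "Medium", "enabled": True},
    {"id": "/placeholder/alertRules/rule-3", "name": "rule-3", "kind": "Fusion",
     "displayName": "Advanced Multistage Attack Detection", "severity": None, "enabled": True},
    {"warning": "1 rules could not be processed",
     "details": ["Rule object missing required attributes"]},
]

# Sentinel analytics-rule severities, ranked so they can be compared.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def split_result(result):
    """Separate rule summaries from the error/warning entries the tool may return."""
    notices = [r for r in result if "error" in r or "warning" in r]
    rules = [r for r in result if r not in notices]
    return rules, notices


def audit_rules(result, min_severity="Medium"):
    """Summarise coverage gaps: disabled rules at or above min_severity,
    rules whose severity could not be read, and rules the handler skipped."""
    rules, notices = split_result(result)
    threshold = SEVERITY_RANK[min_severity]
    disabled = sorted(
        r["name"] for r in rules
        if r.get("enabled") is False
        and SEVERITY_RANK.get(r.get("severity"), -1) >= threshold
    )
    missing_severity = sorted(r["name"] for r in rules if r.get("severity") is None)
    return {
        "total_rules": len(rules),
        "by_kind": dict(Counter(r.get("kind") for r in rules)),
        "disabled_at_or_above": disabled,
        "missing_severity": missing_severity,
        # Each "details" entry is one rule the handler failed to summarise.
        "unprocessed": sum(len(n.get("details", [])) for n in notices),
        "errors": [n["error"] for n in notices if "error" in n],
    }
```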