sentinel_watchlists_list
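Retrieve all Microsoft Sentinel watchlists in the configured workspace to support monitoring security threats and managing detection rules across your environment. The tool itself is read-only: it lists watchlist metadata and does not create or modify watchlists or rules.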
Instructions
List all Sentinel watchlists
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| kwargs | Yes | | |
Implementation Reference
# tools/watchlist_tools.py:18-89 (handler)
# The SentinelWatchlistsListTool class, inheriting from MCPToolBase, defines the tool name
# and implements the async run method to list all Sentinel watchlists using the Azure
# SecurityInsights client, extracting relevant properties into a structured list.
class SentinelWatchlistsListTool(MCPToolBase):
    """
    Read-only tool that enumerates the Microsoft Sentinel watchlists of the configured workspace.
    """

    name = "sentinel_watchlists_list"
    description = "List all Sentinel watchlists"

    async def run(self, ctx: Context, **kwargs):
        """
        List the workspace's watchlists and summarise each one as a plain dict.

        Args:
            ctx (Context): Request context handed to ``get_azure_context`` to
                resolve the workspace, resource group and subscription.
            **kwargs: Accepted but not read by this method.

        Returns:
            dict: ``{"watchlists": [...], "count": n, "valid": True}`` on
            success, or ``{"error": "<message>"}`` when the client cannot be
            created or the listing fails.
        """
        log = self.logger

        # Workspace coordinates and the SecurityInsights client both come from MCPToolBase helpers.
        workspace_name, resource_group, subscription_id = self.get_azure_context(ctx)

        try:
            client = self.get_securityinsight_client(subscription_id)
        except Exception as exc:
            log.error("Error initializing Azure SecurityInsights client: %s", exc)
            # NOTE(review): the raw exception text is handed back to the MCP caller;
            # confirm it cannot carry details the caller should not see.
            failure = "Azure SecurityInsights client initialization failed: %s" % str(exc)
            return {"error": failure}
        if client is None:
            return {"error": "Azure SecurityInsights client is not initialized"}

        # (attribute on watchlist.properties, key in the returned summary), in output order.
        optional_fields = (
            ("watchlist_alias", "alias"),
            ("display_name", "displayName"),
            ("description", "description"),
            ("provider", "provider"),
            ("source", "source"),
            ("items_search_key", "itemsSearchKey"),
            ("created_time_utc", "created"),
            ("updated_time_utc", "updated"),
            ("items_count", "itemsCount"),
        )

        try:
            # NOTE(review): if client.watchlists.list returns a lazy pager, the page
            # requests happen in the loop below rather than inside run_in_thread - confirm.
            pager = await run_in_thread(
                client.watchlists.list,
                resource_group_name=resource_group,
                workspace_name=workspace_name,
            )

            summaries = []
            for entry in pager:
                # Full object goes to the DEBUG log only, to help inspect its structure.
                log.debug("Watchlist object: %s", entry)

                # id and name are always present in the summary, as None when missing.
                summary = {
                    "id": getattr(entry, "id", None),
                    "name": getattr(entry, "name", None),
                }

                # NOTE(review): some SDK model versions may expose these fields directly
                # on the watchlist instead of under `.properties`; in that case only
                # id/name are returned - verify against the installed SDK.
                if hasattr(entry, "properties"):
                    props = entry.properties
                    for attr, key in optional_fields:
                        if hasattr(props, attr):
                            summary[key] = getattr(props, attr)

                summaries.append(summary)

            return {"watchlists": summaries, "count": len(summaries), "valid": True}
        except Exception as exc:
            log.error("Error retrieving watchlists: %s", exc)
            # NOTE(review): same exposure question as above - the exception text
            # is returned verbatim to the caller.
            return {"error": f"Error retrieving watchlists: {str(exc)}"}
# tools/watchlist_tools.py:382-393 (registration)
# The register_tools function registers the SentinelWatchlistsListTool (and others)
# with the MCP server instance.
def register_tools(mcp: FastMCP):
    """
    Attach every Sentinel watchlist tool class to the given MCP server.

    Args:
        mcp (FastMCP): The MCP server instance that receives the registrations.
    """
    # Registration order matches the order the tools are listed here.
    watchlist_tools = (
        SentinelWatchlistsListTool,
        SentinelWatchlistGetTool,
        SentinelWatchlistItemsListTool,
        SentinelWatchlistItemGetTool,
    )
    for tool_cls in watchlist_tools:
        tool_cls.register(mcp)