sentinel_workspace_get
Retrieve workspace details from Microsoft Sentinel to access security analytics and threat intelligence data.
Instructions
Get workspace information (refactored, MCP-compliant)
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| kwargs | Yes | | |
Implementation Reference
- tools/workspace_tools.py:16-104 (handler) The SentinelWorkspaceGetTool class implements the core logic for the 'sentinel_workspace_get' tool. It inherits from MCPToolBase and defines the async 'run' method that retrieves detailed information about the Sentinel Log Analytics workspace using Azure SDK clients, handling context extraction, API calls, property mapping, and error handling.

  ```python
  class SentinelWorkspaceGetTool(MCPToolBase):
      """
      Tool for retrieving detailed information about the current Sentinel Log Analytics workspace.
      """

      name = "sentinel_workspace_get"
      description = "Get workspace information (refactored, MCP-compliant)"

      async def run(self, ctx: Context, **kwargs):
          """
          Get detailed information about the current Sentinel Log Analytics workspace.

          Returns:
              dict: {
                  'workspace_name': str,
                  'resource_group': str,
                  'subscription_id': str,
                  'properties': dict,  # workspace properties or empty if unavailable
                  'additional_information': list[str],
                  'error': str (optional, present only if an error occurs)
              }

          Output Fields:
              - workspace_name: The name of the Sentinel Log Analytics workspace.
              - resource_group: The Azure resource group for the workspace.
              - subscription_id: The Azure subscription ID.
              - properties: Detailed properties about the workspace (location, SKU, retention, etc.).
              - additional_information: Guidance on related tools and next steps.
              - error: Error message if an error occurs (optional).

          Error cases will always include an 'error' key for testability.
          Parameters are extracted from both kwargs and kwargs['kwargs'] for MCP compatibility.

          Azure Context Fallback:
              - Supports both MCP server and direct invocation.
              - If ctx.request_context is not available, falls back to environment variables for Azure context:
                AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID,
                AZURE_RESOURCE_GROUP, AZURE_WORKSPACE_NAME.
          """
          logger = self.logger
          # Extract parameters from both kwargs and kwargs['kwargs'] (future-proof,
          # even if unused)
          params = dict(kwargs)
          if "kwargs" in kwargs and isinstance(kwargs["kwargs"], dict):
              params.update(kwargs["kwargs"])

          # Extract context (assume .env is loaded and Context is configured)
          workspace_name, resource_group, subscription_id = self.get_azure_context(ctx)
          result = {
              "workspace_name": workspace_name,
              "resource_group": resource_group,
              "subscription_id": subscription_id,
              "properties": {},
              "additional_information": [
                  "For data connector details, use the `sentinel_connectors_list` tool.",
                  "For analytics rules details, use the `list_analytics_rules` tool.",
              ],
          }
          try:
              client = self.get_loganalytics_client(subscription_id)
              ws = await run_in_thread(
                  client.workspaces.get, resource_group, workspace_name
              )
              result["properties"] = {
                  "location": ws.location,
                  "sku": getattr(ws.sku, "name", None),
                  "sku_description": getattr(ws.sku, "description", None),
                  "last_sku_update": str(getattr(ws, "last_sku_update", "")),
                  "retention_period_days": ws.retention_in_days,
                  "daily_quota_gb": getattr(ws, "daily_quota_gb", None),
                  "quota_reset_time": str(getattr(ws, "quota_reset_time", "")),
                  "ingestion_status": getattr(ws, "ingestion_status", None),
                  "public_network_access_ingestion": getattr(
                      ws, "public_network_access_for_ingestion", None
                  ),
                  "public_network_access_query": getattr(
                      ws, "public_network_access_for_query", None
                  ),
                  "created": str(getattr(ws, "created_date", "")),
                  "last_modified": str(getattr(ws, "modified_date", "")),
                  "features": getattr(ws, "features", {}),
              }
          except Exception as ex:
              error_msg = "Error retrieving workspace info: %s" % ex
              logger.exception("%s", error_msg)
              result["error"] = error_msg
          return result
  ```
- tools/workspace_tools.py:570-579 (registration) The 'register_tools' function registers the SentinelWorkspaceGetTool (and other related tools) with the MCP server instance via its 'register' class method.

  ```python
  def register_tools(mcp):
      """Register all Sentinel workspace-related tools with the MCP server instance."""
      SentinelWorkspaceGetTool.register(mcp)
      SentinelSourceControlsListTool.register(mcp)
      SentinelSourceControlGetTool.register(mcp)
      SentinelMetadataListTool.register(mcp)
      SentinelMetadataGetTool.register(mcp)
      SentinelMLAnalyticsSettingsListTool.register(mcp)
      SentinelMLAnalyticsSettingGetTool.register(mcp)
  ```
- tools/workspace_tools.py:27-56 (schema) The docstring in the 'run' method defines the input/output schema and structure for the tool, detailing the expected return dictionary fields, output descriptions, error handling, and parameter extraction behavior.

  ```python
  """
  Get detailed information about the current Sentinel Log Analytics workspace.

  Returns:
      dict: {
          'workspace_name': str,
          'resource_group': str,
          'subscription_id': str,
          'properties': dict,  # workspace properties or empty if unavailable
          'additional_information': list[str],
          'error': str (optional, present only if an error occurs)
      }

  Output Fields:
      - workspace_name: The name of the Sentinel Log Analytics workspace.
      - resource_group: The Azure resource group for the workspace.
      - subscription_id: The Azure subscription ID.
      - properties: Detailed properties about the workspace (location, SKU, retention, etc.).
      - additional_information: Guidance on related tools and next steps.
      - error: Error message if an error occurs (optional).

  Error cases will always include an 'error' key for testability.
  Parameters are extracted from both kwargs and kwargs['kwargs'] for MCP compatibility.

  Azure Context Fallback:
      - Supports both MCP server and direct invocation.
      - If ctx.request_context is not available, falls back to environment variables for Azure context:
        AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID,
        AZURE_RESOURCE_GROUP, AZURE_WORKSPACE_NAME.
  """
  ```
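The return contract above (an `error` key on failure, `properties` left empty) matters to any caller that uses this tool for posture review. The following is an added example, not code from the project: a consumer-side check over the returned dict. `review_workspace`, `MIN_RETENTION_DAYS` and the sample dicts are hypothetical, and the `"Enabled"` value is assumed to follow Azure's Enabled/Disabled public network access setting.

```python
# Added example: checks over the dict returned by sentinel_workspace_get.
MIN_RETENTION_DAYS = 90  # assumption: replace with your organisation's requirement


def review_workspace(result: dict) -> list[str]:
    """Return findings for one sentinel_workspace_get result dict."""
    # On failure the tool sets 'error' and leaves 'properties' empty, so a
    # failed lookup must never be read as "nothing to report".
    if "error" in result:
        return ["lookup failed: %s" % result["error"]]
    props = result.get("properties") or {}
    if not props:
        return ["no properties returned; posture unknown"]

    findings = []
    retention = props.get("retention_period_days")
    if retention is None:
        findings.append("retention unknown")
    elif retention < MIN_RETENTION_DAYS:
        findings.append(
            "retention %d days is below %d" % (retention, MIN_RETENTION_DAYS)
        )
    # Workspaces reachable from public networks are listed for review.
    for field in ("public_network_access_ingestion", "public_network_access_query"):
        if props.get(field) == "Enabled":
            findings.append("%s is Enabled" % field)
    return findings


# Constructed sample results, shaped like the documented return value.
_BASE = {"workspace_name": "ws-example", "resource_group": "rg-example",
         "subscription_id": "00000000-0000-0000-0000-000000000000",
         "additional_information": []}
SAMPLE_OK = dict(_BASE, properties={
    "retention_period_days": 180,
    "public_network_access_ingestion": "Disabled",
    "public_network_access_query": "Disabled"})
SAMPLE_WEAK = dict(_BASE, properties={
    "retention_period_days": 30,
    "public_network_access_ingestion": "Disabled",
    "public_network_access_query": "Enabled"})
SAMPLE_ERROR = dict(_BASE, properties={},
                    error="Error retrieving workspace info: constructed failure")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_WEAK, SAMPLE_ERROR):
        print(review_workspace(sample))
```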