ms-sentinel-mcp-server

by dstreefkerk

sentinel_analytics_rule_get

Retrieve details for a specific analytics rule in Microsoft Sentinel to analyze security alerts and automate threat detection.

Instructions

Get details for a specific analytics rule

Input Schema

Name    Required  Description  Default
kwargs  Yes

Implementation Reference

  • The SentinelAnalyticsRuleGetTool class defines the MCP tool 'sentinel_analytics_rule_get'. Its async 'run' method (lines 124-176) executes the tool logic: it extracts the 'rule_name' parameter and the Azure context, retrieves the analytics rule through the Azure SecurityInsights client's alert_rules.get, builds a summary dictionary of key fields with the full rule details under '_full', and converts ResourceNotFoundError, HttpResponseError and any other exception into error dictionaries instead of raising.
    # Imports needed by the snippet below. ResourceNotFoundError is a subclass of
    # HttpResponseError, so it must be caught first. The Context import path is the
    # MCP Python SDK's (assumed; not shown on this page). MCPToolBase is the project's
    # own base class (provides logger, _extract_param, get_azure_context and
    # get_securityinsight_client) and is defined elsewhere in the repository.
    from azure.core.exceptions import HttpResponseError, ResourceNotFoundError
    from mcp.server.fastmcp import Context

    class SentinelAnalyticsRuleGetTool(MCPToolBase):
        name = "sentinel_analytics_rule_get"
        description = "Get details for a specific analytics rule"
    
        async def run(self, ctx: Context, rule_name: str = None, **kwargs):
            """
            Get details for a specific analytics rule.
            Supports both MCP server and direct (test) invocation.
            Returns a dict with summary fields and full rule details, or error details.
            """
            logger = self.logger
            # Robust parameter extraction: support both direct and nested kwargs
            if rule_name is None:
                rule_name = self._extract_param(kwargs, "rule_name")
            # Workspace, resource group and subscription all come from the MCP context;
            # without all three the Azure resource path cannot be built.
            workspace, resource_group, subscription_id = self.get_azure_context(ctx)
            if not (workspace and resource_group and subscription_id):
                logger.error("Missing Azure Sentinel context for analytics rule retrieval.")
                return {"error": "Missing Azure Sentinel context."}
            if not rule_name:
                logger.error("No rule_name provided for analytics rule retrieval.")
                return {"error": "No rule_name provided."}
            try:
                client = self.get_securityinsight_client(subscription_id)
                # rule_name is the alertRules resource id segment, not the display name
                rule = client.alert_rules.get(
                    resource_group_name=resource_group,
                    workspace_name=workspace,
                    rule_id=rule_name,
                )
                # SDK models expose as_dict(); fall back to dict() for plain mappings
                if hasattr(rule, "as_dict"):
                    rule_dict = rule.as_dict()
                else:
                    rule_dict = dict(rule)
                display_name = rule_dict.get("display_name") or rule_dict.get("displayName")
                severity = rule_dict.get("severity")
                enabled = rule_dict.get("enabled")
                summary = {
                    "id": rule_dict.get("id"),
                    "name": rule_dict.get("name"),
                    "kind": rule_dict.get("kind"),
                    "displayName": display_name,
                    "severity": severity,
                    "enabled": enabled,
                }
                # Complete rule payload for callers that need more than the summary
                summary["_full"] = rule_dict
                return summary
            except ResourceNotFoundError as e:
                logger.error("Analytics rule not found: %s", e)
                return {"error": "Analytics rule not found", "details": str(e)}
            except HttpResponseError as e:
                logger.error("HTTP error retrieving analytics rule: %s", e)
                return {"error": "HTTP error", "details": str(e)}
            except Exception as e:
                logger.error(
                    "Unexpected error retrieving analytics rule '%s': %s", rule_name, e
                )
                return {"error": "Unexpected error", "details": str(e)}
  • The 'register_tools' function (lines 608-623) registers the SentinelAnalyticsRuleGetTool (line 616) and other analytics tools with the MCP server instance via the .register(mcp) class method inherited from MCPToolBase.
    def register_tools(mcp):
        """
        Register all analytics tools with the given MCP server instance.
    
        Args:
            mcp: The MCP server instance to register tools with.
        """
        SentinelAnalyticsRuleListTool.register(mcp)
        SentinelAnalyticsRuleGetTool.register(mcp)
        SentinelAnalyticsRuleTemplatesListTool.register(mcp)
        SentinelAnalyticsRuleTemplateGetTool.register(mcp)
        SentinelAnalyticsRulesCountByTacticTool.register(mcp)
        SentinelAnalyticsRuleTemplatesCountByTacticTool.register(mcp)
        SentinelAnalyticsRulesCountByTechniqueTool.register(mcp)
        SentinelAnalyticsRuleTemplatesCountByTechniqueTool.register(mcp)
  • Tool metadata: name 'sentinel_analytics_rule_get' and description define the tool's identity and purpose. Input schema implied by 'run' signature: rule_name: str (extracted via _extract_param for MCP compatibility). Output: dict with summary fields (id, name, kind, displayName, severity, enabled) and _full rule details.
    class SentinelAnalyticsRuleGetTool(MCPToolBase):
        name = "sentinel_analytics_rule_get"
        description = "Get details for a specific analytics rule"
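The tool's result contract (summary fields plus '_full', or an error dictionary for missing context, missing rule_name and unknown rule ids) can be exercised without Azure credentials by substituting a stand-in client. The following is an added example, not code from the ms-sentinel-mcp-server project: StandInToolBase, FakeContext, FakeSecurityInsightsClient and the sample rule are all constructed here, and the nested-kwargs behaviour of _extract_param is an assumption about the project's helper, not taken from its source.

```python
import asyncio
import logging

try:
    from azure.core.exceptions import HttpResponseError, ResourceNotFoundError
except ImportError:  # azure-core not installed: local stand-ins with the same hierarchy
    class HttpResponseError(Exception):
        pass

    class ResourceNotFoundError(HttpResponseError):
        pass

# Constructed sample rule (not real data): the fields an AlertRule exposes via as_dict().
SAMPLE_RULES = {
    "rule-0001": {
        "id": "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/rg-sec/providers/"
              "Microsoft.OperationalInsights/workspaces/ws-sentinel/providers/"
              "Microsoft.SecurityInsights/alertRules/rule-0001",
        "name": "rule-0001",
        "kind": "Scheduled",
        "display_name": "Repeated failed sign-ins from one source",
        "severity": "High",
        "enabled": True,
        "query": "SigninLogs | where ResultType != 0 | summarize Failures=count() by IPAddress",
    }
}


class _FakeRule:
    """Mimics the SDK model just enough for the tool: exposes as_dict()."""
    def __init__(self, data):
        self._data = data

    def as_dict(self):
        return dict(self._data)


class _FakeAlertRules:
    def get(self, resource_group_name, workspace_name, rule_id):
        if rule_id not in SAMPLE_RULES:
            raise ResourceNotFoundError(f"alert rule '{rule_id}' not found in {workspace_name}")
        return _FakeRule(SAMPLE_RULES[rule_id])


class FakeSecurityInsightsClient:
    alert_rules = _FakeAlertRules()


class FakeContext:
    def __init__(self, workspace, resource_group, subscription_id):
        self.workspace, self.resource_group, self.subscription_id = workspace, resource_group, subscription_id


class StandInToolBase:
    """Hypothetical replacement for the project's MCPToolBase (only what run() needs)."""
    logger = logging.getLogger("sentinel-rule-get-example")

    def _extract_param(self, kwargs, key):
        # Assumed behaviour: accept the key directly or nested under a "kwargs" mapping.
        if key in kwargs:
            return kwargs[key]
        return (kwargs.get("kwargs") or {}).get(key)

    def get_azure_context(self, ctx):
        return ctx.workspace, ctx.resource_group, ctx.subscription_id

    def get_securityinsight_client(self, subscription_id):
        return FakeSecurityInsightsClient()


class RuleGetTool(StandInToolBase):
    async def run(self, ctx, rule_name=None, **kwargs):
        if rule_name is None:
            rule_name = self._extract_param(kwargs, "rule_name")
        workspace, resource_group, subscription_id = self.get_azure_context(ctx)
        if not (workspace and resource_group and subscription_id):
            return {"error": "Missing Azure Sentinel context."}
        if not rule_name:
            return {"error": "No rule_name provided."}
        try:
            rule = self.get_securityinsight_client(subscription_id).alert_rules.get(
                resource_group_name=resource_group, workspace_name=workspace, rule_id=rule_name
            )
            rule_dict = rule.as_dict() if hasattr(rule, "as_dict") else dict(rule)
            summary = {
                "id": rule_dict.get("id"),
                "name": rule_dict.get("name"),
                "kind": rule_dict.get("kind"),
                "displayName": rule_dict.get("display_name") or rule_dict.get("displayName"),
                "severity": rule_dict.get("severity"),
                "enabled": rule_dict.get("enabled"),
            }
            summary["_full"] = rule_dict  # whole rule, detection query included
            return summary
        except ResourceNotFoundError as e:
            return {"error": "Analytics rule not found", "details": str(e)}
        except HttpResponseError as e:
            return {"error": "HTTP error", "details": str(e)}


def run_tool(ctx, **kwargs):
    """Synchronous helper so the contract can be checked from a plain script or test."""
    return asyncio.run(RuleGetTool().run(ctx, **kwargs))


if __name__ == "__main__":
    ctx = FakeContext("ws-sentinel", "rg-sec", "<SUBSCRIPTION-ID>")
    print(run_tool(ctx, rule_name="rule-0001")["displayName"])
    print(run_tool(ctx, kwargs={"rule_name": "rule-0001"})["severity"])
    print(run_tool(ctx, rule_name="does-not-exist")["error"])
    print(run_tool(FakeContext(None, "rg-sec", "<SUBSCRIPTION-ID>"), rule_name="rule-0001")["error"])
```

Two points worth noticing when wiring a client against this tool: the rule_name argument is the alertRules resource id segment (the GUID-style 'name'), not the human-readable display name, and '_full' carries the complete rule including its KQL query, so anything that logs or forwards tool output will expose detection logic unless it restricts itself to the summary fields.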
