
ms-sentinel-mcp-server

by dstreefkerk

sentinel_analytics_rule_template_get

Retrieve a specific Microsoft Sentinel analytics rule template to implement security monitoring and threat detection in your environment.

Instructions

Get a specific Sentinel analytics rule template

Input Schema

Name    Required  Description  Default
kwargs  Yes

Implementation Reference

  • The handler class SentinelAnalyticsRuleTemplateGetTool defines the tool name and implements the core logic in its async run method, which retrieves a specific Sentinel analytics rule template using the Azure SDK SecurityInsights client.
    class SentinelAnalyticsRuleTemplateGetTool(MCPToolBase):
        """
        Get details for a specific Sentinel analytics rule template by ID.
        Returns a dict with summary fields and full template details, or error details.
        """
    
        name = "sentinel_analytics_rule_template_get"
        description = "Get a specific Sentinel analytics rule template"
    
        async def run(self, ctx: Context, **kwargs):
            """
            Get details for a specific analytics rule template by ID.
            Parameters:
                ctx (Context): MCP context object.
                template_id (str): The ID of the analytics rule template to retrieve.
                **kwargs: Accepts template_id as direct key or via kwargs["kwargs"].
            Returns:
                dict: Template summary and details, or error dict.
            """
            logger = self.logger
            # Extract template_id using the centralized parameter extraction from MCPToolBase
            template_id = self._extract_param(kwargs, "template_id")
            if not template_id:
                logger.error(
                    "No template_id provided for analytics rule template retrieval."
                )
                return {"error": "No template_id provided."}
            # Extract Azure context
            workspace, resource_group, subscription_id = self.get_azure_context(ctx)
            if not (workspace and resource_group and subscription_id):
                logger.error(
                    "Missing Azure Sentinel context for analytics rule template retrieval."
                )
                return {"error": "Missing Azure Sentinel context."}
            # Get client
            client = self.get_securityinsight_client(subscription_id)
            try:
                template = client.alert_rule_templates.get(
                    resource_group, workspace, template_id
                )
                template_dict = (
                    template.as_dict() if hasattr(template, "as_dict") else dict(template)
                )
                summary = {
                    "id": template_dict.get("id"),
                    "name": template_dict.get("name"),
                    "displayName": template_dict.get("display_name")
                    or template_dict.get("displayName"),
                    "description": template_dict.get("description"),
                    "kind": template_dict.get("kind"),
                }
                summary["_full"] = template_dict
                return summary
            except Exception as e:
                logger.error("Error retrieving analytics rule template: %s", e)
                # pylint: disable=consider-using-f-string
                return {"error": f"Error retrieving analytics rule template: {str(e)}"}
  • The register_tools function registers SentinelAnalyticsRuleTemplateGetTool, along with the other analytics tools, with the MCP server instance.
    def register_tools(mcp):
        """
        Register all analytics tools with the given MCP server instance.
    
        Args:
            mcp: The MCP server instance to register tools with.
        """
        SentinelAnalyticsRuleListTool.register(mcp)
        SentinelAnalyticsRuleGetTool.register(mcp)
        SentinelAnalyticsRuleTemplatesListTool.register(mcp)
        SentinelAnalyticsRuleTemplateGetTool.register(mcp)
        SentinelAnalyticsRulesCountByTacticTool.register(mcp)
        SentinelAnalyticsRuleTemplatesCountByTacticTool.register(mcp)
        SentinelAnalyticsRulesCountByTechniqueTool.register(mcp)
        SentinelAnalyticsRuleTemplatesCountByTechniqueTool.register(mcp)

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dstreefkerk/ms-sentinel-mcp-server'
