
ms-sentinel-mcp-server

by dstreefkerk

sentinel_ml_analytics_setting_get

Retrieve a specific machine learning analytics setting from Microsoft Sentinel by name, as an aid to configuring threat detection rules.

Instructions

Get a specific Sentinel ML analytics setting by name.

Input Schema

Name | Required | Description | Default
kwargs | Yes | |

Implementation Reference

  • The SentinelMLAnalyticsSettingGetTool class defines the tool, including its name, description, and the async run method that implements the core logic for retrieving a specific Sentinel ML analytics setting by name using the Azure SecurityInsights client. It enriches the response with properties and referenced analytic rules.
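    class SentinelMLAnalyticsSettingGetTool(MCPToolBase):
        """
        Tool for retrieving a specific Sentinel ML analytics setting by name.

        The response copies the setting model's fields (see ``_SETTING_FIELDS``)
        and adds two derived entries: ``properties`` (the model's nested
        ``properties`` object, when present) and ``referenced_by_analytic_rules``
        (alert rules in the workspace whose serialized fields mention the
        setting's name or resource id). The rule lookup is a plain substring
        search, so it is a hint rather than an authoritative dependency graph:
        a short setting name can match unrelated rule text.
        """

        name = "sentinel_ml_analytics_setting_get"
        description = "Get a specific Sentinel ML analytics setting by name."

        # Model fields copied one-to-one into the response, in output order.
        _SETTING_FIELDS = (
            "id",
            "name",
            "kind",
            "etag",
            "type",
            "description",
            "display_name",
            "enabled",
            "last_modified_utc",
            "required_data_connectors",
            "tactics",
            "techniques",
            "anomaly_version",
            "customizable_observations",
            "frequency",
            "settings_status",
            "is_default_settings",
            "anomaly_settings_version",
            "settings_definition_id",
        )

        @staticmethod
        def _record_error(result: dict, error_msg: str) -> dict:
            """Store *error_msg* in both ``error`` and ``errors`` of *result* and return it."""
            result["error"] = error_msg
            result["errors"].append(error_msg)
            return result

        @staticmethod
        def _to_dict(obj) -> dict:
            """Serialize an SDK model via ``as_dict()``, falling back to ``dict(obj)``."""
            return obj.as_dict() if hasattr(obj, "as_dict") else dict(obj)

        @staticmethod
        def _serialize_properties(props):
            """
            Normalise the model's ``properties`` attribute for the response.

            Returns None when absent, the model's ``as_dict()`` when available,
            the dict itself when already a dict, and ``{"raw": str(props)}`` for
            any other shape so the value is not silently dropped.
            """
            if props is None:
                return None
            if hasattr(props, "as_dict"):
                return props.as_dict()
            if isinstance(props, dict):
                return props
            return {"raw": str(props)}

        @staticmethod
        def _mentions_any(rule_dict: dict, needles: list[str]) -> bool:
            """
            Return True if any top-level value of *rule_dict* contains one of *needles*.

            String values are searched directly; for a dict value each member
            value is stringified and searched, for a list value each item.
            Other value types (ints, bools, None) are ignored. *needles* must
            contain only non-empty strings.
            """
            for val in rule_dict.values():
                if isinstance(val, str):
                    texts = (val,)
                elif isinstance(val, dict):
                    texts = (str(v) for v in val.values())
                elif isinstance(val, list):
                    texts = (str(v) for v in val)
                else:
                    continue
                if any(needle in text for text in texts for needle in needles):
                    return True
            return False

        async def run(self, ctx: Context, **kwargs):
            """
            Get a specific ML analytics setting by name.

            Parameters:
                ctx (Context): MCP request context; the Azure workspace name,
                    resource group and subscription id are read from it via
                    ``get_azure_context``.
                setting_name (str, required): The name of the ML analytics
                    setting, passed as a keyword argument.

            Returns an MCP-compliant dict with:
                setting (dict): the enriched setting, or ``{}`` on failure.
                valid (bool): True only when the setting was retrieved.
                errors (list[str]): every error message recorded.
                error (str): the last error message; only present on failure.

            Never raises: SDK and lookup failures are caught and reported through
            ``errors``/``error``. The exception text is embedded in that message
            and therefore returned to the caller.
            """
            logger = self.logger
            result = {"setting": {}, "valid": False, "errors": []}

            setting_name = self._extract_param(kwargs, "setting_name")
            if not setting_name:
                error_msg = "Missing required parameter: setting_name"
                logger.error(error_msg)
                return self._record_error(result, error_msg)

            workspace_name, resource_group, subscription_id = self.get_azure_context(ctx)
            if not (workspace_name and resource_group and subscription_id):
                error_msg = (
                    "Missing required Azure context (workspace_name, resource_group, "
                    "subscription_id)."
                )
                logger.error(error_msg)
                return self._record_error(result, error_msg)

            try:
                client = self.get_securityinsight_client(subscription_id)
                setting = client.security_ml_analytics_settings.get(
                    resource_group, workspace_name, setting_name
                )
                s_dict = self._to_dict(setting)
                enriched = {field: s_dict.get(field) for field in self._SETTING_FIELDS}
                enriched["properties"] = self._serialize_properties(
                    getattr(setting, "properties", None)
                )

                # Only non-empty strings are usable as search terms: ``None in <str>``
                # raises TypeError (which would abort the whole lookup) and
                # ``"" in <str>`` is always True (which would flag every rule).
                needles = [
                    n for n in (enriched["name"], enriched["id"])
                    if isinstance(n, str) and n
                ]
                referencing_rules = []
                if needles:
                    # One list call per get; every rule in the workspace is scanned.
                    for rule in client.alert_rules.list(resource_group, workspace_name):
                        rule_dict = self._to_dict(rule)
                        if self._mentions_any(rule_dict, needles):
                            referencing_rules.append(
                                {
                                    "rule_name": rule_dict.get(
                                        "display_name", rule_dict.get("name")
                                    ),
                                    "rule_id": rule_dict.get("id"),
                                    "rule_kind": rule_dict.get("kind"),
                                }
                            )
                enriched["referenced_by_analytic_rules"] = referencing_rules

                result["setting"] = enriched
                result["valid"] = True
            except Exception as ex:
                error_msg = f"Error retrieving ML analytics setting: {ex}"
                logger.exception(error_msg)
                self._record_error(result, error_msg)
            return result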
  • The register_tools function registers the SentinelMLAnalyticsSettingGetTool (line 578) along with other workspace tools to the MCP server.
    def register_tools(mcp):
        """Register all Sentinel workspace-related tools with the MCP server instance."""
        # Registration happens in the listed order.
        workspace_tools = (
            SentinelWorkspaceGetTool,
            SentinelSourceControlsListTool,
            SentinelSourceControlGetTool,
            SentinelMetadataListTool,
            SentinelMetadataGetTool,
            SentinelMLAnalyticsSettingsListTool,
            SentinelMLAnalyticsSettingGetTool,
        )
        for tool_cls in workspace_tools:
            tool_cls.register(mcp)
  • Docstring in the run method defines the input schema (setting_name: str required) and output format.
    async def run(self, ctx: Context, **kwargs):
        """
        Get a specific ML analytics setting by name.

        Parameters:
            ctx (Context): MCP request context; the Azure workspace name, resource
                group and subscription id are read from it.
            setting_name (str, required): The name of the ML analytics setting,
                passed as a keyword argument.

        Returns MCP-compliant dict with 'setting', 'valid', 'errors', and 'error':
        'valid' is True only when the setting was retrieved; on failure 'error'
        holds the last message and 'errors' every message recorded.
        """
