
ms-sentinel-mcp-server

by dstreefkerk

sentinel_ti_indicator_get

Retrieve specific threat intelligence indicators from Microsoft Sentinel to analyze security threats and enhance monitoring capabilities.

Instructions

Get a specific Sentinel threat intelligence indicator

Input Schema

Name      Required   Description   Default
kwargs    Yes        (none)        (none)

Implementation Reference

  • The `run` method of the `SentinelThreatIntelligenceIndicatorGetTool` class implements the core logic of the `sentinel_ti_indicator_get` tool. It extracts the `indicator_name` parameter, validates the Azure context (workspace, resource group and subscription), builds the REST API URL for that specific indicator, calls the API, maps the response's `properties` into a flat dictionary, and returns either the indicator details or an error.
    async def run(self, ctx: Context, **kwargs):
        """
        Get a specific Sentinel Threat Intelligence indicator.
    
        Args:
            ctx (Context): The MCP tool context.
            **kwargs: Indicator name as 'indicator_name' parameter.
    
        Returns:
            dict: Results as described in the class docstring.
        """
        indicator_name = self._extract_param(kwargs, "indicator_name")
        if not indicator_name:
            return {"error": "indicator_name parameter is required", "valid": False}
        workspace_name, resource_group, subscription_id = self.get_azure_context(ctx)
        valid = self.validate_azure_context(
            True, workspace_name, resource_group, subscription_id, self.logger
        )
        if not valid:
            return {"error": "Missing required Azure context", "valid": False}
        try:
            url = (
                f"https://management.azure.com/subscriptions/{subscription_id}/"
                f"resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights/"
                f"workspaces/{workspace_name}/providers/Microsoft.SecurityInsights/"
                f"threatIntelligence/main/indicators/{indicator_name}?"
                f"api-version=2024-01-01-preview"
            )
            indicator = await self.call_api(ctx, "GET", url, name="get_ti_indicator")
            if not indicator:
                return {
                    "error": "Threat intelligence indicator '%s' not found"
                    % indicator_name,
                    "valid": False,
                }
            props = indicator.get("properties", {})
            details = {
                "id": indicator.get("id"),
                "name": indicator.get("name"),
                "type": indicator.get("type"),
                "displayName": props.get("displayName"),
                "patternType": props.get("patternType"),
                "pattern": props.get("pattern"),
                "source": props.get("source"),
                "created": props.get("createdTimeUtc"),
                "confidence": props.get("confidence"),
                "threatTypes": props.get("threatTypes"),
                "validFrom": props.get("validFrom"),
                "validUntil": props.get("validUntil"),
                "description": props.get("description"),
                "killChainPhases": props.get("killChainPhases"),
                "labels": props.get("labels"),
            }
            return {"indicator": details, "valid": True}
        except Exception as e:
            self.logger.error(
                "Error retrieving threat intelligence indicator %s: %s",
                indicator_name,
                e,
            )
            return {
                "error": "Error retrieving threat intelligence indicator %s: %s"
                % (indicator_name, e),
                "valid": False,
            }
  • The `register_tools` function registers the `sentinel_ti_indicator_get` tool (via `SentinelThreatIntelligenceIndicatorGetTool.register(mcp)`) along with other threat intelligence tools to the MCP server instance.
    def register_tools(mcp: FastMCP):
        """
        Register all Sentinel Threat Intelligence tools with the given MCP instance.
    
        Args:
            mcp (FastMCP): The MCP instance to register tools with.
        """
        SentinelThreatIntelligenceIndicatorGetTool.register(mcp)
        SentinelThreatIntelligenceIndicatorMetricsCollectTool.register(mcp)
        SentinelIPGeodataGetTool.register(mcp)
        SentinelDomainWhoisGetTool.register(mcp)
  • The `SentinelThreatIntelligenceIndicatorGetTool` class definition, including the tool `name`, `description`, and the output schema described in the docstring; this is what defines the tool for MCP.
    class SentinelThreatIntelligenceIndicatorGetTool(MCPToolBase):
        """
        Tool to get a specific Sentinel Threat Intelligence indicator.
    
        Returns:
            dict: {
                'indicator': dict,  # Indicator details as returned by the API
                'valid': bool,      # True if successful
                'error': str (optional)
            }
        """
    
        name = "sentinel_ti_indicator_get"
        description = "Get a specific Sentinel threat intelligence indicator"
  • The class docstring describes the tool's input (the `indicator_name` parameter) and its output format (an `indicator` dict with specific fields, a `valid` bool, and an optional `error`). It serves as the schema definition.
    """
    Tool to get a specific Sentinel Threat Intelligence indicator.
    
    Returns:
        dict: {
            'indicator': dict,  # Indicator details as returned by the API
            'valid': bool,      # True if successful
            'error': str (optional)
        }
    """
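An added example (not code from ms-sentinel-mcp-server) that mirrors the `run` method's URL construction and response mapping shown above. It differs in validating the indicator name and percent-encoding each caller-supplied path segment before the URL is built, where the original interpolates the values directly; it assumes indicator names are GUIDs and uses a constructed sample response.

```python
# Added example, not code from ms-sentinel-mcp-server: a stand-alone helper that
# mirrors the URL construction and response mapping of the run() method above,
# but validates the indicator name and percent-encodes every path segment.
import re
from urllib.parse import quote

API_VERSION = "2024-01-01-preview"  # the same API version the tool requests
# Assumption: Sentinel TI indicator names are GUIDs, so anything else (including
# '/', '?', '#' or '..', which would alter the request path) is rejected here.
_GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def build_indicator_url(subscription_id, resource_group, workspace_name, indicator_name):
    """Return the GET URL for one TI indicator, or raise ValueError on a bad name."""
    if not _GUID_RE.match(indicator_name or ""):
        raise ValueError("indicator_name must be a GUID")
    seg = lambda s: quote(str(s), safe="")  # encode each caller-supplied segment
    return (
        "https://management.azure.com/subscriptions/" + seg(subscription_id)
        + "/resourceGroups/" + seg(resource_group)
        + "/providers/Microsoft.OperationalInsights/workspaces/" + seg(workspace_name)
        + "/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/"
        + seg(indicator_name) + "?api-version=" + API_VERSION
    )

def parse_indicator(response):
    """Map a raw ARM indicator resource to the flat dict the tool returns."""
    if not response:  # same check as the tool: empty/None means not found
        return {"error": "Threat intelligence indicator not found", "valid": False}
    props = response.get("properties", {})
    keys = {  # tool field -> ARM property name (same mapping as run() above)
        "displayName": "displayName", "patternType": "patternType", "pattern": "pattern",
        "source": "source", "created": "createdTimeUtc", "confidence": "confidence",
        "threatTypes": "threatTypes", "validFrom": "validFrom", "validUntil": "validUntil",
        "description": "description", "killChainPhases": "killChainPhases", "labels": "labels",
    }
    details = {k: response.get(k) for k in ("id", "name", "type")}
    details.update({k: props.get(v) for k, v in keys.items()})
    return {"indicator": details, "valid": True}

# Constructed sample response in the shape of an ARM threatIntelligence indicator.
SAMPLE_RESPONSE = {
    "id": "<constructed-resource-id>/indicators/3c2c9f56-1b2e-4f4e-9e35-9a1d6e7b8c01",
    "name": "3c2c9f56-1b2e-4f4e-9e35-9a1d6e7b8c01",
    "type": "Microsoft.SecurityInsights/threatIntelligence",
    "properties": {"displayName": "known C2 host", "patternType": "domain-name",
                   "pattern": "[domain-name:value = 'example.invalid']",
                   "source": "Constructed sample", "confidence": 80,
                   "createdTimeUtc": "2024-01-02T03:04:05Z", "threatTypes": ["malicious-activity"]},
}
```

Fields absent from the response (for example `labels` in the sample) come back as `None`, matching the `props.get(...)` behaviour of the tool.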
