Glama

ms-sentinel-mcp-server

by dstreefkerk

sentinel_workspace_get

Retrieve workspace details from Microsoft Sentinel to access security analytics and threat intelligence data.

Instructions

Get workspace information (refactored, MCP-compliant)

Input Schema

Name     Required   Description   Default
kwargs   Yes        (none)        (none)

Implementation Reference

  • The SentinelWorkspaceGetTool class implements the core logic for the 'sentinel_workspace_get' tool. It inherits from MCPToolBase and defines the async 'run' method that retrieves detailed information about the Sentinel Log Analytics workspace using Azure SDK clients, handling context extraction, API calls, property mapping, and error handling.
    class SentinelWorkspaceGetTool(MCPToolBase):
        """
        Tool for retrieving detailed information about the current Sentinel Log Analytics
        workspace.
        """
    
        name = "sentinel_workspace_get"
        description = "Get workspace information (refactored, MCP-compliant)"
    
        async def run(self, ctx: Context, **kwargs):
            """
            Get detailed information about the current Sentinel Log Analytics workspace.
    
            Returns:
                dict: {
                    'workspace_name': str,
                    'resource_group': str,
                    'subscription_id': str,
                    'properties': dict,  # workspace properties or empty if unavailable
                    'additional_information': list[str],
                    'error': str (optional, present only if an error occurs)
                }
            Output Fields:
                - workspace_name: The name of the Sentinel Log Analytics workspace.
                - resource_group: The Azure resource group for the workspace.
                - subscription_id: The Azure subscription ID.
                - properties: Detailed properties about the workspace (location, SKU,
                  retention, etc.).
                - additional_information: Guidance on related tools and next steps.
                - error: Error message if an error occurs (optional).
            Error cases will always include an 'error' key for testability.
            Parameters are extracted from both kwargs and kwargs['kwargs'] for MCP
            compatibility.
    
            Azure Context Fallback:
                - Supports both MCP server and direct invocation.
                - If ctx.request_context is not available, falls back to environment
                  variables for Azure context:
                  AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET,
                  AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP, AZURE_WORKSPACE_NAME.
            """
            logger = self.logger
            # Extract parameters from both kwargs and kwargs['kwargs'] (future-proof,
            # even if unused)
            params = dict(kwargs)
            if "kwargs" in kwargs and isinstance(kwargs["kwargs"], dict):
                params.update(kwargs["kwargs"])
            # Extract context (assume .env is loaded and Context is configured)
            workspace_name, resource_group, subscription_id = self.get_azure_context(ctx)
            result = {
                "workspace_name": workspace_name,
                "resource_group": resource_group,
                "subscription_id": subscription_id,
                "properties": {},
                "additional_information": [
                    "For data connector details, use the `sentinel_connectors_list` tool.",
                    "For analytics rules details, use the `list_analytics_rules` tool.",
                ],
            }
    
            try:
                client = self.get_loganalytics_client(subscription_id)
                ws = await run_in_thread(
                    client.workspaces.get, resource_group, workspace_name
                )
                result["properties"] = {
                    "location": ws.location,
                    "sku": getattr(ws.sku, "name", None),
                    "sku_description": getattr(ws.sku, "description", None),
                    "last_sku_update": str(getattr(ws, "last_sku_update", "")),
                    "retention_period_days": ws.retention_in_days,
                    "daily_quota_gb": getattr(ws, "daily_quota_gb", None),
                    "quota_reset_time": str(getattr(ws, "quota_reset_time", "")),
                    "ingestion_status": getattr(ws, "ingestion_status", None),
                    "public_network_access_ingestion": getattr(
                        ws, "public_network_access_for_ingestion", None
                    ),
                    "public_network_access_query": getattr(
                        ws, "public_network_access_for_query", None
                    ),
                    "created": str(getattr(ws, "created_date", "")),
                    "last_modified": str(getattr(ws, "modified_date", "")),
                    "features": getattr(ws, "features", {}),
                }
            except Exception as ex:
                error_msg = "Error retrieving workspace info: %s" % ex
                logger.exception("%s", error_msg)
                result["error"] = error_msg
            return result
  • The 'register_tools' function registers the SentinelWorkspaceGetTool (and other related tools) with the MCP server instance via its 'register' class method.
    def register_tools(mcp):
        """Register all Sentinel workspace-related tools with the MCP server instance."""
        SentinelWorkspaceGetTool.register(mcp)
        SentinelSourceControlsListTool.register(mcp)
        SentinelSourceControlGetTool.register(mcp)
        SentinelMetadataListTool.register(mcp)
        SentinelMetadataGetTool.register(mcp)
        SentinelMLAnalyticsSettingsListTool.register(mcp)
        SentinelMLAnalyticsSettingGetTool.register(mcp)
  • The docstring in the 'run' method defines the input/output schema and structure for the tool, detailing the expected return dictionary fields, output descriptions, error handling, and parameter extraction behavior.
    Get detailed information about the current Sentinel Log Analytics workspace.
    
    Returns:
        dict: {
            'workspace_name': str,
            'resource_group': str,
            'subscription_id': str,
            'properties': dict,  # workspace properties or empty if unavailable
            'additional_information': list[str],
            'error': str (optional, present only if an error occurs)
        }
    Output Fields:
        - workspace_name: The name of the Sentinel Log Analytics workspace.
        - resource_group: The Azure resource group for the workspace.
        - subscription_id: The Azure subscription ID.
        - properties: Detailed properties about the workspace (location, SKU,
          retention, etc.).
        - additional_information: Guidance on related tools and next steps.
        - error: Error message if an error occurs (optional).
    Error cases will always include an 'error' key for testability.
    Parameters are extracted from both kwargs and kwargs['kwargs'] for MCP
    compatibility.
    
    Azure Context Fallback:
        - Supports both MCP server and direct invocation.
        - If ctx.request_context is not available, falls back to environment
          variables for Azure context:
          AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET,
          AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP, AZURE_WORKSPACE_NAME.
    """
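The following harness is an added example and not the project's own code. It exercises the contract the docstring above describes: flattening of kwargs and kwargs['kwargs'], the fall back from ctx.request_context to the AZURE_* environment variables, the same getattr-based property mapping, and the guarantee that every failure path yields an 'error' key. MCPToolBase, Context and run_in_thread are replaced by stand-ins; the attribute names on ctx.request_context (workspace_name, resource_group, subscription_id) are an assumption; the workspace object, environment values and SDK client are constructed fakes. It goes one step beyond the page by adding a defender-side check over the returned properties that flags public network access and an uncapped daily quota.

```python
"""Offline harness for the sentinel_workspace_get contract (added example,
not the ms-sentinel-mcp-server code). The Azure SDK client is a fake."""
import asyncio
from types import SimpleNamespace

# Environment variables the docstring names for the direct-invocation path.
REQUIRED_ENV = ("AZURE_SUBSCRIPTION_ID", "AZURE_RESOURCE_GROUP", "AZURE_WORKSPACE_NAME")


def merge_params(kwargs: dict) -> dict:
    """Flatten kwargs and a nested kwargs['kwargs'] dict, as the tool does."""
    params = dict(kwargs)
    nested = kwargs.get("kwargs")
    if isinstance(nested, dict):
        params.update(nested)
    return params


def resolve_azure_context(ctx, env: dict) -> tuple[str, str, str]:
    """MCP server path: read ctx.request_context (attribute names assumed).
    Direct invocation path: read the AZURE_* variables; fail loudly if any is missing."""
    rc = getattr(ctx, "request_context", None)
    if rc is not None:
        return rc.workspace_name, rc.resource_group, rc.subscription_id
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        raise RuntimeError("missing Azure context: " + ", ".join(missing))
    return env["AZURE_WORKSPACE_NAME"], env["AZURE_RESOURCE_GROUP"], env["AZURE_SUBSCRIPTION_ID"]


def map_workspace_properties(ws) -> dict:
    """Subset of the tool's property mapping, using getattr defaults for optional fields."""
    return {
        "location": ws.location,
        "sku": getattr(ws.sku, "name", None),
        "retention_period_days": ws.retention_in_days,
        "daily_quota_gb": getattr(ws, "daily_quota_gb", None),
        "public_network_access_ingestion": getattr(ws, "public_network_access_for_ingestion", None),
        "public_network_access_query": getattr(ws, "public_network_access_for_query", None),
    }


def exposure_findings(properties: dict) -> list[str]:
    """Defender-side check on the returned properties. Log Analytics reports
    'Enabled'/'Disabled' for public network access and -1 for an unlimited daily quota."""
    findings = []
    if properties.get("public_network_access_ingestion") == "Enabled":
        findings.append("ingestion reachable from public networks")
    if properties.get("public_network_access_query") == "Enabled":
        findings.append("query endpoint reachable from public networks")
    if properties.get("daily_quota_gb") in (None, -1):
        findings.append("no daily ingestion cap (cost/DoS exposure)")
    return findings


async def run_tool(ctx, client, env: dict, **kwargs) -> dict:
    """Mirror of run(): base fields always present, 'properties' filled on success,
    'error' added on any failure (context resolution included, so the contract holds)."""
    merge_params(kwargs)  # accepted for MCP compatibility, unused by this tool
    result = {"workspace_name": None, "resource_group": None, "subscription_id": None,
              "properties": {}, "additional_information": [
                  "For data connector details, use the `sentinel_connectors_list` tool.",
                  "For analytics rules details, use the `list_analytics_rules` tool."]}
    try:
        ws_name, rg, sub = resolve_azure_context(ctx, env)
        result.update(workspace_name=ws_name, resource_group=rg, subscription_id=sub)
        # asyncio.to_thread stands in for the project's run_in_thread helper.
        ws = await asyncio.to_thread(client.workspaces.get, rg, ws_name)
        result["properties"] = map_workspace_properties(ws)
    except Exception as ex:
        result["error"] = f"Error retrieving workspace info: {ex}"
    return result


class _FakeWorkspaces:
    """Constructed stand-in for LogAnalyticsManagementClient.workspaces."""
    def __init__(self, ws=None, fail=None):
        self.ws, self.fail = ws, fail

    def get(self, resource_group, workspace_name):
        if self.fail:
            raise self.fail
        return self.ws


def make_fake_client(ws=None, fail=None):
    return SimpleNamespace(workspaces=_FakeWorkspaces(ws, fail))


# Constructed sample data; the subscription id is a placeholder.
CONSTRUCTED_WS = SimpleNamespace(
    location="australiaeast", sku=SimpleNamespace(name="PerGB2018"), retention_in_days=90,
    daily_quota_gb=-1.0, public_network_access_for_ingestion="Enabled",
    public_network_access_for_query="Disabled")
CONSTRUCTED_ENV = {"AZURE_SUBSCRIPTION_ID": "00000000-0000-0000-0000-000000000000",
                   "AZURE_RESOURCE_GROUP": "rg-sentinel", "AZURE_WORKSPACE_NAME": "law-sentinel"}


def demo_success() -> dict:
    return asyncio.run(run_tool(None, make_fake_client(CONSTRUCTED_WS), CONSTRUCTED_ENV,
                                kwargs={"verbose": True}))


def demo_failure() -> dict:
    return asyncio.run(run_tool(None, make_fake_client(fail=PermissionError("AuthorizationFailed")),
                                CONSTRUCTED_ENV))


if __name__ == "__main__":
    ok = demo_success()
    print(ok["workspace_name"], exposure_findings(ok["properties"]))
    print(demo_failure()["error"])
```

Running the module prints the workspace name with the two findings raised by the constructed workspace, then the error string produced when the fake client raises. Moving context resolution inside the try block is the one deliberate difference from the page's run(): it keeps the "error cases always include an 'error' key" promise even when the Azure context itself is missing.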
Behavior: 1/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full burden for behavioral disclosure. It only states the action ('Get workspace information') without any details on permissions required, rate limits, response format, error conditions, or whether it's a read-only operation. The parenthetical note about refactoring and MCP compliance is irrelevant to behavior. This leaves the agent with critical gaps in understanding how the tool behaves.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 3/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is brief but inefficiently structured. The core purpose is stated upfront ('Get workspace information'), which is good, but the parenthetical '(refactored, MCP-compliant)' wastes space on non-functional details. It could be more concise by omitting the parenthetical and adding minimal useful context instead.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 1/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity (a tool with 1 undocumented parameter, no annotations, and no output schema), the description is severely incomplete. It doesn't explain what workspace information is retrieved, how to use the 'kwargs' parameter, what the output looks like, or any behavioral constraints. For a tool in a security context (Sentinel) with many siblings, this leaves the agent unable to use it effectively.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 1/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 1 parameter ('kwargs') with 0% description coverage, meaning the schema provides no semantic information. The description adds nothing about what 'kwargs' should contain (e.g., workspace ID, filter criteria) or how to format it. For a tool with undocumented parameters, the description fails to compensate, leaving the agent guessing about required inputs.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 3/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description states 'Get workspace information', which provides a clear verb ('Get') and resource ('workspace information'), establishing its basic purpose. However, it doesn't specify what type of workspace (e.g., Microsoft Sentinel workspace) or what information is retrieved, and the parenthetical '(refactored, MCP-compliant)' adds no functional clarity. It doesn't distinguish it from siblings like 'sentinel_metadata_get' or 'sentinel_authorization_summary', which might also retrieve workspace-related data.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. There's no mention of prerequisites, context (e.g., for Sentinel security operations), or comparison to sibling tools like 'sentinel_metadata_get' that might retrieve similar information. The agent must infer usage from the tool name alone, which is insufficient for informed selection.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dstreefkerk/ms-sentinel-mcp-server'