Sentinel MCP New Detection-Rule Drafting
When an analyst describes a detection idea (Teams/form), the flow asks the Sentinel MCP (Preview) to draft an analytics rule (KQL, entity mappings, severity), validates it, opens a pull request or change record for review, and on approval deploys the rule via ARM. Turns detection ideas into reviewed Sentinel rules.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow turns analyst detection ideas into reviewed Microsoft Sentinel analytics rules. When an analyst submits a detection idea via Microsoft Forms, the flow asks the Sentinel MCP (Preview) to draft an analytics rule (KQL, entity mappings, severity), validates the draft, opens an Azure DevOps work item (change record) and routes it through an Approval, and on approval deploys the rule to Sentinel via ARM.
Status: Built - FlowLibs CF-711. Ships Off (demo). Going live requires only connection authorization + environment-variable configuration.
Why it matters: Writing and reviewing detection rules is slow. MCP-assisted drafting plus a governed review/deploy path accelerates detection coverage safely - every rule is human-reviewed before it goes live.
Use Case
A detection-engineering / SOC team wants a fast, governed path from idea to deployed rule. An analyst describes a detection idea; the Sentinel MCP drafts the rule; an engineer reviews it in Azure DevOps and approves; the rule is deployed to Sentinel. Advisory drafting + mandatory human review keeps quality high.
Flow Architecture
| Step | Connector / action | What it does |
|---|---|---|
| When a new detection idea is submitted | Microsoft Forms / CreateFormWebhook | Analyst submits a detection idea (webhook trigger) |
| Get Detection Idea | Microsoft Forms / GetFormResponseById | Fetch the submitted idea by response id |
| Open MCP Session | Sentinel MCP / invokemcpknowledgeobjects | JSON-RPC initialize; capture Mcp-Session-Id |
| MCP Draft Rule | Sentinel MCP / invokemcpknowledgeobjects | tools/call to draft the analytics rule (reuses session) |
| Validate Drafted Rule | Condition (If) | Gate: only proceed if the draft is non-empty |
| Open ADO Change Record | Azure DevOps / HttpRequest | Create a Task work item (change record) holding the rule |
| Start Rule Review Approval | Approvals / StartAndWaitForAnApproval | Human review (Approve/Reject) |
| Check Approval Outcome | Condition (If) | On approve: Deploy Sentinel Rule via ARM (HTTP PUT) + notify deployed. On reject: notify rejected. Draft empty: notify draft failed. |
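The Open MCP Session, MCP Draft Rule and Validate steps at the JSON-RPC level, written here as an added example rather than the flow's own definition or the Sentinel MCP connector's action schema. The tool argument name `detection_idea`, the protocol version string and the constructed server responses are assumptions; the tool name is the page's `flowlibs_SentinelMcpDraftToolName` default.

```python
# Tool name taken from the page's flowlibs_SentinelMcpDraftToolName default.
DRAFT_TOOL = "draft_analytics_rule"
PROTOCOL_VERSION = "2025-03-26"  # assumed MCP protocol version string

def initialize_request(client_name="flowlibs-cf-711"):
    """Open MCP Session: the JSON-RPC initialize call (no session header exists yet)."""
    return {"jsonrpc": "2.0", "id": 1, "method": "initialize",
            "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                       "clientInfo": {"name": client_name, "version": "1.0"}}}

def session_id_from_headers(headers):
    """EXPR.03: capture Mcp-Session-Id from the initialize response, case-insensitively.
    None means the server issued no session; the flow should treat that as a failure."""
    for name, value in headers.items():
        if name.lower() == "mcp-session-id" and value.strip():
            return value.strip()
    return None

def draft_rule_request(session_id, idea_text, request_id=2):
    """MCP Draft Rule: tools/call reusing the session. Returns (headers, body).
    The 'detection_idea' argument name is an assumption, not the real tool's schema."""
    if not session_id:
        raise ValueError("tools/call requires the Mcp-Session-Id captured from initialize")
    body = {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": DRAFT_TOOL, "arguments": {"detection_idea": idea_text}}}
    return {"Mcp-Session-Id": session_id, "Content-Type": "application/json"}, body

def result_text(response_body):
    """EXPR.04: raw drafted-rule text, joined from the result's text content parts.
    A JSON-RPC error or a tool-side isError flag yields '' so the Validate gate fails closed."""
    result = response_body.get("result") or {}
    if "error" in response_body or result.get("isError"):
        return ""
    parts = result.get("content", [])
    return "\n".join(p.get("text", "") for p in parts if p.get("type") == "text").strip()

# Constructed server responses (not real Sentinel MCP output) to exercise the helpers.
INIT_HEADERS = {"Content-Type": "application/json", "Mcp-Session-Id": "sess-0123-constructed"}
DRAFT_RESPONSE = {"jsonrpc": "2.0", "id": 2, "result": {"content": [
    {"type": "text",
     "text": '{"displayName": "Draft", "severity": "Low", "query": "SigninLogs | take 1"}'}]}}
```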
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_DetectionIdeaFormId | String | REPLACE_WITH_FORM_ID | Microsoft Forms form id for detection-idea intake |
| flowlibs_SentinelMcpDraftToolName | String | draft_analytics_rule | Sentinel MCP tool that drafts the analytics rule |
| flowlibs_SentinelResourceId | String | /subscriptions/.../workspaces/... | Sentinel (Log Analytics) workspace ARM resource id |
| flowlibs_RuleRepo | String | sentinel-detections | Detection-as-code repo tag on the ADO work item |
| flowlibs_ADOAccount | String | your-org | Azure DevOps organization (HttpRequest account) |
| flowlibs_AdoProject | String | FlowLibs | Azure DevOps project |
| flowlibs_DeployApproverEmail | String | you@yourcompany.com | Approver / requestor fallback |
| flowlibs_ArmBaseUrl | String | https://management.azure.com | ARM base URL (drives the OAuth audience) |
| flowlibs_AzureSubscriptionId | String | <configure> | Azure subscription id |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Microsoft Forms | shared_microsoftforms | CreateFormWebhook GetFormResponseById |
| Microsoft Sentinel MCP (Preview) | shared_sentinelmcp | invokemcpknowledgeobjects |
| Azure DevOps | shared_visualstudioteamservices | HttpRequest |
| Approvals | shared_approvals | StartAndWaitForAnApproval |
| Office 365 Outlook | | Notification emails on deploy / reject / draft failed (see Check Approval Outcome) |
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- MCP tool & arguments
  - Set flowlibs_SentinelMcpDraftToolName to your tenant's actual rule-drafting tool; extend arguments in MCP Draft Rule with data source / MITRE context.
- Parse the draft
  - Initialize Drafted Rule stores the raw MCP result. In production, parse the JSON to pull query, severity, entityMappings into the Deploy Sentinel Rule body rather than passing the whole text as the query.
- Review target
  - Swap the ADO HttpRequest create-work-item for CreatePullRequest if you want a true detection-as-code PR.
- Rule schedule
  - Tune queryFrequency / queryPeriod / triggerThreshold in Deploy Sentinel Rule.
- MITRE tagging & rollback
  - Auto-map tactics/techniques; add a disable-on-false-positive-spike companion flow.
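A worked version of the "Parse the draft" customization and the Deploy Sentinel Rule body it feeds, added here as example code that is not part of the flow or the Sentinel MCP. The draft JSON field names, the `api-version` value and the constructed sample MCP text are assumptions; the ARM body fields follow the Scheduled analytics rule resource shape.

```python
import json

ALLOWED_SEVERITIES = {"High", "Medium", "Low", "Informational"}
API_VERSION = "2023-02-01"  # assumed; verify against current Microsoft.SecurityInsights docs

# Constructed sample of MCP tools/call result text (not real Sentinel MCP output):
SAMPLE_DRAFT = """Draft analytics rule:
{"displayName": "Failed sign-in burst per account", "severity": "Medium",
 "query": "SigninLogs | where ResultType != 0 | summarize n=count() by UserPrincipalName | where n > 20",
 "queryFrequency": "PT1H", "queryPeriod": "PT1H", "tactics": ["CredentialAccess"],
 "entityMappings": [{"entityType": "Account",
   "fieldMappings": [{"identifier": "FullName", "columnName": "UserPrincipalName"}]}]}"""

def parse_draft(raw_text):
    """Extract the JSON object from the raw MCP text (which may carry surrounding prose).
    None means empty/unparseable, i.e. the flow's 'draft failed' branch."""
    if not raw_text or "{" not in raw_text:
        return None
    try:
        draft = json.loads(raw_text[raw_text.find("{"):raw_text.rfind("}") + 1])
    except json.JSONDecodeError:
        return None
    return draft if isinstance(draft, dict) else None

def validate_draft(draft):
    """Return a list of problems; an empty list means the draft can go to review."""
    if not draft:
        return ["empty or unparseable draft"]
    problems = [f"missing {k}" for k in ("displayName", "query") if not str(draft.get(k, "")).strip()]
    if draft.get("severity") not in ALLOWED_SEVERITIES:
        problems.append("severity must be one of " + ", ".join(sorted(ALLOWED_SEVERITIES)))
    for i, em in enumerate(draft.get("entityMappings", [])):
        if not em.get("entityType") or not em.get("fieldMappings"):
            problems.append(f"entityMappings[{i}] needs entityType and fieldMappings")
    return problems

def build_arm_rule(draft, enabled=False):
    """Deploy Sentinel Rule PUT body; disabled by default so a reviewer enables it deliberately."""
    return {"kind": "Scheduled", "properties": {
        "displayName": draft["displayName"], "severity": draft["severity"], "enabled": enabled,
        "query": draft["query"], "queryFrequency": draft.get("queryFrequency", "PT1H"),
        "queryPeriod": draft.get("queryPeriod", "PT1H"), "triggerOperator": "GreaterThan",
        "triggerThreshold": draft.get("triggerThreshold", 0), "suppressionEnabled": False,
        "suppressionDuration": "PT5H", "tactics": draft.get("tactics", []),
        "entityMappings": draft.get("entityMappings", [])}}

def deploy_uri(arm_base, workspace_resource_id, rule_id):
    """PUT endpoint for the analytics rule (the shape EXPR.08 builds)."""
    return (f"{arm_base}{workspace_resource_id}/providers/Microsoft.SecurityInsights"
            f"/alertRules/{rule_id}?api-version={API_VERSION}")
```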
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
| Id | Expression | Purpose |
|---|---|---|
| EXPR.01 | Correlation id | First action, propagated everywhere |
| EXPR.02 | Forms response id | Submitted form response id |
| EXPR.03 | MCP session id (from header) | Captured from the initialize response header |
| EXPR.04 | MCP result text | Raw drafted-rule text from the MCP |
| EXPR.05 | Validate gate | Proceed only when the draft is non-empty |
| EXPR.06 | ADO work item URI | Create-Task work item endpoint |
| EXPR.07 | Approval outcome | Branch on approval result |
| EXPR.08 | Sentinel deploy URI | PUT endpoint for the analytics rule |
| EXPR.09 | ARM OAuth audience | OAuth audience for the ARM deploy |
Customize & download
Generate a ready-to-import copy of this solution with your environment-variable values baked in — available on Base, Pro, or Team.