Rubrik Sentinel Tools
БесплатноНе проверенEnables querying Rubrik Security Cloud protection and threat data in Microsoft Sentinel via KQL-based custom MCP tools for backup posture, compliance, anomaly t
Описание
Enables querying Rubrik Security Cloud protection and threat data in Microsoft Sentinel via KQL-based custom MCP tools for backup posture, compliance, anomaly triage, and recovery readiness.
README
Alpha-ready custom MCP tool collection for Rubrik Security Cloud data in Microsoft Sentinel, optimized for teams using Claude Code.
This repository is for a Rubrik ISV developer, partner engineer, or joint customer team that wants an agent surface such as Claude Code, GitHub Copilot in VS Code, Copilot Studio, Foundry, Security Copilot, or a product-owned agent to call focused Rubrik investigation tools over Sentinel data.
The repo does not ingest or generate telemetry. It assumes the customer already has one or both official Rubrik Security Cloud Sentinel connectors sending production data into Sentinel:
| Rubrik source | Sentinel table queried by these tools | Required signal |
|---|---|---|
| Rubrik Security Cloud Protection Status CCF connector | RubrikProtectionStatus_CL |
Backup/protection posture fields such as AssetName, ObjectType, ProtectionStatus, ComplianceStatus, SlaDomainName, MissedSnapshots, LocalStorage, ArchiveStorage, ReplicaStorage, and DataReduction |
| Rubrik webhook events Azure Function connector | Rubrik_Anomaly_Data_CL, Rubrik_Ransomware_Data_CL, Rubrik_ThreatHunt_Data_CL, Rubrik_Events_Data_CL |
Event fields such as severity_s, summary_s, custom_details_eventName_s, custom_details_objectName_s, custom_details_objectId_g, custom_details_objectType_s, and cluster details |
Protection-status tools reduce RubrikProtectionStatus_CL to the latest row per AssetId before counting or summing. This avoids over-counting the same asset across repeated connector polls.
What this publishes
scripts/publish-mcp-tools.py calls the Sentinel Platform Services authoring API and publishes each file in mcp-tools/*.kql as a Kqs custom MCP tool under one collection, defaulting to:
Rubrik-Sentinel-MCP-Tools
Runtime endpoint:
https://sentinel.microsoft.com/mcp/custom/Rubrik-Sentinel-MCP-Tools/
Tools
| Tool | Main table(s) | What it answers |
|---|---|---|
Rubrik_Backup_Posture_Summary |
RubrikProtectionStatus_CL |
What is the current Rubrik protection/compliance posture across assets, snapshots, storage, clusters, and SLA domains? |
Rubrik_Out_Of_Compliance_Assets |
RubrikProtectionStatus_CL |
Which assets are out of snapshot, archival, or replication compliance? |
Rubrik_Unprotected_Asset_Hunt |
RubrikProtectionStatus_CL |
Which assets are unprotected, awaiting first full, or have no recovery points? |
Rubrik_Snapshot_Failure_Triage |
RubrikProtectionStatus_CL |
Where are missed snapshots and archival/replication lag concentrated? |
Rubrik_Storage_Capacity_Risk |
RubrikProtectionStatus_CL |
Which Rubrik clusters show storage, archive, replica, or poor data-reduction risk? |
Rubrik_Ransomware_Recovery_Readiness |
RubrikProtectionStatus_CL |
How ready is the environment for ransomware recovery based on protection, SLA compliance, missed snapshots, and secondary copy posture? |
Rubrik_Threat_Monitoring_Matches |
Rubrik_Events_Data_CL |
Which threat-monitoring hash/YARA/file-hash matches were reported by Rubrik? |
Rubrik_Anomaly_Ransomware_Triage |
Rubrik_Anomaly_Data_CL, Rubrik_Ransomware_Data_CL, Rubrik_ThreatHunt_Data_CL |
What anomaly/ransomware/threat-hunt events are active, by source table and severity? |
Rubrik_Asset_Recovery_Readiness |
RubrikProtectionStatus_CL |
For a supplied AssetName, what is the asset's recovery readiness, SLA, snapshot, storage, and compliance context? |
For detailed usage, input arguments, KQL strategy, and expected output shape, see docs/tool-reference.md.
Prerequisites
- A Microsoft Sentinel workspace with Sentinel Platform Services / data lake enabled.
- Production Rubrik data already flowing into
RubrikProtectionStatus_CLand/or the Rubrik webhook event tables. - Azure CLI authenticated to the tenant that owns the Sentinel workspace:
az login az account set --subscription "<subscription-id-or-name>" - Permission to author custom MCP collections in Sentinel Platform Services.
- Python 3.9+.
- Claude Code installed if you want the Claude-first local workflow.
This is an alpha/private-preview style surface. The publisher and runtime both use the Sentinel Platform Services resource ID 4500ebfb-89b6-4b14-a480-7f749797bfcd. In practice:
- The tenant must have Microsoft Sentinel data lake and the required Microsoft Defender / Sentinel Platform Services licensing enabled.
- To create, update, or delete custom tools, use an identity with Security Operator, Security Administrator, or Global Administrator privileges for the Microsoft Security experience plus read access to the target Sentinel workspace.
- To list or invoke the tools, use an identity with Security Reader or Global Reader privileges plus read access to the target Sentinel workspace.
- If API publishing is unavailable in your tenant, create the same KQL as custom tools through the Microsoft Defender portal / Advanced hunting "Save as tool" flow, then use the same runtime endpoint pattern.
Quick start for Claude Code
Clone, install, publish, and generate a Claude Code MCP config:
git clone https://github.com/MitchellGulledge3/rubrik-sentinel-mcp-tools.git
cd rubrik-sentinel-mcp-tools
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python3 scripts/publish-mcp-tools.py \
--collection Rubrik-Sentinel-MCP-Tools \
--workspace-id "<workspace-customer-id>"
TOKEN=$(az account get-access-token \
--resource 4500ebfb-89b6-4b14-a480-7f749797bfcd \
--query accessToken -o tsv)
python3 scripts/write-claude-mcp-config.py \
--collection Rubrik-Sentinel-MCP-Tools \
--bearer-token "$TOKEN"
This writes a gitignored .mcp.json that Claude Code can use as a project MCP configuration. The token is short-lived; rerun the token/config command when it expires.
Suggested Claude Code prompt from the repo root:
Read this repo. Use the Rubrik-Sentinel-MCP-Tools MCP server from .mcp.json.
List the available Rubrik tools, then call Rubrik_Backup_Posture_Summary for workspace <workspace-customer-id>.
After that, call Rubrik_Ransomware_Recovery_Readiness and summarize which recovery gaps matter most.
Asset-specific prompt:
Use Rubrik_Asset_Recovery_Readiness for asset prd-sql-cluster-01 in workspace <workspace-customer-id>.
Summarize whether this asset has a current recovery point, SLA drift, archival/replication lag, and secondary copy coverage.
Run locally from the terminal
Copy environment template:
cp .env.example .envEdit
.env:SENTINEL_MCP_COLLECTION=Rubrik-Sentinel-MCP-Tools MCP_DEFAULT_ARGUMENTS={"workspaceId":"<workspace-customer-id>"} MCP_TOOL_ARGUMENT_TEMPLATE={} # Optional fallback: # ASSET_NAME=prd-sql-cluster-01Run tools:
python3 run_tools.py --prompt "Summarize Rubrik backup posture" --show-raw python3 run_tools.py --prompt "Score Rubrik ransomware recovery readiness" --show-raw python3 run_tools.py --prompt "Investigate Rubrik asset prd-sql-cluster-01" --show-raw
The runner calls the real custom MCP endpoint at https://sentinel.microsoft.com/mcp/custom/<collection>/ using Azure credentials.
Run locally from VS Code / GitHub Copilot
VS Code needs an MCP server registration that includes an access token for Sentinel Platform Services:
TOKEN=$(az account get-access-token \
--resource 4500ebfb-89b6-4b14-a480-7f749797bfcd \
--query accessToken -o tsv)
python3 scripts/write-vscode-mcp-config.py \
--collection Rubrik-Sentinel-MCP-Tools \
--bearer-token "$TOKEN"
This writes .vscode/mcp.json with the HTTP MCP endpoint and Authorization: Bearer <token> header. The file is gitignored because it contains a bearer token.
Configure any MCP-capable agent
Register this remote MCP endpoint in any MCP-capable agent runtime that supports authenticated HTTP MCP servers:
https://sentinel.microsoft.com/mcp/custom/Rubrik-Sentinel-MCP-Tools/
At runtime, every tool requires:
{
"workspaceId": "<workspace-customer-id>"
}
Rubrik_Asset_Recovery_Readiness also requires:
{
"AssetName": "prd-sql-cluster-01"
}
workspaceId is the workspace customer ID the Sentinel custom MCP runtime uses to bind the KQL execution target. The KQL text itself does not call workspace("<id>"); target selection is handled by the platform tool runtime.
Repository map
| Path | Purpose |
|---|---|
mcp-tools/*.kql |
Production-table KQL definitions published as custom MCP tools |
scripts/publish-mcp-tools.py |
API publisher for the Sentinel custom MCP collection |
scripts/write-claude-mcp-config.py |
Writes a gitignored Claude Code .mcp.json config with a short-lived bearer token |
scripts/write-vscode-mcp-config.py |
Writes a gitignored VS Code MCP config with a short-lived bearer token |
run_tools.py |
Local runner that selects a tool from a natural-language prompt and calls the custom MCP endpoint |
sentinel_mcp_tools/client.py |
Minimal JSON-RPC client for Sentinel custom MCP endpoints |
docs/tool-reference.md |
Deep explanation of every tool and how agents should use it |
docs/sample-output.md |
Captured/sanitized sample output from local runs |
docs/runbook.md |
Alpha handoff runbook for Rubrik and customer teams |
Notes for alpha users
- The tools are read-only KQL tools.
- Protection-status tools query
RubrikProtectionStatus_CL. - Webhook event tools query
Rubrik_Anomaly_Data_CL,Rubrik_Ransomware_Data_CL,Rubrik_ThreatHunt_Data_CL, andRubrik_Events_Data_CL. - If a workspace has no Rubrik rows, the tools execute but return zero-row or zero-count output.
Установка Rubrik Sentinel Tools
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/MitchellGulledge3/rubrik-sentinel-mcp-toolsFAQ
Rubrik Sentinel Tools MCP бесплатный?
Да, Rubrik Sentinel Tools MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Rubrik Sentinel Tools?
Нет, Rubrik Sentinel Tools работает без API-ключей и переменных окружения.
Rubrik Sentinel Tools — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Rubrik Sentinel Tools в Claude Desktop, Claude Code или Cursor?
Открой Rubrik Sentinel Tools на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Rubrik Sentinel Tools with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
