calseta://detection-rules

Returns all detection rules with metadata and documentation. Example response:
[
  {
    "uuid": "dr-abc123-...",
    "name": "Suspicious Auth - Impossible Travel",
    "severity": "High",
    "mitre_tactics": ["TA0001"],
    "mitre_techniques": ["T1078"],
    "documentation": "## Overview\nDetects authentication from two geographically distant locations..."
  }
]

calseta://detection-rules/

Returns a single detection rule with full documentation. URI parameters:
| Parameter | Type   | Description                              |
|-----------|--------|------------------------------------------|
| uuid      | string | The detection rule's unique identifier   |
Example response:
{
  "uuid": "dr-abc123-...",
  "name": "Suspicious Auth - Impossible Travel",
  "source_rule_id": "SENTINEL-IR-001",
  "severity": "High",
  "mitre_tactics": ["TA0001"],
  "mitre_techniques": ["T1078"],
  "data_sources": ["Azure AD Sign-in Logs"],
  "false_positive_tags": ["vpn", "travel"],
  "documentation": "## Overview\nDetects authentication from two geographically distant locations within a short time window.\n\n## False Positives\n- VPN users switching regions\n- Business travel\n\n## Recommended Response\n1. Check travel requests\n2. Verify source IPs\n3. Revoke sessions if unauthorized"
}
Token optimization: Detection rule documentation is included inline — agents don’t need a separate call to understand what a detection rule does.
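As an added example (not part of the calseta documentation or client), a small Python consumer of this response shape: it splits the inline documentation into its sections and indexes rules by MITRE technique, so an agent can answer "what is the recommended response for T1078?" from the single resource read. The sample response and its uuid are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like this page's calseta://detection-rules
# response; the uuid is a placeholder, not a real rule identifier.
SAMPLE_RESPONSE = json.dumps([{
    "uuid": "dr-placeholder-0001",
    "name": "Suspicious Auth - Impossible Travel",
    "severity": "High",
    "mitre_tactics": ["TA0001"],
    "mitre_techniques": ["T1078"],
    "false_positive_tags": ["vpn", "travel"],
    "documentation": (
        "## Overview\nDetects authentication from two geographically distant "
        "locations within a short time window.\n\n"
        "## False Positives\n- VPN users switching regions\n- Business travel\n\n"
        "## Recommended Response\n1. Check travel requests\n2. Verify source IPs\n"
        "3. Revoke sessions if unauthorized"
    ),
}])


def parse_documentation(doc: str) -> dict:
    """Split the inline markdown into {heading: [items]}; list and number
    markers ('- ', '1. ') are stripped, item order is preserved."""
    sections, current = {}, None
    for line in doc.splitlines():
        heading = re.match(r"^##\s+(.+?)\s*$", line)
        if heading:
            current = heading.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(re.sub(r"^(?:-|\d+\.)\s*", "", line.strip()))
    return sections


def index_by_technique(response_json: str) -> dict:
    """Map each MITRE technique id to the rules that cover it, with the
    parsed documentation attached so no second resource read is needed."""
    by_technique = defaultdict(list)
    for rule in json.loads(response_json):
        entry = {"uuid": rule["uuid"], "name": rule["name"],
                 "severity": rule["severity"],
                 "docs": parse_documentation(rule.get("documentation", ""))}
        for technique in rule.get("mitre_techniques", []):
            by_technique[technique].append(entry)
    return dict(by_technique)
```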

Required Scope

alerts:read