naftiko: 1.0.0-alpha2
info:
  label: SaaS Alerts MSP Security Monitoring
  description: Unified security monitoring capability for Managed Service Providers using SaaS Alerts. Combines event detection, alert management, customer visibility, and user risk monitoring into a single workflow for MSP security operations teams.
  tags:
    - SaaS Alerts
    - MSP
    - SaaS Security
    - Threat Detection
    - Incident Response
  created: '2026-05-02'
  modified: '2026-05-06'
binds:
  - namespace: env
    keys:
      SAAS_ALERTS_API_KEY: SAAS_ALERTS_API_KEY
capability:
  consumes:
    - type: http
      namespace: saas-alerts
      baseUri: https://api.saasalerts.com
      description: SaaS Alerts REST API for MSP security monitoring
      authentication:
        type: apikey
        key: X-API-Key
        value: '{{SAAS_ALERTS_API_KEY}}'
        placement: header
      resources:
        - name: events
          path: /reports/events
          description: Security events detected across monitored SaaS applications
          operations:
            - name: list-security-events
              method: GET
              description: List security events with optional filtering by type, severity, application, and date range
              inputParameters:
                - name: eventType
                  in: query
                  type: string
                  required: false
                  description: Filter by event type (e.g., login.failure, data.exfiltration)
                - name: alertStatus
                  in: query
                  type: string
                  required: false
                  description: 'Filter by severity: low, medium, or critical'
                - name: application
                  in: query
                  type: string
                  required: false
                  description: Filter by SaaS application
                - name: customerId
                  in: query
                  type: string
                  required: false
                  description: Filter by customer identifier
                - name: startDate
                  in: query
                  type: string
                  required: false
                  description: Start date for filtering (ISO 8601)
                - name: endDate
                  in: query
                  type: string
                  required: false
                  description: End date for filtering (ISO 8601)
                - name: pageSize
                  in: query
                  type: integer
                  required: false
                  description: Results per page (max 100)
                - name: page
                  in: query
                  type: integer
                  required: false
                  description: Page number
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: event-query
          path: /reports/event/query
          description: Structured JSON query against SaaS Alerts event indexes
          operations:
            - name: query-security-events
              method: POST
              description: Execute structured query against SaaS Alerts event data with multiple filter conditions
              inputParameters: []
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  eventTypes: '{{tools.eventTypes}}'
                  alertStatus: '{{tools.alertStatus}}'
                  startDate: '{{tools.startDate}}'
                  endDate: '{{tools.endDate}}'
                  customerIds: '{{tools.customerIds}}'
                  applications: '{{tools.applications}}'
        - name: alerts
          path: /reports/alerts
          description: Security alerts generated by anomalous behavior detection
          operations:
            - name: list-alerts
              method: GET
              description: List active and historical security alerts
              inputParameters:
                - name: alertStatus
                  in: query
                  type: string
                  required: false
                  description: Filter by severity
                - name: resolved
                  in: query
                  type: boolean
                  required: false
                  description: Filter by resolution status
                - name: customerId
                  in: query
                  type: string
                  required: false
                  description: Filter by customer
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: customers
          path: /reports/customers
          description: MSP customer tenants being monitored
          operations:
            - name: list-customers
              method: GET
              description: List all monitored MSP customer tenants
              inputParameters:
                - name: pageSize
                  in: query
                  type: integer
                  required: false
                  description: Results per page
                - name: page
                  in: query
                  type: integer
                  required: false
                  description: Page number
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: users
          path: /reports/users
          description: Users monitored across customer tenants
          operations:
            - name: list-users
              method: GET
              description: List monitored users with activity summary and risk indicators
              inputParameters:
                - name: customerId
                  in: query
                  type: string
                  required: false
                  description: Filter by customer
                - name: application
                  in: query
                  type: string
                  required: false
                  description: Filter by application
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  exposes:
    - type: rest
      port: 8080
      namespace: msp-security-monitoring-api
      description: Unified REST API for MSP SaaS security monitoring and incident response.
      resources:
        - path: /v1/events
          name: events
          description: Security events detected across all monitored SaaS applications
          operations:
            - method: GET
              name: list-events
              description: List security events with filtering by type, severity, application, and date range
              call: saas-alerts.list-security-events
              with:
                eventType: rest.eventType
                alertStatus: rest.alertStatus
                application: rest.application
                customerId: rest.customerId
                startDate: rest.startDate
                endDate: rest.endDate
                pageSize: rest.pageSize
                page: rest.page
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: query-events
              description: Execute structured event query with complex filter conditions
              call: saas-alerts.query-security-events
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/alerts
          name: alerts
          description: Security alerts generated by anomalous behavior detection
          operations:
            - method: GET
              name: list-alerts
              description: List active and historical security alerts
              call: saas-alerts.list-alerts
              with:
                alertStatus: rest.alertStatus
                resolved: rest.resolved
                customerId: rest.customerId
                startDate: rest.startDate
                endDate: rest.endDate
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/customers
          name: customers
          description: MSP customer tenants under monitoring
          operations:
            - method: GET
              name: list-customers
              description: List all monitored MSP customer tenants
              call: saas-alerts.list-customers
              with:
                pageSize: rest.pageSize
                page: rest.page
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/users
          name: users
          description: Users monitored across all customer tenants
          operations:
            - method: GET
              name: list-users
              description: List monitored users with risk scores and activity summaries
              call: saas-alerts.list-users
              with:
                customerId: rest.customerId
                application: rest.application
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      port: 9090
      namespace: msp-security-monitoring-mcp
      transport: http
      description: MCP server for AI-assisted MSP SaaS security monitoring and threat investigation.
      tools:
        - name: list-security-events
          description: List SaaS security events across monitored applications. Filter by event type (login.failure, data.exfiltration, impossible.travel, etc.), severity (low/medium/critical), application, and date range.
          hints:
            readOnly: true
            openWorld: false
          call: saas-alerts.list-security-events
          with:
            eventType: tools.eventType
            alertStatus: tools.alertStatus
            application: tools.application
            customerId: tools.customerId
            startDate: tools.startDate
            endDate: tools.endDate
          outputParameters:
            - type: object
              mapping: $.
        - name: query-security-events
          description: Execute a structured query against SaaS Alerts event indexes. Supports complex filtering on multiple event types, severities, applications, and customers simultaneously.
          hints:
            readOnly: true
            openWorld: false
          call: saas-alerts.query-security-events
          outputParameters:
            - type: object
              mapping: $.
        - name: list-security-alerts
          description: List security alerts triggered by anomalous behavior detection. Filter by severity and resolution status to prioritize incident response.
          hints:
            readOnly: true
            openWorld: false
          call: saas-alerts.list-alerts
          with:
            alertStatus: tools.alertStatus
            resolved: tools.resolved
            customerId: tools.customerId
          outputParameters:
            - type: object
              mapping: $.
        - name: list-customers
          description: List all MSP customer tenants being monitored. Returns customer IDs, names, monitored applications, user counts, and monitoring status.
          hints:
            readOnly: true
            openWorld: false
          call: saas-alerts.list-customers
          outputParameters:
            - type: object
              mapping: $.
        - name: list-monitored-users
          description: List users monitored across customer tenants including activity summaries, risk scores, and alert counts. Use to identify high-risk users for investigation.
          hints:
            readOnly: true
            openWorld: false
          call: saas-alerts.list-users
          with:
            customerId: tools.customerId
            application: tools.application
          outputParameters:
            - type: object
              mapping: $.