SaaS Alerts · Capability

SaaS Alerts MSP Security Monitoring

Unified security monitoring capability for Managed Service Providers using SaaS Alerts. Combines event detection, alert management, customer visibility, and user risk monitoring into a single workflow for MSP security operations teams.

SaaS Alerts · MSP · SaaS Security · Threat Detection · Incident Response

What You Can Do

GET /v1/events: List events — List security events with filtering by type, severity, application, and date range
POST /v1/events: Query events — Execute structured event query with complex filter conditions
GET /v1/alerts: List alerts — List active and historical security alerts
GET /v1/customers: List customers — List all monitored MSP customer tenants
GET /v1/users: List users — List monitored users with risk scores and activity summaries

MCP Tools

list-security-events (read-only)

List SaaS security events across monitored applications. Filter by event type (login.failure, data.exfiltration, impossible.travel, etc.), severity (low/medium/critical), application, and date range.

query-security-events (read-only)

Execute a structured query against SaaS Alerts event indexes. Supports complex filtering on multiple event types, severities, applications, and customers simultaneously.

list-security-alerts (read-only)

List security alerts triggered by anomalous behavior detection. Filter by severity and resolution status to prioritize incident response.

list-customers (read-only)

List all MSP customer tenants being monitored. Returns customer IDs, names, monitored applications, user counts, and monitoring status.

list-monitored-users (read-only)

List users monitored across customer tenants including activity summaries, risk scores, and alert counts. Use to identify high-risk users for investigation.

APIs Used

saas-alerts

Capability Spec

naftiko: "1.0.0-alpha1"

info:
  label: "SaaS Alerts MSP Security Monitoring"
  description: "Unified security monitoring capability for Managed Service Providers using SaaS Alerts. Combines event detection, alert management, customer visibility, and user risk monitoring into a single workflow for MSP security operations teams."
  tags:
    - SaaS Alerts
    - MSP
    - SaaS Security
    - Threat Detection
    - Incident Response
  created: "2026-05-02"
  modified: "2026-05-02"

binds:
  - namespace: env
    keys:
      SAAS_ALERTS_API_KEY: SAAS_ALERTS_API_KEY

capability:
  consumes:
    - import: saas-alerts
      location: ./shared/saas-alerts.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: msp-security-monitoring-api
      description: "Unified REST API for MSP SaaS security monitoring and incident response."
      resources:
        - path: /v1/events
          name: events
          description: "Security events detected across all monitored SaaS applications"
          operations:
            - method: GET
              name: list-events
              description: "List security events with filtering by type, severity, application, and date range"
              call: "saas-alerts.list-security-events"
              with:
                eventType: "rest.eventType"
                alertStatus: "rest.alertStatus"
                application: "rest.application"
                customerId: "rest.customerId"
                startDate: "rest.startDate"
                endDate: "rest.endDate"
                pageSize: "rest.pageSize"
                page: "rest.page"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: query-events
              description: "Execute structured event query with complex filter conditions"
              call: "saas-alerts.query-security-events"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/alerts
          name: alerts
          description: "Security alerts generated by anomalous behavior detection"
          operations:
            - method: GET
              name: list-alerts
              description: "List active and historical security alerts"
              call: "saas-alerts.list-alerts"
              with:
                alertStatus: "rest.alertStatus"
                resolved: "rest.resolved"
                customerId: "rest.customerId"
                startDate: "rest.startDate"
                endDate: "rest.endDate"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/customers
          name: customers
          description: "MSP customer tenants under monitoring"
          operations:
            - method: GET
              name: list-customers
              description: "List all monitored MSP customer tenants"
              call: "saas-alerts.list-customers"
              with:
                pageSize: "rest.pageSize"
                page: "rest.page"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/users
          name: users
          description: "Users monitored across all customer tenants"
          operations:
            - method: GET
              name: list-users
              description: "List monitored users with risk scores and activity summaries"
              call: "saas-alerts.list-users"
              with:
                customerId: "rest.customerId"
                application: "rest.application"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: msp-security-monitoring-mcp
      transport: http
      description: "MCP server for AI-assisted MSP SaaS security monitoring and threat investigation."
      tools:
        - name: list-security-events
          description: "List SaaS security events across monitored applications. Filter by event type (login.failure, data.exfiltration, impossible.travel, etc.), severity (low/medium/critical), application, and date range."
          hints:
            readOnly: true
            openWorld: false
          call: "saas-alerts.list-security-events"
          with:
            eventType: "tools.eventType"
            alertStatus: "tools.alertStatus"
            application: "tools.application"
            customerId: "tools.customerId"
            startDate: "tools.startDate"
            endDate: "tools.endDate"
          outputParameters:
            - type: object
              mapping: "$."
        - name: query-security-events
          description: "Execute a structured query against SaaS Alerts event indexes. Supports complex filtering on multiple event types, severities, applications, and customers simultaneously."
          hints:
            readOnly: true
            openWorld: false
          call: "saas-alerts.query-security-events"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-security-alerts
          description: "List security alerts triggered by anomalous behavior detection. Filter by severity and resolution status to prioritize incident response."
          hints:
            readOnly: true
            openWorld: false
          call: "saas-alerts.list-alerts"
          with:
            alertStatus: "tools.alertStatus"
            resolved: "tools.resolved"
            customerId: "tools.customerId"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-customers
          description: "List all MSP customer tenants being monitored. Returns customer IDs, names, monitored applications, user counts, and monitoring status."
          hints:
            readOnly: true
            openWorld: false
          call: "saas-alerts.list-customers"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-monitored-users
          description: "List users monitored across customer tenants including activity summaries, risk scores, and alert counts. Use to identify high-risk users for investigation."
          hints:
            readOnly: true
            openWorld: false
          call: "saas-alerts.list-users"
          with:
            customerId: "tools.customerId"
            application: "tools.application"
          outputParameters:
            - type: object
              mapping: "$."