feat(tracing): opt-in Application Insights / OpenTelemetry support (#42)

Wires azure-monitor-opentelemetry as an opt-in [tracing] extra. When APPLICATIONINSIGHTS_CONNECTION_STRING is set, src.common.tracing.configure_tracing() initialises Azure Monitor and instruments FastAPI + httpx + logging spans; otherwise it is a no-op so the offline path is unaffected.

Bicep gains an enableAppInsights switch that provisions a workspace-based App Insights resource and injects the connection string + OTEL_SERVICE_NAME via Container App secrets. Docker image now installs the [tracing] extra by default so cloud deployments work out of the box.

Closes the v0.8 roadmap item.

Author: NobufumiMurata

Dockerfile

@@ -13,7 +13,7 @@ WORKDIR /app
 COPY pyproject.toml README.md LICENSE ./
 COPY src ./src
 
-RUN pip install --upgrade pip && pip install .
+RUN pip install --upgrade pip && pip install ".[tracing]"
 
 # Create non-root user.
 RUN useradd --create-home --uid 10001 appuser

README.md

@@ -60,6 +60,8 @@ One `Deploy to Azure` click → Container Apps (scale-to-zero, < $5/month idle)
 | `GREYNOISE_API_KEY` | `/greynoise/*` | Free Community key from <https://viz.greynoise.io/signup> → *Account → API Key*. Required for GreyNoise classification. |
 | `ABUSEIPDB_API_KEY` | `/abuseipdb/*` | Free key from <https://www.abuseipdb.com/register> → *API → Create Key* (1000 req/day). Required for AbuseIPDB checks. |
 | `OTX_API_KEY` | `/otx/*` | Free key from <https://otx.alienvault.com/> → *Settings → API Integration*. Required for AlienVault OTX indicator lookups. |
+| `APPLICATIONINSIGHTS_CONNECTION_STRING` | All routes (tracing) | Optional. When set, the app initialises [Azure Monitor OpenTelemetry](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-enable?tabs=python) and ships FastAPI / `httpx` / logging spans to Application Insights. Leave unset to keep the stack fully offline. The Bicep template can provision an App Insights resource and inject this automatically — pass `enableAppInsights=true`. |
+| `OTEL_SERVICE_NAME` | Tracing | Optional override for the OpenTelemetry `service.name` resource attribute. Defaults to `copilot-mcp-soc-pack`. |
 
 > **Conditional registration**: Tools requiring an upstream key
 > (`abusech`, `greynoise`, `abuseipdb`, `otx`) are registered **only**
@@ -232,7 +234,7 @@ See [mcp-client-config/](./mcp-client-config/) for ready-to-use configurations.
 - [x] v0.5 AlienVault OTX + Have I Been Pwned, smoke harness, `#ExamplePrompts` planner hints, **Public Preview**
 - [x] v0.6 Reliability hardening (httpx retries with backoff, LRU-bounded TTL cache, `/ready` probe), per-tool unit tests, mypy in CI, Dependabot, single-source version, PR-based workflow
 - [x] v0.7 OSV.dev + CIRCL hashlookup + MITRE D3FEND, full upstream-retry coverage across every tool, codified `request_with_retry` convention
-- [ ] v0.8 Promptbook samples, structured eval harness, Application Insights tracing
+- [x] v0.8 Promptbook samples ([docs/promptbook.md](./docs/promptbook.md)), structured live eval harness ([docs/eval.md](./docs/eval.md)), opt-in Application Insights tracing (`APPLICATIONINSIGHTS_CONNECTION_STRING` + Bicep `enableAppInsights`)
 - [ ] v1.0 Hardening (Managed Identity inbound, custom metrics, Sentinel Workbook), GA based on Preview feedback
 
 ## Known limitations
@@ -242,7 +244,7 @@ This is a **Public Preview**. The following are intentional gaps today; PRs and
 - **Inbound auth is API key only.** No Managed Identity, no Entra ID inbound, no per-caller RBAC. Rotate the shared `MCP_SOC_PACK_API_KEY` regularly.
 - **In-memory TTL cache only.** Cache resets on every cold start (which is expected at scale-to-zero). v0.6 added an LRU eviction cap (default 1024 entries) so long-running replicas no longer leak memory; there is still no Redis or shared cache across replicas.
 - **Single region.** The `Deploy to Azure` button provisions one Container Apps environment. There is no multi-region active-active sample yet.
-- **Observability is logs only.** Container App logs land in a Log Analytics workspace; there are no custom metrics, traces, or a Workbook yet.
+- **Observability ships logs + opt-in traces.** Container App logs land in a Log Analytics workspace. Application Insights distributed tracing is opt-in via `APPLICATIONINSIGHTS_CONNECTION_STRING` (or the Bicep `enableAppInsights=true` switch). There are no custom metrics or a packaged Sentinel Workbook yet.
 - **`/health` and `/openapi.json` are intentionally un-authenticated** to support Container App probes and OpenAPI ingestion. Restrict ingress (Front Door, IP allow-list, private endpoint) if this is unacceptable.
 - **OpenAPI is downgraded to 3.0.1 at runtime.** Microsoft Security Copilot rejects 3.1; downstream tools that rely on 3.1 features should consume the FastAPI source instead of `/openapi.json`.
 - **No Sentinel Workbook / Foundry agent sample bundled yet.** Planned for v0.8+.

deploy/azuredeploy.json

@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.42.1.51946",
-      "templateHash": "678075599944877869"
+      "version": "0.41.2.15936",
+      "templateHash": "16082163654774733647"
     }
   },
   "parameters": {
@@ -67,6 +67,13 @@
         "description": "Free AlienVault OTX API key (https://otx.alienvault.com/, Settings -> API Integration). Required for /otx/* endpoints. Leave empty to disable."
       }
     },
+    "enableAppInsights": {
+      "type": "bool",
+      "defaultValue": false,
+      "metadata": {
+        "description": "Provision a workspace-based Application Insights resource and inject APPLICATIONINSIGHTS_CONNECTION_STRING into the container. Requires the image to ship the optional `tracing` extra (default image does)."
+      }
+    },
     "minReplicas": {
       "type": "int",
       "defaultValue": 0,
@@ -88,7 +95,8 @@
   },
   "variables": {
     "logAnalyticsName": "[format('{0}-logs', parameters('containerAppName'))]",
-    "environmentName": "[format('{0}-env', parameters('containerAppName'))]"
+    "environmentName": "[format('{0}-env', parameters('containerAppName'))]",
+    "appInsightsName": "[format('{0}-ai', parameters('containerAppName'))]"
   },
   "resources": [
     {
@@ -106,6 +114,24 @@
         }
       }
     },
+    {
+      "condition": "[parameters('enableAppInsights')]",
+      "type": "Microsoft.Insights/components",
+      "apiVersion": "2020-02-02",
+      "name": "[variables('appInsightsName')]",
+      "location": "[parameters('location')]",
+      "kind": "web",
+      "properties": {
+        "Application_Type": "web",
+        "WorkspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsName'))]",
+        "IngestionMode": "LogAnalytics",
+        "publicNetworkAccessForIngestion": "Enabled",
+        "publicNetworkAccessForQuery": "Enabled"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.OperationalInsights/workspaces', variables('logAnalyticsName'))]"
+      ]
+    },
     {
       "type": "Microsoft.App/managedEnvironments",
       "apiVersion": "2024-03-01",
@@ -138,7 +164,7 @@
             "transport": "auto",
             "allowInsecure": false
           },
-          "secrets": "[concat(if(empty(parameters('apiKey')), createArray(), createArray(createObject('name', 'api-key', 'value', parameters('apiKey')))), if(empty(parameters('abuseChAuthKey')), createArray(), createArray(createObject('name', 'abusech-auth-key', 'value', parameters('abuseChAuthKey')))), if(empty(parameters('greynoiseApiKey')), createArray(), createArray(createObject('name', 'greynoise-api-key', 'value', parameters('greynoiseApiKey')))), if(empty(parameters('abuseIpdbApiKey')), createArray(), createArray(createObject('name', 'abuseipdb-api-key', 'value', parameters('abuseIpdbApiKey')))), if(empty(parameters('otxApiKey')), createArray(), createArray(createObject('name', 'otx-api-key', 'value', parameters('otxApiKey')))))]"
+          "secrets": "[concat(if(empty(parameters('apiKey')), createArray(), createArray(createObject('name', 'api-key', 'value', parameters('apiKey')))), if(empty(parameters('abuseChAuthKey')), createArray(), createArray(createObject('name', 'abusech-auth-key', 'value', parameters('abuseChAuthKey')))), if(empty(parameters('greynoiseApiKey')), createArray(), createArray(createObject('name', 'greynoise-api-key', 'value', parameters('greynoiseApiKey')))), if(empty(parameters('abuseIpdbApiKey')), createArray(), createArray(createObject('name', 'abuseipdb-api-key', 'value', parameters('abuseIpdbApiKey')))), if(empty(parameters('otxApiKey')), createArray(), createArray(createObject('name', 'otx-api-key', 'value', parameters('otxApiKey')))), if(parameters('enableAppInsights'), createArray(createObject('name', 'applicationinsights-connection-string', 'value', reference(resourceId('Microsoft.Insights/components', variables('appInsightsName')), '2020-02-02').ConnectionString)), createArray()))]"
         },
         "template": {
           "containers": [
@@ -149,7 +175,7 @@
                 "cpu": "[json('0.5')]",
                 "memory": "1.0Gi"
               },
-              "env": "[concat(if(empty(parameters('apiKey')), createArray(), createArray(createObject('name', 'MCP_SOC_PACK_API_KEY', 'secretRef', 'api-key'))), if(empty(parameters('abuseChAuthKey')), createArray(), createArray(createObject('name', 'ABUSE_CH_AUTH_KEY', 'secretRef', 'abusech-auth-key'))), if(empty(parameters('greynoiseApiKey')), createArray(), createArray(createObject('name', 'GREYNOISE_API_KEY', 'secretRef', 'greynoise-api-key'))), if(empty(parameters('abuseIpdbApiKey')), createArray(), createArray(createObject('name', 'ABUSEIPDB_API_KEY', 'secretRef', 'abuseipdb-api-key'))), if(empty(parameters('otxApiKey')), createArray(), createArray(createObject('name', 'OTX_API_KEY', 'secretRef', 'otx-api-key'))))]",
+              "env": "[concat(if(empty(parameters('apiKey')), createArray(), createArray(createObject('name', 'MCP_SOC_PACK_API_KEY', 'secretRef', 'api-key'))), if(empty(parameters('abuseChAuthKey')), createArray(), createArray(createObject('name', 'ABUSE_CH_AUTH_KEY', 'secretRef', 'abusech-auth-key'))), if(empty(parameters('greynoiseApiKey')), createArray(), createArray(createObject('name', 'GREYNOISE_API_KEY', 'secretRef', 'greynoise-api-key'))), if(empty(parameters('abuseIpdbApiKey')), createArray(), createArray(createObject('name', 'ABUSEIPDB_API_KEY', 'secretRef', 'abuseipdb-api-key'))), if(empty(parameters('otxApiKey')), createArray(), createArray(createObject('name', 'OTX_API_KEY', 'secretRef', 'otx-api-key'))), if(parameters('enableAppInsights'), createArray(createObject('name', 'APPLICATIONINSIGHTS_CONNECTION_STRING', 'secretRef', 'applicationinsights-connection-string'), createObject('name', 'OTEL_SERVICE_NAME', 'value', parameters('containerAppName'))), createArray()), createArray(createObject('name', 'MCP_SOC_PACK_PUBLIC_BASE_URL', 'value', format('https://{0}.{1}', parameters('containerAppName'), reference(resourceId('Microsoft.App/managedEnvironments', variables('environmentName')), '2024-03-01').defaultDomain))))]",
               "probes": [
                 {
                   "type": "Liveness",
@@ -179,6 +205,7 @@
         }
       },
       "dependsOn": [
+        "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]",
         "[resourceId('Microsoft.App/managedEnvironments', variables('environmentName'))]"
       ]
     }
@@ -199,6 +226,10 @@
     "mcpSseUrl": {
       "type": "string",
       "value": "[format('https://{0}/mcp/', reference(resourceId('Microsoft.App/containerApps', parameters('containerAppName')), '2024-03-01').configuration.ingress.fqdn)]"
+    },
+    "appInsightsName": {
+      "type": "string",
+      "value": "[if(parameters('enableAppInsights'), variables('appInsightsName'), '')]"
     }
   }
 }

deploy/main.bicep

@@ -35,6 +35,8 @@ param abuseIpdbApiKey string = ''
 @description('Free AlienVault OTX API key (https://otx.alienvault.com/, Settings -> API Integration). Required for /otx/* endpoints. Leave empty to disable.')
 @secure()
 param otxApiKey string = ''
+@description('Provision a workspace-based Application Insights resource and inject APPLICATIONINSIGHTS_CONNECTION_STRING into the container. Requires the image to ship the optional `tracing` extra (default image does).')
+param enableAppInsights bool = false
 @description('Minimum number of replicas. Set 0 for scale-to-zero.')
 @minValue(0)
 @maxValue(5)
@@ -47,6 +49,7 @@ param maxReplicas int = 3
 
 var logAnalyticsName = '${containerAppName}-logs'
 var environmentName = '${containerAppName}-env'
+var appInsightsName = '${containerAppName}-ai'
 
 resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
   name: logAnalyticsName
@@ -62,6 +65,19 @@ resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
   }
 }
 
+resource appInsights 'Microsoft.Insights/components@2020-02-02' = if (enableAppInsights) {
+  name: appInsightsName
+  location: location
+  kind: 'web'
+  properties: {
+    Application_Type: 'web'
+    WorkspaceResourceId: logAnalytics.id
+    IngestionMode: 'LogAnalytics'
+    publicNetworkAccessForIngestion: 'Enabled'
+    publicNetworkAccessForQuery: 'Enabled'
+  }
+}
+
 resource environment 'Microsoft.App/managedEnvironments@2024-03-01' = {
   name: environmentName
   location: location
@@ -118,7 +134,13 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
             name: 'otx-api-key'
             value: otxApiKey
           }
-        ]
+        ],
+        enableAppInsights ? [
+          {
+            name: 'applicationinsights-connection-string'
+            value: appInsights!.properties.ConnectionString
+          }
+        ] : []
       )
     }
     template: {
@@ -161,6 +183,16 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
                 secretRef: 'otx-api-key'
               }
             ],
+            enableAppInsights ? [
+              {
+                name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+                secretRef: 'applicationinsights-connection-string'
+              }
+              {
+                name: 'OTEL_SERVICE_NAME'
+                value: containerAppName
+              }
+            ] : [],
             // Public base URL injected into the OpenAPI `servers[]` block.
             // Required for Microsoft Security Copilot's Agent Builder
             // API Tool importer to resolve operation base URLs (the
@@ -207,3 +239,4 @@ output fqdn string = containerApp.properties.configuration.ingress.fqdn
 output endpoint string = 'https://${containerApp.properties.configuration.ingress.fqdn}'
 output openApiUrl string = 'https://${containerApp.properties.configuration.ingress.fqdn}/openapi.json'
 output mcpSseUrl string = 'https://${containerApp.properties.configuration.ingress.fqdn}/mcp/'
+output appInsightsName string = enableAppInsights ? appInsights!.name : ''

docs/tracing.md

@@ -0,0 +1,62 @@
+# Application Insights tracing
+
+The SOC Pack ships an **opt-in** [Azure Monitor OpenTelemetry](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-enable?tabs=python) integration that emits FastAPI HTTP server spans, outbound `httpx` client spans, and structured logs to Application Insights. It is **disabled by default** — leaving the connection string unset keeps the stack fully offline.
+
+## What gets instrumented
+
+`src/common/tracing.py` calls `azure.monitor.opentelemetry.configure_azure_monitor()` plus `FastAPIInstrumentor.instrument_app()`. With those two switches you get:
+
+- One server span per inbound HTTP request to any FastAPI route (including `/openapi.json` and the `/mcp/` SSE endpoint).
+- One client span per outbound call made through the shared `httpx.AsyncClient` in `src/common/http.py` (so every upstream call to KEV, EPSS, abuse.ch, OTX, OSV, ransomware.live, etc. is traced).
+- Standard `logging` records emitted by the app are forwarded as Application Insights traces.
+
+The `service.name` resource attribute defaults to `copilot-mcp-soc-pack` and can be overridden with `OTEL_SERVICE_NAME`.
+
+## Enabling tracing
+
+### 1. Bicep (recommended)
+
+`deploy/main.bicep` now supports a `enableAppInsights` parameter. When set to `true` it provisions a workspace-based Application Insights resource backed by the same Log Analytics workspace, then injects `APPLICATIONINSIGHTS_CONNECTION_STRING` and `OTEL_SERVICE_NAME` into the Container App as a secret-backed env var pair.
+
+```bash
+az deployment group create \
+  --resource-group rg-copilot-mcp-soc-pack \
+  --template-file deploy/main.bicep \
+  --parameters apiKey=$(openssl rand -hex 32) \
+               enableAppInsights=true
+```
+
+### 2. Bring-your-own connection string
+
+If you already have an Application Insights resource (or are running outside Bicep), set the env var directly on the Container App / your local shell:
+
+```bash
+export APPLICATIONINSIGHTS_CONNECTION_STRING="InstrumentationKey=...;IngestionEndpoint=https://..."
+export OTEL_SERVICE_NAME="copilot-mcp-soc-pack-prod"
+uvicorn src.app:app --host 0.0.0.0 --port 8080
+```
+
+The published Docker image (`ghcr.io/nobufumimurata/copilot-mcp-soc-pack:latest`) is already built with the `[tracing]` extra, so no extra install steps are needed in the cloud. For local installs from source, use `pip install ".[tracing]"`.
+
+## Verifying it works
+
+After enabling tracing and triggering a couple of requests (`scripts/smoke.ps1` or any tool call), open the App Insights resource in the Azure portal and check:
+
+- **Application map**: `copilot-mcp-soc-pack` should appear with downstream nodes for each upstream API hostname (e.g. `api.first.org`, `urlhaus-api.abuse.ch`).
+- **Transaction search → Dependencies**: filter by `target` to see per-upstream latency and HTTP status counts.
+- **Failures**: any 4xx/5xx surfaced by `request_with_retry` will show up here with the retry count visible in the span attributes.
+
+A useful KQL starter query (in the App Insights Logs blade):
+
+```kusto
+dependencies
+| where cloud_RoleName == "copilot-mcp-soc-pack"
+| summarize count(), avg(duration), percentiles(duration, 50, 95) by target, resultCode
+| order by count_ desc
+```
+
+## Disabling
+
+Unset `APPLICATIONINSIGHTS_CONNECTION_STRING` (or set it to an empty string) and restart the app. `configure_tracing()` will log `Application Insights tracing disabled: APPLICATIONINSIGHTS_CONNECTION_STRING is not set.` at startup and skip all OpenTelemetry initialisation.
+
+If you want to drop the dependency entirely, install without the extra (`pip install .` instead of `pip install ".[tracing]"`). The lazy import in `src/common/tracing.py` will detect the missing module and log a warning, but the app still starts normally.

pyproject.toml

@@ -22,6 +22,14 @@ dependencies = [
 ]
 
 [project.optional-dependencies]
+tracing = [
+    # Application Insights / OpenTelemetry. Imported lazily by
+    # src.common.tracing and only initialised when
+    # APPLICATIONINSIGHTS_CONNECTION_STRING is set. Install with
+    # `pip install ".[tracing]"` (the published Docker image already
+    # ships this extra).
+    "azure-monitor-opentelemetry>=1.6",
+]
 dev = [
     "pytest>=8.0",
     "pytest-asyncio>=0.24",

src/app.py

@@ -21,6 +21,7 @@
 from src import __version__
 from src.common.http import get_client
 from src.common.openapi_compat import downgrade_to_3_0_1
+from src.common.tracing import configure_tracing
 from src.tools import (
     abusech,
     abuseipdb,
@@ -206,6 +207,11 @@ def _clean_operation_id(route: APIRoute) -> str:
         allow_headers=["Authorization", "Content-Type", "X-API-Key"],
     )
 
+# Optional Application Insights tracing. No-op when
+# APPLICATIONINSIGHTS_CONNECTION_STRING is unset or the
+# `azure-monitor-opentelemetry` package is not installed.
+configure_tracing(app)
+
 
 @app.get("/health", tags=["meta"], summary="Liveness probe")
 def health() -> dict[str, str]: