Anywhere MCP Server

A Model Context Protocol (MCP) server for integrating with Levelblue USM Anywhere platform. This server provides secure access to security monitoring data including alarms, events, and threat intelligence through the USM Anywhere API v2.0.

Features

OAuth 2.0 Authentication: Secure authentication using client credentials flow
USM Anywhere API Integration: Access to alarms, events, and security data
Legacy OTX Support: Backward compatibility with AlienVault OTX API
Type-Safe: Built with TypeScript and Zod validation
MCP Protocol: Standard Model Context Protocol implementation

Available Tools

USM Anywhere API v2.0 Tools

get_alarms - Retrieve security alarms with filtering options
get_events - Retrieve security events with filtering options
get_alarm_details - Get detailed information about a specific alarm
get_event_details - Get detailed information about a specific event

Legacy OTX API Tools

search_pulses - Search threat intelligence pulses
get_indicator - Get indicator information (IP, domain, hash)
get_pulse - Get detailed pulse information

Installation

Clone the repository:

git clone https://github.com/jballesteros/anywhere-mcp-server.git
cd anywhere-mcp-server

Install dependencies:

npm install

Build the project:

npm run build

Configuration

USM Anywhere API (Primary)

Create a .env file with your USM Anywhere credentials:

# USM Anywhere API v2.0 Configuration
ANYWHERE_CLIENT_ID=your_client_id
ANYWHERE_CLIENT_SECRET=your_client_secret
ANYWHERE_SUBDOMAIN=your_subdomain

# Legacy OTX API (Optional)
OTX_API_KEY=your_otx_api_key

Getting USM Anywhere Credentials

Log into your USM Anywhere console
Navigate to Settings > API Keys
Create a new API key with appropriate permissions
Note your subdomain from the URL (e.g., company.alienvault.cloud)

Usage

Starting the Server

npm start

Using with MCP Clients

Add to your MCP client configuration:

{
  "mcpServers": {
    "anywhere": {
      "command": "node",
      "args": ["/path/to/anywhere-mcp-server/dist/index.js"],
      "env": {
        "ANYWHERE_CLIENT_ID": "your_client_id",
        "ANYWHERE_CLIENT_SECRET": "your_client_secret", 
        "ANYWHERE_SUBDOMAIN": "your_subdomain"
      }
    }
  }
}

Example Tool Calls

Get Recent Alarms

{
  "tool": "get_alarms",
  "arguments": {
    "account_name": "Anywhere",
    "page": 0,
    "size": 10,
    "sort": "timestamp_occured,desc"
  }
}

Get Events by Source

{
  "tool": "get_events", 
  "arguments": {
    "account_name": "Anywhere",
    "source_name": "firewall-01",
    "size": 20
  }
}

Search Threat Intelligence

{
  "tool": "search_pulses",
  "arguments": {
    "query": "malware",
    "limit": 5
  }
}

API Reference

USM Anywhere API Methods

getAlarms(accountName, options) - Retrieve security alarms
getEvents(accountName, options) - Retrieve security events
getAlarmDetails(alarmId) - Get specific alarm details
getEventDetails(eventId) - Get specific event details

Legacy OTX API Methods

searchPulses(query, limit) - Search threat intelligence
getIndicator(indicator, section) - Get indicator information
getPulse(pulseId) - Get pulse details

Development

Building

npm run build

Development Mode

npm run dev

Cleaning Build Files

npm run clean

Error Handling

The server includes comprehensive error handling:

OAuth token refresh automation
API rate limiting respect
Detailed error messages
Graceful fallbacks

Security

OAuth 2.0 client credentials flow
Secure token management
Environment variable configuration
No hardcoded credentials

Contributing

Fork the repository
Create a feature branch
Make your changes
Add tests if applicable
Submit a pull request

License

This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.

Author

Javier Ballesteros

Email: javier.ballesteros@gmail.com
GitHub: @javierb507

Support

For issues and questions:

GitHub Issues: anywhere-mcp-server/issues
Email: javier.ballesteros@gmail.com

Changelog

v1.0.0

Initial release
USM Anywhere API v2.0 integration
OAuth 2.0 authentication
Legacy OTX API support
MCP protocol implementation

This server cannot be installed

security - not tested

license - not found

quality - not tested

remote-capable server

The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.

A Model Context Protocol server that integrates with AT&T Cybersecurity's USM Anywhere platform, providing secure access to security monitoring data including alarms, events, and threat intelligence.

Related MCP Servers

Toolkit MCP Server
cyanheads
A
security
A
license
A
quality
A Model Context Protocol server that provides LLM Agents with a comprehensive toolset for IP geolocation, network diagnostics, system monitoring, cryptographic operations, and QR code generation.
Last updated -
16
3
4
TypeScript
Apache 2.0
Mattermost MCP Server
kakehashi-inc
-
security
A
license
-
quality
A Model Context Protocol server that connects to Mattermost, allowing AI models to monitor and process messages from specific teams and channels in real-time via SSE or Standard I/O transport modes.
Last updated -
1
TypeScript
MIT License
IR Toolshed MCP Server
rossja
-
security
A
license
-
quality
A Model Context Protocol server that provides network analysis tools for security professionals, enabling AI models like Claude to perform tasks such as ASN lookups, DNS analysis, WHOIS retrieval, and IP geolocation for security investigations.
Last updated -
1
Python
Apache 2.0
Enrichment MCP Server
MSAdministrator
A
security
F
license
A
quality
A Model Context Protocol server that enables users to perform third-party enrichment lookups for security observables (IP addresses, domains, URLs, emails) through services like VirusTotal, Shodan, and others.
Last updated -
1
Python

View all related MCP servers

Anywhere MCP Server