Skip to main content
Glama

Security Infrastructure MCP Server

by jmstar85
npmGitHub
TypeScript
32
10
  • Apple
OverviewInspectNewSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue

Security Infrastructure MCP Servers

A comprehensive collection of MCP (Model Context Protocol) server implementations for security platform integrations.

🔐 Supported Platforms

Splunk SIEM

  • SPL Query Execution: Execute Search Processing Language queries with custom time ranges
  • Event Search: Search security events across all indexes with flexible filtering
  • Time-based Analysis: Support for relative time ranges (-24h, -1d) and custom time windows
  • Asynchronous Job Management: Create and monitor search jobs with automatic result retrieval
  • JSON Result Format: Structured output for seamless integration with other tools

CrowdStrike EDR

  • Detection Search: Query detections using FQL (Falcon Query Language) with advanced filtering
  • Detection Details: Retrieve comprehensive detection summaries and metadata
  • OAuth 2.0 Authentication: Secure API access using client credentials flow
  • Sorting and Pagination: Flexible result ordering and limit controls
  • Real-time Threat Data: Access to latest endpoint detection and response information

Microsoft MISP

  • Event Search: Query MISP events with customizable filters and event type targeting
  • IOC Attribute Search: Search indicators of compromise by value, type, or category
  • Multi-format Support: Handle various IOC types (IP addresses, domains, hashes, URLs)
  • Published Status Filtering: Filter events by publication status
  • RESTful API Integration: Native MISP REST API support with JSON responses

📖 Live Documentation

Complete documentation and code examples: https://jmstar85.github.io/SecurityInfrastructure

Features available in the live documentation:

  • 📋 Complete server implementation code
  • 🔍 Real-time search and filtering
  • 📱 Responsive mobile support
  • 📑 One-click code copying
  • 🗂️ Organized by categories

🚀 Quick Start

For MCP Client Integration (Claude Desktop)

# 1. Clone the repository git clone https://github.com/jmstar85/SecurityInfrastructure.git cd SecurityInfrastructure # 2. Install dependencies pip install -r project-requirements.txt # 3. Configure credentials cp .env.example .env # Edit .env with your platform credentials # 4. Add to Claude Desktop configuration # Copy config/mcp-settings.json content to your Claude Desktop config # Location: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) # Update the "cwd" paths and environment variables with your values

For Standalone Server Usage

# Start individual MCP servers python src/splunk_server.py # Runs on localhost:8080 python src/crowdstrike_server.py # Runs on localhost:8081 python src/misp_server.py # Runs on localhost:8082 # Or use Docker for all services docker-compose up -d # Run tests to verify connectivity pytest tests/test_mcp_servers.py -v

🔧 MCP Server Tools

Splunk SIEM Tools

  • search-events: Execute SPL queries with time range filtering
    # Example: Search for failed login attempts in last 24 hours query = "index=security sourcetype=auth action=failure" earliest_time = "-24h"

CrowdStrike EDR Tools

  • search-detections: Query detections using FQL filtering
    # Example: Search for high severity detections filter_query = "max_severity:'high'" sort = "created_timestamp.desc"

MISP Tools

  • search-events: Query threat intelligence events
  • search-attributes: Search IOCs by type, value, or category
    # Example: Search for IP-based IOCs type = "ip-dst" category = "Network activity"

📁 Project Structure

SecurityInfrastructure/ ├── docs/ # GitHub Pages documentation │ ├── index.html # Main documentation page │ └── assets/ # CSS, JS resources ├── src/ # MCP server source code │ ├── splunk_server.py # Splunk SIEM integration │ ├── crowdstrike_server.py # CrowdStrike EDR integration │ └── misp_server.py # Microsoft MISP integration ├── config/ # Configuration files │ └── mcp-settings.json # MCP client configuration template ├── tests/ # Unit tests ├── mcp-config.json # Basic MCP configuration ├── .env.example # Environment variables template ├── INSTALLATION.md # Detailed setup guide ├── docker-compose.yml # Container configuration └── project-requirements.txt # Python dependencies

🔧 MCP Client Configuration

Claude Desktop Setup

Configuration File Location:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json

Basic Configuration:

{ "mcpServers": { "security-infrastructure-splunk": { "command": "python", "args": ["/path/to/SecurityInfrastructure/src/splunk_server.py"], "env": { "SPLUNK_HOST": "your-splunk-host.com", "SPLUNK_TOKEN": "your-api-token" } } } }

Complete setup instructions: See INSTALLATION.md for detailed configuration guide. Quick setup: See setup-guide.md for copy-paste configuration templates.

💻 Usage Examples

Once configured with Claude Desktop, you can use natural language to interact with your security platforms:

Splunk SIEM Queries

"Search for failed SSH login attempts in the last 6 hours" "Find all authentication events from IP 192.168.1.100" "Show me high priority security alerts from yesterday" "Search for events in the security index containing 'malware'"

CrowdStrike EDR Queries

"Show me all high severity detections from today" "Find endpoint detections with 'ransomware' behavior" "List recent detections sorted by creation time" "Search for detections on hostname 'web-server-01'"

MISP Threat Intelligence

"Search for events related to APT29" "Find all IP address indicators of compromise" "Look up domain indicators from the last week" "Search for published threat intelligence events about phishing"

Cross-Platform Analysis

"Search Splunk for events related to this CrowdStrike detection ID" "Check MISP for threat intelligence on this suspicious IP from Splunk" "Correlate this endpoint detection with known threat indicators"

🔧 Configuration Examples

Splunk Connection

splunk: host: "your-splunk-server.com" port: 8089 username: "admin" token: "your-api-token" verify_ssl: true

CrowdStrike Authentication

crowdstrike: client_id: "your-client-id" client_secret: "your-client-secret" base_url: "https://api.crowdstrike.com"

MISP Setup

misp: url: "https://your-misp-instance.com" key: "your-api-key" verifycert: true

🛠️ Key Features

Core Functionality

  • MCP Protocol Integration: Native Model Context Protocol server implementation
  • Asynchronous Operations: Non-blocking API calls for optimal performance
  • Multi-platform Support: Unified interface for Splunk, CrowdStrike, and MISP
  • Flexible Query Language: Support for SPL, FQL, and MISP REST queries

Security & Authentication

  • Multiple Auth Methods: Session-based, token-based, and OAuth 2.0 authentication
  • SSL/TLS Support: Configurable certificate verification for secure connections
  • API Key Management: Secure credential handling and rotation support
  • Error Recovery: Automatic token refresh and connection retry mechanisms

Data Processing

  • Real-time Search: Live querying across security platforms
  • Structured Output: Consistent JSON response format across all integrations
  • Time Range Flexibility: Custom time windows and relative time specifications
  • Result Pagination: Configurable limits and sorting for large datasets

Development & Testing

  • Comprehensive Testing: Unit tests with pytest framework
  • Docker Support: Containerized deployment with docker-compose
  • Configuration Management: YAML-based configuration with environment variable support
  • Logging & Monitoring: Structured logging with configurable levels

📋 Requirements

  • Python 3.11+
  • Access credentials for security platforms (API keys, tokens)
  • MCP-compatible client (Claude Desktop, or other MCP clients)
  • Docker & Docker Compose (optional, for containerized deployment)

🔐 Required Credentials

Splunk SIEM

  • API Token (recommended) or Username/Password
  • Host/Port information for your Splunk instance
  • Search permissions on target indexes

CrowdStrike EDR

  • Client ID and Client Secret from Falcon Console
  • API permissions: Detections (READ), Hosts (READ), Incidents (READ)
  • Appropriate Base URL for your region

Microsoft MISP

  • API Key generated from MISP user profile
  • MISP instance URL
  • Read access to events and attributes

🤝 Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/new-feature)
  3. Commit your changes (git commit -am 'Add new feature')
  4. Push to the branch (git push origin feature/new-feature)
  5. Create a Pull Request

📄 License

This project is provided for security research and educational purposes.

If you find this useful, please give it a star!

This server cannot be installed

-
security - not tested
F
license - not found
-
quality - not tested

How are these scores calculated?

A comprehensive implementation of Model Context Protocol servers enabling natural language interactions with security platforms including Splunk SIEM, CrowdStrike EDR, and Microsoft MISP for threat intelligence querying and analysis.

  1. 🔐 Supported Platforms
    1. Splunk SIEM
    2. CrowdStrike EDR
    3. Microsoft MISP
  2. 📖 Live Documentation
    1. 🚀 Quick Start
      1. For MCP Client Integration (Claude Desktop)
      2. For Standalone Server Usage
    2. 🔧 MCP Server Tools
      1. Splunk SIEM Tools
      2. CrowdStrike EDR Tools
      3. MISP Tools
    3. 📁 Project Structure
      1. 🔧 MCP Client Configuration
        1. Claude Desktop Setup
      2. 💻 Usage Examples
        1. Splunk SIEM Queries
        2. CrowdStrike EDR Queries
        3. MISP Threat Intelligence
        4. Cross-Platform Analysis
      3. 🔧 Configuration Examples
        1. Splunk Connection
        2. CrowdStrike Authentication
        3. MISP Setup
      4. 🛠️ Key Features
        1. Core Functionality
        2. Security & Authentication
        3. Data Processing
        4. Development & Testing
      5. 📋 Requirements
        1. 🔐 Required Credentials
          1. Splunk SIEM
          2. CrowdStrike EDR
          3. Microsoft MISP
        2. 🤝 Contributing
          1. 📄 License
            1. 🔗 Related Links

              Related MCP Servers

              • OpenCTI MCP Server

                Spathodea-Network
                A
                security
                A
                license
                A
                quality
                A Model Context Protocol server that facilitates integration with OpenCTI, allowing users to query and retrieve cyber threat intelligence data via a standardized interface.
                Last updated -
                16
                7
                TypeScript
                MIT License

              • Windows Command Line MCP Server

                alxspiker
                A
                security
                A
                license
                A
                quality
                A secure Model Context Protocol server that allows AI models to safely interact with Windows command-line functionality, enabling controlled execution of system commands, project creation, and system information retrieval.
                Last updated -
                8
                3
                TypeScript
                MIT License

              • IR Toolshed MCP Server

                rossja
                -
                security
                A
                license
                -
                quality
                A Model Context Protocol server that provides network analysis tools for security professionals, enabling AI models like Claude to perform tasks such as ASN lookups, DNS analysis, WHOIS retrieval, and IP geolocation for security investigations.
                Last updated -
                1
                Python
                Apache 2.0
                • Linux
                • Apple

              • Enrichment MCP Server

                synackpwn
                -
                security
                -
                license
                -
                quality
                A Model Context Protocol server that performs third-party threat intelligence enrichment for various observables (IP addresses, domains, URLs, emails) using services like VirusTotal, Shodan, and AbuseIPDB.
                Last updated -

              View all related MCP servers

              New MCP Servers

              MCP directory API

              We provide all the information about MCP servers via our MCP API.

              curl -X GET 'https://glama.ai/api/mcp/v1/servers/jmstar85/SecurityInfrastructure'

              If you have feedback or need assistance with the MCP directory API, please join our Discord server