Provides tools for querying CrowdStrike EDR detections using FQL with advanced filtering, retrieving detection details, accessing real-time threat data, and sorting/pagination of results.
Offers MISP (Malware Information Sharing Platform) integration for searching threat intelligence events, querying IOC attributes by type/value/category, and handling various indicator formats with publication status filtering.
Enables executing SPL queries with time range filtering, searching security events across indexes, time-based analysis, and managing asynchronous search jobs with structured JSON output.
Security Infrastructure MCP Servers
A comprehensive collection of secure MCP (Model Context Protocol) server implementations for security platform integrations with enterprise-grade security hardening.
🛡️ Security-First Design
This project has undergone comprehensive security hardening to address critical vulnerabilities and implement security best practices:
✅ Security Improvements (Latest Update)
- 🔴 HIGH Severity Fixes:
- SPL injection prevention with query sanitization and dangerous command blocking
- Secure XML parsing using defusedxml to prevent XXE attacks
- Complete removal of hardcoded credentials from all configuration files
- 🟡 MEDIUM Severity Fixes:
- Enforced TLS 1.2+ with strong cipher suites for all API communications
- Comprehensive input validation and sanitization across all servers
- Prevention of command execution risks and injection attacks
- Error message sanitization to prevent information disclosure
- 🔵 Additional Security Features:
- FQL/SPL injection attack prevention with pattern matching
- SSL certificate validation enforcement
- Data sanitization for API responses
- Secure configuration templates with safe placeholders
- Comprehensive .gitignore to prevent credential exposure
🔒 Security Documentation
See SECURITY.md for comprehensive security guidelines, configuration best practices, and vulnerability reporting procedures.
🔐 Supported Platforms
Splunk SIEM
- Secure SPL Query Execution: Execute Search Processing Language queries with injection prevention
- Event Search: Search security events across all indexes with sanitized filtering
- Time-based Analysis: Validated time ranges and custom time windows
- Asynchronous Job Management: Create and monitor search jobs with secure result retrieval
- JSON Result Format: Structured output with sensitive data filtering
CrowdStrike EDR
- Secure Detection Search: Query detections using validated FQL (Falcon Query Language)
- Detection Details: Retrieve sanitized detection summaries and metadata
- OAuth 2.0 Authentication: Secure API access with proper token management
- Input Validation: Comprehensive parameter validation and whitelisting
- Real-time Threat Data: Access to latest endpoint detection data with security filtering
Microsoft MISP
- Event Search: Query MISP events with input sanitization and validation
- IOC Attribute Search: Search indicators with XSS and injection prevention
- Multi-format Support: Handle various IOC types with content validation
- SSL Security: Enforced certificate verification with security warnings
- RESTful API Integration: Secure MISP REST API support with error sanitization
🚀 Quick Start
Installation
Secure Configuration
🔧 MCP Server Tools
Splunk SIEM Tools (Security Hardened)
search-events
: Execute sanitized SPL queries with injection prevention
CrowdStrike EDR Tools (Security Hardened)
search-detections
: Query detections with FQL validation and whitelisting
MISP Tools (Security Hardened)
search-events
: Query threat intelligence with input sanitizationsearch-attributes
: Search IOCs with XSS and injection prevention
📁 Optimized Project Structure
Note: Frontend components, unnecessary Node.js files, and development artifacts have been removed to minimize attack surface and optimize security posture.
🔧 Secure MCP Client Configuration
Claude Desktop Setup (Secure)
Configuration File Location:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json
- Windows:
%APPDATA%\Claude\claude_desktop_config.json
Secure Configuration Template:
⚠️ Security Note: Never commit real credentials to version control. Use the provided templates and replace placeholders with actual values.
💻 Secure Usage Examples
Once securely configured with Claude Desktop, you can use natural language to interact with your security platforms:
Splunk SIEM Queries (Injection-Safe)
CrowdStrike EDR Queries (Validated)
MISP Threat Intelligence (Sanitized)
🛠️ Security Features
Core Security Implementations
- Input Validation: Comprehensive sanitization and validation of all user inputs
- Injection Prevention: Protection against SPL, FQL, SQL, and XSS injection attacks
- Secure Communications: Enforced HTTPS/TLS 1.2+ with strong cipher suites
- Error Sanitization: Generic error messages to prevent information disclosure
- Authentication Security: Secure token/credential handling with proper validation
Security Architecture
- Multiple Auth Methods: Session-based, token-based, and OAuth 2.0 with secure defaults
- SSL/TLS Enforcement: Mandatory certificate verification for all connections
- API Security: Rate limiting, timeout enforcement, and connection pooling limits
- Configuration Security: Safe templates, credential masking, and .gitignore protection
Data Protection
- Output Sanitization: Removal of sensitive fields from API responses
- Credential Management: No hardcoded secrets, environment variable protection
- Logging Security: Sensitive data filtering in logs and audit trails
- Session Management: Proper token expiration and secure storage
📋 Requirements
- Python 3.11+
- Secure access credentials for security platforms (properly configured)
- MCP-compatible client (Claude Desktop recommended)
- SSL/TLS certificates for production deployments
🔐 Secure Credential Management
Splunk SIEM (Secure Setup)
- API Token (strongly recommended) with minimal required permissions
- HTTPS endpoint verification required
- Search permissions limited to necessary indexes only
CrowdStrike EDR (Secure Setup)
- Client ID and Client Secret with principle of least privilege
- API permissions: Detections (READ), limited scope
- Base URL validation and HTTPS enforcement
Microsoft MISP (Secure Setup)
- API Key with read-only permissions when possible
- MISP instance URL with SSL certificate validation
- Timeout settings configured for security
🧪 Security Validation
This project includes comprehensive security validation:
📊 Security Metrics
- Vulnerability Status: All HIGH and MEDIUM severity issues resolved
- Security Coverage: 83% of security validation tests passed
- Code Quality: Comprehensive input validation and error handling
- Attack Surface: Minimized through component removal and optimization
🤝 Contributing
- Fork the repository
- Create a feature branch (
git checkout -b feature/security-enhancement
) - Follow security guidelines in SECURITY.md
- Add security tests for new features
- Commit with security validation (
git commit -am 'Add secure feature'
) - Push to the branch (
git push origin feature/security-enhancement
) - Create a Pull Request with security review checklist
📄 License
This project is provided for security research and educational purposes with a focus on secure implementation practices.
🔗 Security Resources
- SECURITY.md - Security guidelines and best practices
- MCP Protocol Documentation
- OWASP Security Guidelines
- Platform API Security Documentation
🚨 Security Reporting
If you discover a security vulnerability, please:
- Do not create a public issue
- Email security details to the maintainer
- Allow reasonable time for fixes before disclosure
- Follow responsible disclosure practices
⭐ If you find this secure implementation useful, please give it a star!
Latest Security Update: December 2024 - Comprehensive security hardening with vulnerability remediation and optimization.
This server cannot be installed
A comprehensive implementation of Model Context Protocol servers enabling natural language interactions with security platforms including Splunk SIEM, CrowdStrike EDR, and Microsoft MISP for threat intelligence querying and analysis.
- 🛡️ Security-First Design
- 🔐 Supported Platforms
- 🚀 Quick Start
- 🔧 MCP Server Tools
- 📁 Optimized Project Structure
- 🔧 Secure MCP Client Configuration
- 💻 Secure Usage Examples
- 🛠️ Security Features
- 📋 Requirements
- 🔐 Secure Credential Management
- 🧪 Security Validation
- 📊 Security Metrics
- 🤝 Contributing
- 📄 License
- 🔗 Security Resources
- 🚨 Security Reporting
Related MCP Servers
- AsecurityAlicenseAqualityA Model Context Protocol server that facilitates integration with OpenCTI, allowing users to query and retrieve cyber threat intelligence data via a standardized interface.Last updated -167TypeScriptMIT License
- AsecurityAlicenseAqualityA secure Model Context Protocol server that allows AI models to safely interact with Windows command-line functionality, enabling controlled execution of system commands, project creation, and system information retrieval.Last updated -83TypeScriptMIT License
- -securityAlicense-qualityA Model Context Protocol server that provides network analysis tools for security professionals, enabling AI models like Claude to perform tasks such as ASN lookups, DNS analysis, WHOIS retrieval, and IP geolocation for security investigations.Last updated -1PythonApache 2.0
- -security-license-qualityA Model Context Protocol server that performs third-party threat intelligence enrichment for various observables (IP addresses, domains, URLs, emails) using services like VirusTotal, Shodan, and AbuseIPDB.Last updated -