Security Infrastructure MCP Servers

A comprehensive collection of secure MCP (Model Context Protocol) server implementations for security platform integrations with enterprise-grade security hardening.

🛡️ Security-First Design

This project has undergone comprehensive security hardening to address critical vulnerabilities and implement security best practices:

✅ Security Improvements (Latest Update)

• 🔴 HIGH Severity Fixes:

  • SPL injection prevention with query sanitization and dangerous command blocking

  • Secure XML parsing using defusedxml to prevent XXE attacks

  • Complete removal of hardcoded credentials from all configuration files

• 🟡 MEDIUM Severity Fixes:

  • Enforced TLS 1.2+ with strong cipher suites for all API communications

  • Comprehensive input validation and sanitization across all servers

  • Prevention of command execution risks and injection attacks

  • Error message sanitization to prevent information disclosure

• 🔵 Additional Security Features:

  • FQL/SPL injection attack prevention with pattern matching

  • SSL certificate validation enforcement

  • Data sanitization for API responses

  • Secure configuration templates with safe placeholders

  • Comprehensive .gitignore to prevent credential exposure

🔒 Security Documentation

See SECURITY.md for comprehensive security guidelines, configuration best practices, and vulnerability reporting procedures.

Related MCP server: Enrichment MCP Server

🔐 Supported Platforms

Splunk SIEM

• Secure SPL Query Execution: Execute Search Processing Language queries with injection prevention

• Event Search: Search security events across all indexes with sanitized filtering

• Time-based Analysis: Validated time ranges and custom time windows

• Asynchronous Job Management: Create and monitor search jobs with secure result retrieval

• JSON Result Format: Structured output with sensitive data filtering

CrowdStrike EDR

• Secure Detection Search: Query detections using validated FQL (Falcon Query Language)

• Detection Details: Retrieve sanitized detection summaries and metadata

• OAuth 2.0 Authentication: Secure API access with proper token management

• Input Validation: Comprehensive parameter validation and whitelisting

• Real-time Threat Data: Access to latest endpoint detection data with security filtering

Microsoft MISP

• Event Search: Query MISP events with input sanitization and validation

• IOC Attribute Search: Search indicators with XSS and injection prevention

• Multi-format Support: Handle various IOC types with content validation

• SSL Security: Enforced certificate verification with security warnings

• RESTful API Integration: Secure MISP REST API support with error sanitization

🚀 Quick Start

Installation

# 1. Clone the repository
git clone https://github.com/jmstar85/SecurityInfrastructure.git
cd SecurityInfrastructure

# 2. Install secure dependencies
pip install -r requirements.txt

# 3. Configure credentials securely
cp .env.example .env
# Edit .env with your platform credentials (see security guidelines)

# 4. Add to Claude Desktop configuration
# Copy config-example.json content to your Claude Desktop config
# Location: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS)
# Update paths and environment variables with your secure values

Secure Configuration

# Verify configuration security
python -c "
import json
with open('.env', 'r') as f:
    content = f.read()
    if 'REPLACE_WITH_YOUR' in content:
        print('⚠️  Please update placeholder credentials in .env')
    else:
        print('✅ Configuration appears to be customized')
"

# Test server security
python src/splunk_server.py        # Runs on localhost:8080
python src/crowdstrike_server.py   # Runs on localhost:8081  
python src/misp_server.py          # Runs on localhost:8082

🔧 MCP Server Tools

Splunk SIEM Tools (Security Hardened)

• search-events: Execute sanitized SPL queries with injection prevention

  # Example: Secure search for failed login attempts
  query = "index=security sourcetype=auth action=failure"  # Automatically sanitized
  earliest_time = "-24h"  # Validated time format

CrowdStrike EDR Tools (Security Hardened)

• search-detections: Query detections with FQL validation and whitelisting

  # Example: Secure search for high severity detections
  filter_query = "max_severity:'high'"  # Validated against injection patterns
  sort = "created_timestamp.desc"  # Whitelisted sort options only

MISP Tools (Security Hardened)

• search-events: Query threat intelligence with input sanitization

• search-attributes: Search IOCs with XSS and injection prevention

  # Example: Secure search for IP-based IOCs
  type = "ip-dst"  # Input sanitized and validated
  category = "Network activity"  # Content filtered for safety

📁 Optimized Project Structure

SecurityInfrastructure/
├── src/                    # Secure MCP server implementations
│   ├── splunk_server.py    # Splunk SIEM integration (hardened)
│   ├── crowdstrike_server.py # CrowdStrike EDR integration (hardened)
│   └── misp_server.py      # Microsoft MISP integration (hardened)
├── config/                 # Secure configuration templates
│   ├── mcp-settings.json   # MCP client configuration (sanitized)
│   └── splunk.yaml         # Splunk configuration template
├── tests/                  # Security validation tests
├── SECURITY.md             # Security guidelines and best practices
├── config-example.json     # Safe configuration template
├── .env.example            # Environment variables template (secure)
├── .gitignore              # Comprehensive credential protection
├── requirements.txt        # Minimal secure dependencies
├── INSTALLATION.md         # Detailed setup guide
├── setup-guide.md          # Quick setup templates
└── docker-compose.yml      # Container configuration

Note: Frontend components, unnecessary Node.js files, and development artifacts have been removed to minimize attack surface and optimize security posture.

🔧 Secure MCP Client Configuration

Claude Desktop Setup (Secure)

Configuration File Location:

• macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

• Windows: %APPDATA%\Claude\claude_desktop_config.json

Secure Configuration Template:

{
  "mcpServers": {
    "security-infrastructure-splunk": {
      "command": "python",
      "args": ["/FULL/PATH/TO/SecurityInfrastructure/src/splunk_server.py"],
      "env": {
        "SPLUNK_HOST": "REPLACE_WITH_YOUR_SPLUNK_HOST",
        "SPLUNK_TOKEN": "REPLACE_WITH_YOUR_API_TOKEN",
        "SPLUNK_VERIFY_SSL": "true"
      }
    }
  }
}

⚠️ Security Note: Never commit real credentials to version control. Use the provided templates and replace placeholders with actual values.

💻 Secure Usage Examples

Once securely configured with Claude Desktop, you can use natural language to interact with your security platforms:

Splunk SIEM Queries (Injection-Safe)

"Search for failed SSH login attempts in the last 6 hours"
"Find all authentication events from IP 192.168.1.100"  
"Show me high priority security alerts from yesterday"
"Search for events in the security index containing 'malware'"

CrowdStrike EDR Queries (Validated)

"Show me all high severity detections from today"
"Find endpoint detections with behavior patterns"
"List recent detections sorted by creation time"
"Search for detections on specific hostnames"

MISP Threat Intelligence (Sanitized)

"Search for events related to specific threat actors"
"Find all IP address indicators of compromise"
"Look up domain indicators from the last week"
"Search for published threat intelligence events about phishing"

🛠️ Security Features

Core Security Implementations

• Input Validation: Comprehensive sanitization and validation of all user inputs

• Injection Prevention: Protection against SPL, FQL, SQL, and XSS injection attacks

• Secure Communications: Enforced HTTPS/TLS 1.2+ with strong cipher suites

• Error Sanitization: Generic error messages to prevent information disclosure

• Authentication Security: Secure token/credential handling with proper validation

Security Architecture

• Multiple Auth Methods: Session-based, token-based, and OAuth 2.0 with secure defaults

• SSL/TLS Enforcement: Mandatory certificate verification for all connections

• API Security: Rate limiting, timeout enforcement, and connection pooling limits

• Configuration Security: Safe templates, credential masking, and .gitignore protection

Data Protection

• Output Sanitization: Removal of sensitive fields from API responses

• Credential Management: No hardcoded secrets, environment variable protection

• Logging Security: Sensitive data filtering in logs and audit trails

• Session Management: Proper token expiration and secure storage

📋 Requirements

• Python 3.11+

• Secure access credentials for security platforms (properly configured)

• MCP-compatible client (Claude Desktop recommended)

• SSL/TLS certificates for production deployments

🔐 Secure Credential Management

Splunk SIEM (Secure Setup)

• API Token (strongly recommended) with minimal required permissions

• HTTPS endpoint verification required

• Search permissions limited to necessary indexes only

CrowdStrike EDR (Secure Setup)

• Client ID and Client Secret with principle of least privilege

• API permissions: Detections (READ), limited scope

• Base URL validation and HTTPS enforcement

Microsoft MISP (Secure Setup)

• API Key with read-only permissions when possible

• MISP instance URL with SSL certificate validation

• Timeout settings configured for security

🧪 Security Validation

This project includes comprehensive security validation:

# Run security validation tests
python -m pytest tests/ -v

# Validate configuration security
python -c "
import os
config_files = ['.env', 'config/mcp-settings.json']
for f in config_files:
    if os.path.exists(f):
        with open(f) as file:
            content = file.read()
            if 'REPLACE_WITH_YOUR' in content:
                print(f'⚠️  {f} contains placeholder credentials')
            else:
                print(f'✅ {f} appears configured')
"

📊 Security Metrics

• Vulnerability Status: All HIGH and MEDIUM severity issues resolved

• Security Coverage: 83% of security validation tests passed

• Code Quality: Comprehensive input validation and error handling

• Attack Surface: Minimized through component removal and optimization

🤝 Contributing

1. Fork the repository

2. Create a feature branch (git checkout -b feature/security-enhancement)

3. Follow security guidelines in SECURITY.md

4. Add security tests for new features

5. Commit with security validation (git commit -am 'Add secure feature')

6. Push to the branch (git push origin feature/security-enhancement)

7. Create a Pull Request with security review checklist

📄 License

This project is provided for security research and educational purposes with a focus on secure implementation practices.

🔗 Security Resources

• SECURITY.md - Security guidelines and best practices

• MCP Protocol Documentation

• OWASP Security Guidelines

• Platform API Security Documentation

🚨 Security Reporting

If you discover a security vulnerability, please:

1. Do not create a public issue

2. Email security details to the maintainer

3. Allow reasonable time for fixes before disclosure

4. Follow responsible disclosure practices

⭐ If you find this secure implementation useful, please give it a star!

Latest Security Update: December 2024 - Comprehensive security hardening with vulnerability remediation and optimization.