CrowdSentinel MCP Server
Enables natural language threat hunting and incident response by querying Elasticsearch clusters (7.x, 8.x, 9.x) with AI-guided workflows, bundled detection rules, and cross-tool IoC correlation.
Provides similar capabilities for OpenSearch 1.x/2.x/3.x environments, including multi-source analysis and persistent investigation state.
Integrates with tshark for PCAP network traffic analysis, supporting cross-tool IoC correlation and forensic timeline reconstruction.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@CrowdSentinel MCP Serverinvestigate recent failed logins from IP 10.0.0.45"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
CrowdSentinel MCP Server
AI-Powered Threat Hunting & Incident Response Framework
MCP Official Registry · PyPI Package
Open-source threat hunting orchestrator connecting LLMs to enterprise security data via Model Context Protocol (MCP)
Quick Start · Installation · CLI Usage · Features · Architecture · Documentation · Examples
Warning This project is in active development and intended for security testing, research, and educational purposes only. It is not production-ready. Do not deploy in production environments. APIs, tool interfaces, and data formats may change without notice. Use at your own risk.
Demo
https://github.com/user-attachments/assets/0d0381f0-5b68-43b2-8630-19ec130885b2
Related MCP server: bhe_mcp
What is CrowdSentinel?
CrowdSentinel transforms traditional SIEM querying into intelligent, framework-driven investigations using natural language. It serves as a unified security intelligence layer that connects large language models to enterprise security data sources, enabling:
Natural Language Threat Hunting — Query Elasticsearch using plain English
AI-Guided Investigation Workflows — Built-in prompts guide agents through proper IR methodology
Persistent Investigation State — Memory-managed IoC tracking, forensic timelines, and cross-query correlation that survives across sessions (8GB FIFO storage)
Cross-Tool IoC Correlation — IoCs discovered in one tool are automatically available to all others
Multi-Source Analysis — Elasticsearch, EVTX logs (Chainsaw), PCAP files (Wireshark), live endpoint forensics (Velociraptor)
Velociraptor Endpoint Forensics — 20 MCP tools for live artefact collection (processes, network, persistence, execution evidence, NTFS MFT) with automatic IoC extraction
DFIR Knowledge Resources — 9 MCP resources exposing investigation playbooks, Pyramid of Pain reference, and cross-correlation guidance directly to connected AI agents
Standalone CLI — Full threat hunting from the terminal without an MCP client
Installation
Install from PyPI (recommended)
# Install with pip
pip install crowdsentinel-mcp-server
# Or install with uv
uv pip install crowdsentinel-mcp-server
# Download detection rules, Chainsaw, and Sigma rules (one-time)
crowdsentinel setupDetection rules (6,060 Lucene + EQL + ES|QL) are bundled with the package — no download needed. The setup command downloads additional tools:
Chainsaw binary for EVTX analysis
3,000+ Sigma rules for Chainsaw
Downloaded tools are stored in ~/.crowdsentinel/ and persist across package upgrades.
System dependency for PCAP analysis:
# Required for network traffic analysis and cross-tool IoC correlation
sudo apt install tshark # Debian/Ubuntu/Kali
sudo dnf install wireshark-cli # Fedora/RHEL
brew install wireshark # macOSRun directly with uvx (no install needed)
# Elasticsearch 8.x (default)
uvx crowdsentinel-mcp-server
# Other backends
uvx crowdsentinel-mcp-server-es7 # Elasticsearch 7.x
uvx crowdsentinel-mcp-server-es9 # Elasticsearch 9.x
uvx opensearch-mcp-server # OpenSearch 1.x/2.x/3.xInstall from source
git clone https://github.com/thomasxm/CrowdSentinels-AI-MCP.git
cd CrowdSentinels-AI-MCP
chmod +x setup.sh && ./setup.shThe setup script will:
Install dependencies (pipx, uv, Claude Code CLI if needed)
Bundle 6,060 detection rules and download Chainsaw binary
Prompt for Elasticsearch credentials (never hardcoded)
Configure the MCP server with Claude Code
Validate your connection
Installed Size
CrowdSentinel bundles 6,060 detection rules and integrates with external analysis tools. Below is the full disk space breakdown so you can plan accordingly.
Core package (via pip or uvx):
Component | Size | Notes |
CrowdSentinel package | 49 MB | The server itself |
— Bundled Sigma rules ( | 30 MB | 6,060 pre-converted detection rules |
— Elastic TOML rules ( | 17 MB | Original TOML format rules + hunting queries |
— Python code (clients, tools, etc.) | 2 MB | Actual application code |
Dependencies | 64 MB | All transitive deps |
— | 14 MB | Largest dependency (TLS) |
— | 8.3 MB | ES Python client |
— | 5.2 MB | Syntax highlighting |
— | 5 MB | Validation engine |
— | 3.6 MB | OpenSearch client |
— Others (27 packages) | ~28 MB | mcp, fastmcp, httpx, anthropic, etc. |
Core total | 113 MB |
|
Additional tools (via crowdsentinel setup):
Component | Download | Installed | Notes |
Chainsaw binary (v2.13.1) | ~3 MB | ~15 MB | EVTX log analysis engine |
Sigma rules (SigmaHQ) | ~3 MB | ~30 MB | 3,000+ Sigma rules for Chainsaw |
Chainsaw mappings | — | <1 MB | Event log source mappings |
Setup total | ~6 MB | ~46 MB | Stored in |
System dependency (via package manager):
Component | Installed | Install Command | Notes |
tshark + Wireshark libs | ~132 MB |
| PCAP network analysis — required for cross-tool IoC correlation |
Full installation summary:
Scenario | Total Disk Space |
Core only ( | ~113 MB |
Core + setup ( | ~159 MB |
Full platform (+ tshark) | ~291 MB |
Note: PyPI download size is only 8.9 MB (wheel) thanks to compression of the bundled detection rules.
Quick Start
1. Set environment variables
export ELASTICSEARCH_HOSTS="https://localhost:9200"
export ELASTICSEARCH_API_KEY="your_api_key"
# Or use username/password:
# export ELASTICSEARCH_USERNAME="elastic"
# export ELASTICSEARCH_PASSWORD="your_password"
export VERIFY_CERTS="false"2. Connect to an MCP Client
CrowdSentinel works with any MCP-compatible AI agent. Choose your client below:
claude mcp add crowdsentinel \
-e ELASTICSEARCH_HOSTS="https://localhost:9200" \
-e ELASTICSEARCH_API_KEY="your_api_key" \
-e VERIFY_CERTS="false" \
-- uvx crowdsentinel-mcp-serverEdit ~/.config/Claude/claude_desktop_config.json (Linux) or ~/Library/Application Support/Claude/claude_desktop_config.json (macOS):
{
"mcpServers": {
"crowdsentinel": {
"command": "uvx",
"args": ["crowdsentinel-mcp-server"],
"env": {
"ELASTICSEARCH_HOSTS": "https://localhost:9200",
"ELASTICSEARCH_API_KEY": "your_api_key",
"VERIFY_CERTS": "false"
}
}
}
}Create .vscode/mcp.json in your workspace:
{
"servers": {
"crowdsentinel": {
"command": "uvx",
"args": ["crowdsentinel-mcp-server"],
"env": {
"ELASTICSEARCH_HOSTS": "https://localhost:9200",
"ELASTICSEARCH_API_KEY": "your_api_key",
"VERIFY_CERTS": "false"
}
}
}
}Then enable MCP in VS Code settings: "chat.mcp.enabled": true
Create or edit ~/.cursor/mcp.json:
{
"mcpServers": {
"crowdsentinel": {
"command": "uvx",
"args": ["crowdsentinel-mcp-server"],
"env": {
"ELASTICSEARCH_HOSTS": "https://localhost:9200",
"ELASTICSEARCH_API_KEY": "your_api_key",
"VERIFY_CERTS": "false"
}
}
}
}Create .roo/mcp.json in your workspace:
{
"mcpServers": {
"crowdsentinel": {
"command": "uvx",
"args": ["crowdsentinel-mcp-server"],
"env": {
"ELASTICSEARCH_HOSTS": "https://localhost:9200",
"ELASTICSEARCH_API_KEY": "your_api_key",
"VERIFY_CERTS": "false"
}
}
}
}Or configure via Roo Code settings panel: Settings > MCP Servers > Add Server.
In 5ire settings (v0.15.0+), add an MCP server with:
Command:
uvxArguments:
crowdsentinel-mcp-serverEnvironment Variables:
ELASTICSEARCH_HOSTS=https://localhost:9200ELASTICSEARCH_API_KEY=your_api_keyVERIFY_CERTS=false
Note: 5ire v0.14.0 has known MCP compatibility issues. Use v0.15.0+ for reliable operation.
stdio transport (default — works with most clients):
{
"mcpServers": {
"crowdsentinel": {
"command": "uvx",
"args": ["crowdsentinel-mcp-server"],
"env": {
"ELASTICSEARCH_HOSTS": "https://localhost:9200",
"ELASTICSEARCH_API_KEY": "your_api_key",
"VERIFY_CERTS": "false"
}
}
}
}SSE transport (for web-based clients):
crowdsentinel-mcp-server --transport sse --port 8001
# Connect to: http://localhost:8001/sse/HTTP transport (for REST API clients):
crowdsentinel-mcp-server --transport streamable-http --port 8001
# Connect to: http://localhost:8001/mcp/3. Or use the CLI directly
# Download rules and tools (one-time)
crowdsentinel setup
# Check cluster health
crowdsentinel health
# Hunt for threats
crowdsentinel hunt "powershell encoded" -i winlogbeat-*
# Run detection rules
crowdsentinel rules -p windows --tactic credential_access
crowdsentinel detect windows_builtin_win_alert_mimikatz_keywords_lucene -i winlogbeat-*
# Analyse PCAP files
crowdsentinel pcap overview capture.pcap
crowdsentinel pcap beaconing capture.pcap
# Hunt EVTX logs with Chainsaw
crowdsentinel chainsaw hunt /path/to/evtx/ --sigma-rules /path/to/sigma/CLI Usage
CrowdSentinel provides a full CLI for threat hunting from the terminal:
pip install crowdsentinel-mcp-server
crowdsentinel setup # Download rules, Chainsaw, Sigma (one-time)
crowdsentinel --helpAvailable Commands
Command | Description | Example |
| Download detection rules, Chainsaw, and Sigma rules |
|
| Show cluster health |
|
| List all indices |
|
| IR-focused threat hunt with IoC extraction |
|
| Execute an EQL query |
|
| Execute an ES|QL query |
|
| Execute a detection rule by ID |
|
| List available detection rules |
|
| Detect schema for an index pattern |
|
| Hunt for a specific Indicator of Compromise |
|
| Analyse search results from stdin (JSON) |
|
| AI agent analysis using all 97 MCP tools |
|
| Manage LLM authentication for agent mode |
|
| Analyse PCAP files (overview, beaconing, lateral movement) |
|
| Hunt EVTX logs with Chainsaw and Sigma rules |
|
Output Formats
All commands support --output/-o with three formats:
crowdsentinel hunt "failed login" -i winlogbeat-* -o json # Structured JSON (default)
crowdsentinel hunt "failed login" -i winlogbeat-* -o table # Human-readable table
crowdsentinel hunt "failed login" -i winlogbeat-* -o summary # Condensed summaryAgent Mode (--mcp)
The analyse --mcp flag replaces deterministic analysis with an AI agent that autonomously uses all 97 MCP tools to investigate. The agent follows the 4-phase IR methodology: hunt, analyse, correlate, report.
Authentication:
# Option 1: Browser sign-in (ChatGPT subscription — no API billing)
crowdsentinel auth login
# Option 2: Anthropic (setup-token or API key)
crowdsentinel auth login --provider anthropic
# Option 3: Environment variable
export ANTHROPIC_API_KEY="sk-ant-..." # or OPENAI_API_KEY
# Option 4: Local models (Ollama, vLLM — free)
crowdsentinel analyse --mcp --model-url http://localhost:11434/v1 --model llama3.1
# Check auth status
crowdsentinel auth statusAgent flags:
Flag | Default | Description |
| off | Enable AI agent with MCP tools |
| none | Add external MCP server (e.g., VirusTotal) |
| auto-detect | LLM model to use |
| none | OpenAI-compatible API endpoint |
| 30 | Maximum tool calls |
| 300 | Maximum seconds |
Pipeline Examples
Deterministic analysis (no API key needed):
# Hunt then analyse
crowdsentinel hunt "powershell encoded" -i winlogbeat-* -o json | \
crowdsentinel analyse -c "Encoded PowerShell commands" -o summary
# Investigate failed authentication attempts
crowdsentinel hunt "event.code:4625" -i winlogbeat-* -o json | \
crowdsentinel analyse -c "Failed login brute force investigation" -o summary
# Triage process execution and privilege escalation
crowdsentinel hunt "event.code:4688 OR event.code:4672 OR event.code:1" -i winlogbeat-* -o json | \
crowdsentinel analyse -c "Process execution and privilege escalation" -o summaryAI agent investigation (requires auth):
# Credential dumping investigation — agent hunts, analyses kill chain, checks adjacent stages
crowdsentinel hunt "mimikatz OR lsass OR procdump" -i winlogbeat-* -o json | \
crowdsentinel analyse --mcp -c "Credential dumping tools investigation" --max-steps 15 -o summary
# Encoded PowerShell — full IR workflow with kill chain and adjacent stage hunting
crowdsentinel hunt "powershell -enc OR FromBase64String" -i winlogbeat-* -o json | \
crowdsentinel analyse --mcp -c "Full IR workflow: encoded PowerShell" --max-steps 30 -o table
# Process execution with detection rules
crowdsentinel hunt "event.code:4688" -i winlogbeat-* -o json | \
crowdsentinel analyse --mcp -c "Execute detection rules against process creation" --max-steps 20 -o summary
# PCAP beaconing — agent generates IoCs and maps to kill chain
crowdsentinel pcap beaconing capture.pcap -o json | \
crowdsentinel analyse --mcp -c "Investigate beaconing for C2 infrastructure" --max-steps 10 -o summary
# Anti-forensics investigation
crowdsentinel hunt "event.code:1102" -i winlogbeat-* -o json | \
crowdsentinel analyse --mcp -c "Security log cleared - anti-forensics" --max-steps 10 -o summary
# With external MCP server (e.g., VirusTotal)
crowdsentinel hunt "powershell" -i winlogbeat-* -o json | \
crowdsentinel analyse --mcp --mcp-server "vt:uvx virustotal-mcp-server" \
-c "Check IoCs against VirusTotal" -o summaryKey Features
125+ MCP Tools
Threat hunting, detection rules, forensics, endpoint collection, network analysis, cross-correlation, and IoC enrichment — all accessible via natural language
6,060 Detection Rules
Pre-built Lucene, EQL & ES|QL rules with automatic MITRE ATT&CK mapping
Investigation State
Persistent IoC tracking across tools and sessions with cross-source correlation and FIFO storage
4 Security Frameworks
Cyber Kill Chain (7 stages)
Pyramid of Pain (6 levels)
Diamond Model (4 vertices)
MITRE ATT&CK (automatic mapping)
4 Data Sources + Threat Intel
Elasticsearch / OpenSearch (SIEM)
Velociraptor (live endpoint forensics)
EVTX logs (Chainsaw + Sigma)
PCAP files (Wireshark/TShark)
IoC enrichment (Shodan, VirusTotal, AbuseIPDB, ThreatFox)
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ LLM Client / Claude Code CLI │
└─────────────────────────────┬───────────────────────────────────┘
│ MCP Protocol (stdio/SSE/HTTP)
▼
┌─────────────────────────────────────────────────────────────────┐
│ CrowdSentinel MCP Server │
│ ┌───────────────┐ ┌───────────────┐ ┌───────────────────────┐ │
│ │ 125+ Tools │ │ 6,060 Rules │ │ Security Frameworks │ │
│ │ - Hunting │ │ - Lucene │ │ - Cyber Kill Chain │ │
│ │ - Detection │ │ - EQL │ │ - Pyramid of Pain │ │
│ │ - Forensics │ │ - Sigma │ │ - Diamond Model │ │
│ │ - Endpoint │ │ │ │ - MITRE ATT&CK │ │
│ │ - Network │ │ │ │ │ │
│ │ - Enrichment │ │ │ │ 9 MCP Resources │ │
│ │ - Correlation │ │ │ │ (DFIR knowledge base) │ │
│ └───────────────┘ └───────────────┘ └───────────────────────┘ │
│ ┌─────────────────────────────────────────────────────────────┐│
│ │ Investigation State (Persistent) ││
│ │ Cross-source IoC sharing, auto-capture, STIX 2.1 export ││
│ └─────────────────────────────────────────────────────────────┘│
└──────────┬──────────────┬───────────────────┬───────────────────┘
│ │ │
┌────────┼──────────────┼───────────────┐ │
▼ ▼ ▼ ▼ ▼
┌──────────────┐ ┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│Elasticsearch │ │ Velociraptor │ │ Chainsaw │ │ Wireshark │
│ /OpenSearch │ │ (EDR/DFIR) │ │ (EVTX/Sigma) │ │ (PCAP) │
│ (SIEM) │ │ (Endpoint) │ │ (Offline) │ │ (Network) │
└──────────────┘ └───────────────┘ └───────────────┘ └───────────────┘
│
┌───────────────────────┼───────────────────────┐
▼ ▼ ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Shodan │ │ VirusTotal │ │ AbuseIPDB │
│ InternetDB │ │ (v3) │ │ + ThreatFox │
│ (free/no key)│ │ (free tier) │ │ (free tier) │
└───────────────┘ └───────────────┘ └───────────────┘
│
▼ (Roadmap)
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Splunk │ │ Carbon Black │ │ Zeek │
│ │ │ (EDR) │ │ (NSM/IDS) │
└───────────────┘ └───────────────┘ └───────────────┘What's Included
Tool Categories (84 Tools)
Category | Tools | Description |
Elasticsearch Core | 18 | Index, document, cluster, alias, data stream operations |
Threat Hunting | 12 | Attack pattern detection, IoC hunting, timeline analysis |
Detection Rules | 9 | 6,060 rule library — list, execute, validate, suggest |
Kill Chain Analysis | 5 | Stage hunting, progression tracking, adjacent stage prediction |
Investigation Prompts | 5 | Fast triage spine — 10 critical IR questions |
Chainsaw (EVTX) | 6 | Sigma rule hunting, iterative IoC discovery |
Wireshark (PCAP) | 11 | Network forensics, beaconing, lateral movement detection |
Threat Intelligence | 5 | IoC enrichment (Shodan, VirusTotal, AbuseIPDB, ThreatFox) + MISP export/search |
Investigation State | 13 | Persistent IoCs, cross-tool sharing, STIX 2.1 export, reporting |
Security Frameworks
Framework | Purpose |
Cyber Kill Chain | Hunt by attack stage (7 stages), predict adversary's next move |
Pyramid of Pain | Prioritise IoCs by difficulty for attackers to change (6 levels) |
Diamond Model | Map adversary, capability, infrastructure, victim relationships |
MITRE ATT&CK | Automatic technique mapping for all detections |
Detection Rules (6,060 Rules)
Type | Count | Source | Description |
Lucene | 1,966 | Sigma-converted | Fast pattern matching queries |
EQL | 3,963 | Sigma-converted + Elastic | Event sequences and correlations |
ES|QL | 131 | Elastic TOML rules | Pipe-based query language (ES 8.11+) |
Platforms: Windows, Linux, macOS, Cloud (AWS/Azure/GCP), Network, Identity
Log Sources: PowerShell, Sysmon, Security Events, Process Creation, Audit logs
Configuration
Environment Variables
# Connection (required — choose one)
ELASTICSEARCH_HOSTS="https://localhost:9200" # Self-hosted
# OR
ELASTICSEARCH_CLOUD_ID="deployment:base64..." # Elastic Cloud
# Authentication — choose one (in priority order):
ELASTICSEARCH_BEARER_TOKEN="service_token_here" # Service/bearer token
ELASTICSEARCH_API_KEY="your_api_key" # API key (recommended)
ELASTICSEARCH_USERNAME="elastic" # Basic auth
ELASTICSEARCH_PASSWORD="your_password"
# TLS / Certificate verification
VERIFY_CERTS="true" # Verify against system CA bundle
# VERIFY_CERTS="/path/to/ca.crt" # Verify against custom CA certificate
# ELASTICSEARCH_CA_CERT="/path/to/ca.crt" # Explicit CA certificate path
# ELASTICSEARCH_CLIENT_CERT="/path/to/client.crt" # Client certificate (mTLS)
# ELASTICSEARCH_CLIENT_KEY="/path/to/client.key" # Client private key (mTLS)
# Options
REQUEST_TIMEOUT="30" # Request timeout in seconds
DISABLE_HIGH_RISK_OPERATIONS="true" # Block all write operations
# Threat Intelligence (optional — Shodan InternetDB works without any key)
VIRUSTOTAL_API_KEY="your_vt_key" # Free: 500 lookups/day
ABUSEIPDB_API_KEY="your_abuse_key" # Free: 1,000 lookups/day
THREATFOX_API_KEY="your_tf_key" # Free: unlimited
# MISP Integration (optional — offline JSON export works without a server)
MISP_URL="https://misp.example.org" # MISP instance URL
MISP_API_KEY="your_misp_key" # MISP API key (40-char hex)
# MISP_SSL_VERIFY="true" # Set "false" for self-signed (dev only)Security Warning: Never use
VERIFY_CERTS="false"or plain-text passwords in production. Use API keys or service tokens with TLS certificate verification enabled. For self-signed certificates, setELASTICSEARCH_CA_CERTto your CA certificate path.
Production Configuration Examples
ELASTICSEARCH_CLOUD_ID="my-deployment:dXMtY2VudHJhbC0x..."
ELASTICSEARCH_API_KEY="your_cloud_api_key"
VERIFY_CERTS="true"ELASTICSEARCH_HOSTS="https://es-cluster.internal:9200"
ELASTICSEARCH_API_KEY="your_api_key"
ELASTICSEARCH_CA_CERT="/etc/elasticsearch/certs/ca.crt"
VERIFY_CERTS="true"ELASTICSEARCH_HOSTS="https://es-cluster.internal:9200"
ELASTICSEARCH_CA_CERT="/etc/elasticsearch/certs/ca.crt"
ELASTICSEARCH_CLIENT_CERT="/etc/elasticsearch/certs/client.crt"
ELASTICSEARCH_CLIENT_KEY="/etc/elasticsearch/certs/client.key"
VERIFY_CERTS="true"ELASTICSEARCH_HOSTS="http://localhost:9200"
ELASTICSEARCH_USERNAME="elastic"
ELASTICSEARCH_PASSWORD="test123"
VERIFY_CERTS="false"This configuration is not suitable for production. Use API keys with TLS in production environments.
Transport Modes
Mode | Use Case | Command |
stdio (default) | MCP clients (Claude Code, etc.) | Auto-configured by setup.sh |
SSE | Web/streaming clients |
|
HTTP | REST API access |
|
Disabling Write Operations
For read-only access (recommended for production):
DISABLE_HIGH_RISK_OPERATIONS="true"This hides destructive tools: create_index, delete_index, index_document, delete_document, delete_by_query, create_data_stream, delete_data_stream, put_alias, delete_alias, general_api_request
Usage Examples
Example 1: Hunt for Brute Force Attacks
You: Hunt for brute force attacks in the last hour
CrowdSentinel: Searching for failed authentication attempts...
[Calls hunt_by_timeframe with attack_types=["brute_force"]]
Found 47 failed login attempts from 3 source IPs targeting the "admin" account.
Top sources:
- 192.168.1.105: 28 attempts
- 10.0.0.42: 15 attempts
- 172.16.0.8: 4 attemptsExample 2: Investigate a Suspicious Host
You: Show me all activity on host DESKTOP-ABC123 in the last 24 hours
CrowdSentinel: Generating a forensic timeline for that host...
[Calls get_host_activity_timeline]
Timeline shows:
- 09:15: User "jsmith" logged in (Event 4624)
- 09:17: PowerShell executed encoded command
- 09:18: New scheduled task created "WindowsUpdate"
- 09:22: Outbound connection to 203.0.113.42:443
- 09:25: LSASS memory access detectedExample 3: Kill Chain Analysis
You: We found C2 beaconing. What should we hunt for next?
CrowdSentinel: Hunting adjacent kill chain stages...
[Calls hunt_adjacent_stages with current_stage="COMMAND_AND_CONTROL"]
Looking backwards (Installation stage):
- Found scheduled task persistence on 3 hosts
- Registry Run key modifications detected
Looking forwards (Actions on Objectives):
- Lateral movement to 2 additional hosts via SMB
- Credential dumping attempts detectedExample 4: Network Traffic Analysis
You: Analyse this PCAP for C2 beaconing
CrowdSentinel: Checking for regular connection intervals...
[Calls detect_beaconing on the PCAP file]
Detected beaconing pattern:
- Host: 192.168.1.50 → 203.0.113.100:443
- Interval: 60 seconds (±2s jitter)
- Duration: 4 hours
- Confidence: HIGH
Recommend blocking 203.0.113.100 and investigating 192.168.1.50.Example 5: CLI Threat Hunt
# Hunt for encoded PowerShell
crowdsentinel hunt "powershell -enc" -i winlogbeat-* --timeframe 1440 -o json
# Pipe results to analysis
crowdsentinel hunt "event.code:4625" -i winlogbeat-* -o json | \
crowdsentinel analyse -c "Failed authentication investigation"
# Search detection rules for lateral movement
crowdsentinel rules --tactic lateral_movement -p windowsCompatibility
Package | Backend | Install |
| Elasticsearch 8.x (default) |
|
| Elasticsearch 7.x |
|
| Elasticsearch 9.x |
|
| OpenSearch 1.x, 2.x, 3.x |
|
For Developers
crowdsentinel-mcp-server/
├── src/
│ ├── server.py # MCP server entry point
│ ├── version.py # Version constant
│ ├── risk_config.py # Write operation controls
│ │
│ ├── cli/ # Standalone CLI
│ │ └── main.py # CLI entry point (argparse)
│ │
│ ├── clients/ # Backend logic layer
│ │ ├── base.py # Base client, authentication
│ │ ├── exceptions.py # Exception handling decorators
│ │ └── common/
│ │ ├── client.py # Unified SearchClient (multiple inheritance)
│ │ ├── threat_hunting.py # Threat hunting queries
│ │ ├── ioc_analysis.py # IoC extraction & analysis
│ │ ├── cyber_kill_chain.py # Kill chain logic
│ │ ├── rule_loader.py # Detection rule loading
│ │ └── chainsaw_client.py # EVTX/Sigma integration
│ │
│ ├── tools/ # MCP tool interfaces (thin wrappers)
│ │ ├── register.py # Dynamic tool registration
│ │ ├── threat_hunting.py # Hunting tool definitions
│ │ ├── rule_management.py # Rule management tools
│ │ ├── chainsaw_hunting.py # Chainsaw tools
│ │ ├── wireshark_tools.py # Network analysis tools
│ │ └── investigation_state_tools.py # State management tools
│ │
│ ├── storage/ # Persistent investigation state
│ │ ├── investigation_state.py # Core state management
│ │ ├── storage_manager.py # File system storage (8GB FIFO)
│ │ └── models.py # Pydantic models (IoC, Investigation)
│ │
│ └── wireshark/ # Network traffic analysis
│ ├── core/ # TShark execution, PCAP parsing
│ ├── hunting/ # Beaconing, lateral movement, IoC hunting
│ ├── baseline/ # Traffic baseline creation
│ ├── extraction/ # File carving from traffic
│ └── reporting/ # NCSC-style reports, timelines
│
├── rules/ # 6,060 detection rules (EQL + Lucene)
├── chainsaw/ # Chainsaw binary + 3,000+ Sigma rules
├── skills/ # Claude Code agent skills
└── tests/ # Test suitesPattern | Usage |
Multiple Inheritance |
|
Decorator | Exception handling via |
Factory |
|
Plugin Architecture | Tools registered dynamically via |
Auto-Capture | Tool results automatically analysed for IoCs |
Create client method in
src/clients/common/your_module.py:
class YourClient(SearchClientBase):
def your_method(self, param: str) -> dict:
# Implementation
return resultsAdd to SearchClient in
src/clients/common/client.py:
class SearchClient(YourClient, OtherClients, ...):
passCreate tool wrapper in
src/tools/your_tools.py:
class YourTools:
def __init__(self, client, mcp):
self.client = client
self.mcp = mcp
def register_tools(self):
@self.mcp.tool()
def your_tool(param: str) -> str:
"""Tool description for LLM."""
result = self.client.your_method(param)
return json.dumps(result)Register in server in
src/server.py:
from src.tools.your_tools import YourTools
def _register_tools(self):
# ... existing tools ...
YourTools(self.client, self.mcp).register_tools()# All tests
uv run pytest
# Specific module
uv run pytest tests/test_investigation_state.py
# With coverage
uv run pytest --cov=src# Start Elasticsearch
docker-compose -f docker-compose-elasticsearch.yml up -d
# Start OpenSearch
docker-compose -f docker-compose-opensearch.yml up -dDefault credentials (testing only):
Elasticsearch:
elastic/test123OpenSearch:
admin/admin
Roadmap
Feature | Status | Description |
Velociraptor Integration | Planned | EDR/DFIR artifact collection and live response via Velociraptor API |
Zeek Integration | Planned | Network security monitoring — parse Zeek logs (conn, dns, http, ssl, x509) for threat hunting |
Splunk Integration | Planned | Add Splunk as a data source alongside Elasticsearch |
Sigma Rule Converter | Planned | Convert Sigma rules to native ES/Splunk queries |
Threat Intel Enrichment | Done | IoC enrichment via Shodan InternetDB, VirusTotal, AbuseIPDB, ThreatFox + STIX 2.1 export |
Case Management | Planned | Export investigations to TheHive, JIRA |
Custom Rule Builder | Planned | Create detection rules via natural language |
See CHANGELOG.md for detailed version history.
Velociraptor Integration (Live Endpoint Forensics)
CrowdSentinel integrates with Velociraptor for live endpoint forensic artefact collection. When configured, 20 additional MCP tools and 3 cross-correlation tools become available.
Setup
# Install optional dependencies
pip install crowdsentinel-mcp-server[velociraptor]
# Set the Velociraptor API config path
export VELOCIRAPTOR_API_CONFIG="/path/to/api_client.yaml"The API client config is generated from the Velociraptor server:
velociraptor config api_client --name crowdsentinel --role administrator,api \
--config server.config.yaml /path/to/api_client.yamlAvailable Tools
Category | Tools | Use Case |
Discovery |
| Resolve hostnames, discover available artefacts |
Live State |
| Running processes, active network connections, user accounts |
Execution Evidence |
| Forensic proof of programme execution |
Persistence |
| Service and scheduled task persistence mechanisms |
User Activity |
| User browsing, document access, file downloads |
Filesystem |
| MFT search for files by name, path, or timestamp |
Cross-Correlation |
| Validate SIEM findings on endpoints, pivot from endpoint IoCs to fleet-wide SIEM searches |
Cross-Source IoC Sharing
IoCs extracted from Velociraptor artefacts are automatically captured into the active investigation alongside SIEM, Chainsaw, and Wireshark findings. Use get_shared_iocs to retrieve the combined indicator set for cross-source correlation.
SIEM (Elasticsearch) Endpoint (Velociraptor)
│ │
hunt_by_timeframe() velociraptor_pslist()
│ │
auto_capture ──────► Investigation State ◄────── auto_capture
│
get_shared_iocs()DFIR Knowledge Resources
9 MCP resources provide structured investigation reference data directly to connected AI agents:
Resource | Content |
| Mandatory 4-phase IR workflow |
| IoC types ranked by Pyramid of Pain |
| 5 investigation playbooks (suspicious process, brute force, lateral movement, persistence, exfiltration) |
| Artefact reference tables and "found X in SIEM → check Y on endpoint" decision tree |
| All data source capabilities and investigation decision matrix |
Documentation
User Guides
Document | Description |
Detailed first-time setup instructions | |
Comprehensive usage guide | |
5-minute quick start | |
stdio, SSE, HTTP configuration |
Feature Guides
Document | Description |
Threat hunting workflows | |
Using 6,060 detection rules | |
Kill chain analysis | |
EVTX log analysis with Sigma | |
Fast triage spine | |
Workflow guidance for AI agents |
Developer Guides
Document | Description |
Detailed architecture documentation | |
Contribution guidelines |
Contributing
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
Licence
GNU General Public Licence v3.0 — See LICENSE for details.
Acknowledgements
MCP Framework: Model Context Protocol by Anthropic
Chainsaw: EVTX log analyser by WithSecure Labs
Detection Rules: Community-contributed Sigma and custom rules
Frameworks: Cyber Kill Chain (Lockheed Martin), Pyramid of Pain (David J. Bianco), Diamond Model, MITRE ATT&CK
Made for the security community by medjedtxm
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/thomasxm/CrowdSentinels-AI-MCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server