Securityinfrastructure
What is Securityinfrastructure
The Security Infrastructure MCP Servers project is a collection of server implementations designed for integrating various security platforms using the Model Context Protocol (MCP). It facilitates communication and data exchange between systems like Splunk SIEM, CrowdStrike EDR, and Microsoft MISP, providing a unified interface for querying security events and threat intelligence.
Use cases
This project can be utilized for multi-platform security monitoring, incident response, and threat intelligence gathering. Security analysts can execute customized search queries, retrieve real-time threat data, and manage detections across integrated platforms, enhancing visibility and response capabilities in security operations.
How to use
To use the MCP servers, clone the repository, install the required Python dependencies, and configure the necessary API credentials in the YAML configuration files. Start the individual server implementations or use Docker for easy deployment. Users can then perform various queries and analyses on the connected security platforms through the provided tools and APIs.
Key features
Key features include asynchronous operations for improved performance, support for flexible query languages across different platforms, structured JSON output, and comprehensive security with multiple authentication methods. The project also provides error recovery mechanisms, real-time search capabilities, and extensive logging and monitoring functions.
Where to use
This MCP server framework is ideal for use in security operations centers (SOCs), threat intelligence teams, and any organization looking to integrate multiple security tools for a cohesive defense strategy. The project is suitable for environments using Splunk, CrowdStrike, and MISP, allowing for enhanced security posture and efficient data handling.
Overview
What is Securityinfrastructure
The Security Infrastructure MCP Servers project is a collection of server implementations designed for integrating various security platforms using the Model Context Protocol (MCP). It facilitates communication and data exchange between systems like Splunk SIEM, CrowdStrike EDR, and Microsoft MISP, providing a unified interface for querying security events and threat intelligence.
Use cases
This project can be utilized for multi-platform security monitoring, incident response, and threat intelligence gathering. Security analysts can execute customized search queries, retrieve real-time threat data, and manage detections across integrated platforms, enhancing visibility and response capabilities in security operations.
How to use
To use the MCP servers, clone the repository, install the required Python dependencies, and configure the necessary API credentials in the YAML configuration files. Start the individual server implementations or use Docker for easy deployment. Users can then perform various queries and analyses on the connected security platforms through the provided tools and APIs.
Key features
Key features include asynchronous operations for improved performance, support for flexible query languages across different platforms, structured JSON output, and comprehensive security with multiple authentication methods. The project also provides error recovery mechanisms, real-time search capabilities, and extensive logging and monitoring functions.
Where to use
This MCP server framework is ideal for use in security operations centers (SOCs), threat intelligence teams, and any organization looking to integrate multiple security tools for a cohesive defense strategy. The project is suitable for environments using Splunk, CrowdStrike, and MISP, allowing for enhanced security posture and efficient data handling.
Content
Security Infrastructure MCP Servers
A comprehensive collection of MCP (Model Context Protocol) server implementations for security platform integrations.
š Supported Platforms
Splunk SIEM
- SPL Query Execution: Execute Search Processing Language queries with custom time ranges
- Event Search: Search security events across all indexes with flexible filtering
- Time-based Analysis: Support for relative time ranges (-24h, -1d) and custom time windows
- Asynchronous Job Management: Create and monitor search jobs with automatic result retrieval
- JSON Result Format: Structured output for seamless integration with other tools
CrowdStrike EDR
- Detection Search: Query detections using FQL (Falcon Query Language) with advanced filtering
- Detection Details: Retrieve comprehensive detection summaries and metadata
- OAuth 2.0 Authentication: Secure API access using client credentials flow
- Sorting and Pagination: Flexible result ordering and limit controls
- Real-time Threat Data: Access to latest endpoint detection and response information
Microsoft MISP
- Event Search: Query MISP events with customizable filters and event type targeting
- IOC Attribute Search: Search indicators of compromise by value, type, or category
- Multi-format Support: Handle various IOC types (IP addresses, domains, hashes, URLs)
- Published Status Filtering: Filter events by publication status
- RESTful API Integration: Native MISP REST API support with JSON responses
š Live Documentation
Complete documentation and code examples: https://jmstar85.github.io/SecurityInfrastructure
Features available in the live documentation:
- š Complete server implementation code
- š Real-time search and filtering
- š± Responsive mobile support
- š One-click code copying
- šļø Organized by categories
š Quick Start
For MCP Client Integration (Claude Desktop)
# 1. Clone the repository
git clone https://github.com/jmstar85/SecurityInfrastructure.git
cd SecurityInfrastructure
# 2. Install dependencies
pip install -r project-requirements.txt
# 3. Configure credentials
cp .env.example .env
# Edit .env with your platform credentials
# 4. Add to Claude Desktop configuration
# Copy config/mcp-settings.json content to your Claude Desktop config
# Location: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS)
# Update the "cwd" paths and environment variables with your values
For Standalone Server Usage
# Start individual MCP servers
python src/splunk_server.py # Runs on localhost:8080
python src/crowdstrike_server.py # Runs on localhost:8081
python src/misp_server.py # Runs on localhost:8082
# Or use Docker for all services
docker-compose up -d
# Run tests to verify connectivity
pytest tests/test_mcp_servers.py -v
š§ MCP Server Tools
Splunk SIEM Tools
search-events: Execute SPL queries with time range filtering# Example: Search for failed login attempts in last 24 hours query = "index=security sourcetype=auth action=failure" earliest_time = "-24h"
CrowdStrike EDR Tools
search-detections: Query detections using FQL filtering# Example: Search for high severity detections filter_query = "max_severity:'high'" sort = "created_timestamp.desc"
MISP Tools
search-events: Query threat intelligence eventssearch-attributes: Search IOCs by type, value, or category# Example: Search for IP-based IOCs type = "ip-dst" category = "Network activity"
š Project Structure
SecurityInfrastructure/ āāā docs/ # GitHub Pages documentation ā āāā index.html # Main documentation page ā āāā assets/ # CSS, JS resources āāā src/ # MCP server source code ā āāā splunk_server.py # Splunk SIEM integration ā āāā crowdstrike_server.py # CrowdStrike EDR integration ā āāā misp_server.py # Microsoft MISP integration āāā config/ # Configuration files ā āāā mcp-settings.json # MCP client configuration template āāā tests/ # Unit tests āāā mcp-config.json # Basic MCP configuration āāā .env.example # Environment variables template āāā INSTALLATION.md # Detailed setup guide āāā docker-compose.yml # Container configuration āāā project-requirements.txt # Python dependencies
š§ MCP Client Configuration
Claude Desktop Setup
Configuration File Location:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
Basic Configuration:
{
"mcpServers": {
"security-infrastructure-splunk": {
"command": "python",
"args": [
"/path/to/SecurityInfrastructure/src/splunk_server.py"
],
"env": {
"SPLUNK_HOST": "your-splunk-host.com",
"SPLUNK_TOKEN": "your-api-token"
}
}
}
}Complete setup instructions: See INSTALLATION.md for detailed configuration guide.
Quick setup: See setup-guide.md for copy-paste configuration templates.
š» Usage Examples
Once configured with Claude Desktop, you can use natural language to interact with your security platforms:
Splunk SIEM Queries
"Search for failed SSH login attempts in the last 6 hours" "Find all authentication events from IP 192.168.1.100" "Show me high priority security alerts from yesterday" "Search for events in the security index containing 'malware'"
CrowdStrike EDR Queries
"Show me all high severity detections from today" "Find endpoint detections with 'ransomware' behavior" "List recent detections sorted by creation time" "Search for detections on hostname 'web-server-01'"
MISP Threat Intelligence
"Search for events related to APT29" "Find all IP address indicators of compromise" "Look up domain indicators from the last week" "Search for published threat intelligence events about phishing"
Cross-Platform Analysis
"Search Splunk for events related to this CrowdStrike detection ID" "Check MISP for threat intelligence on this suspicious IP from Splunk" "Correlate this endpoint detection with known threat indicators"
š§ Configuration Examples
Splunk Connection
splunk:
host: "your-splunk-server.com"
port: 8089
username: "admin"
token: "your-api-token"
verify_ssl: true
CrowdStrike Authentication
crowdstrike:
client_id: "your-client-id"
client_secret: "your-client-secret"
base_url: "https://api.crowdstrike.com"
MISP Setup
misp:
url: "https://your-misp-instance.com"
key: "your-api-key"
verifycert: true
š ļø Key Features
Core Functionality
- MCP Protocol Integration: Native Model Context Protocol server implementation
- Asynchronous Operations: Non-blocking API calls for optimal performance
- Multi-platform Support: Unified interface for Splunk, CrowdStrike, and MISP
- Flexible Query Language: Support for SPL, FQL, and MISP REST queries
Security & Authentication
- Multiple Auth Methods: Session-based, token-based, and OAuth 2.0 authentication
- SSL/TLS Support: Configurable certificate verification for secure connections
- API Key Management: Secure credential handling and rotation support
- Error Recovery: Automatic token refresh and connection retry mechanisms
Data Processing
- Real-time Search: Live querying across security platforms
- Structured Output: Consistent JSON response format across all integrations
- Time Range Flexibility: Custom time windows and relative time specifications
- Result Pagination: Configurable limits and sorting for large datasets
Development & Testing
- Comprehensive Testing: Unit tests with pytest framework
- Docker Support: Containerized deployment with docker-compose
- Configuration Management: YAML-based configuration with environment variable support
- Logging & Monitoring: Structured logging with configurable levels
š Requirements
- Python 3.11+
- Access credentials for security platforms (API keys, tokens)
- MCP-compatible client (Claude Desktop, or other MCP clients)
- Docker & Docker Compose (optional, for containerized deployment)
š Required Credentials
Splunk SIEM
- API Token (recommended) or Username/Password
- Host/Port information for your Splunk instance
- Search permissions on target indexes
CrowdStrike EDR
- Client ID and Client Secret from Falcon Console
- API permissions: Detections (READ), Hosts (READ), Incidents (READ)
- Appropriate Base URL for your region
Microsoft MISP
- API Key generated from MISP user profile
- MISP instance URL
- Read access to events and attributes
š¤ Contributing
- Fork the repository
- Create a feature branch (
git checkout -b feature/new-feature) - Commit your changes (
git commit -am 'Add new feature') - Push to the branch (
git push origin feature/new-feature) - Create a Pull Request
š License
This project is provided for security research and educational purposes.
š Related Links
- MCP Protocol Documentation
- Splunk API Documentation
- CrowdStrike API Documentation
- MISP API Documentation
ā If you find this useful, please give it a star!