emeryray2002_mcp_secops_v3

by emeryray2002
An MCP server for interacting with Google's Chronicle Security Operations API, enabling search and analysis of security events.

Chronicle SecOps MCP Server

The Chronicle SecOps MCP Server is a specialized implementation of the Model Context Protocol (MCP) designed to interact with Google's Chronicle Security Operations suite. This server enables seamless integration with security tools and APIs, providing advanced capabilities for managing and querying security data.

Overview

The Chronicle SecOps MCP Server is a Python-based server that facilitates interaction with Chronicle Security Operations. It is designed to be integrated with Claude Desktop, offering a range of security-related functionalities such as searching for security events, retrieving alerts, and looking up entities.

Features

Security Tools

  • Search Security Events: Perform customizable queries to search for security events in Chronicle.
  • Get Security Alerts: Retrieve security alerts from Chronicle.
  • Lookup Entity: Look up detailed information about entities such as IPs, domains, and hashes.
  • List Security Rules: List all security detection rules configured in Chronicle.
  • Get IoC Matches: Retrieve matches for Indicators of Compromise (IoCs) from Chronicle.

Installation

Installing via Smithery

To install the Chronicle SecOps MCP Server automatically via Smithery, run the following command:

npx -y @smithery/cli install @emeryray2002/mcp-secops-v3 --client claude

Manual Installation

  1. Install the package:
     pip install -e .
  2. Set up your environment variables:
     export CHRONICLE_PROJECT_ID="your-google-cloud-project-id"
     export CHRONICLE_CUSTOMER_ID="your-chronicle-customer-id"
     export CHRONICLE_REGION="us"  # or your region

Configuration

To configure the MCP server in Claude Desktop:

  1. Open Claude Desktop and navigate to Settings.
  2. Select Developer from the left-hand bar, then click Edit Config.
  3. Update your claude_desktop_config.json with the following configuration:
{
  "mcpServers": {
    "secops-mcp": {
      "command": "/path/to/your/uv",
      "args": [
        "--directory",
        "/path/to/your/mcp-secops-v3",
        "run",
        "secops_mcp.py"
      ],
      "env": {
        "CHRONICLE_PROJECT_ID": "your-google-cloud-project-id",
        "CHRONICLE_CUSTOMER_ID": "your-chronicle-customer-id",
        "CHRONICLE_REGION": "us"
      }
    }
  }
}
  4. Save the file and restart Claude Desktop.
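As an added example (not part of the project), a small pre-flight check a practitioner can run on claude_desktop_config.json before restarting Claude Desktop: it confirms the secops-mcp entry has had its placeholder paths and identifiers replaced, and flags a service-account key file embedded in the config, since the server authenticates through Google ADC. The function check_secops_entry and the constructed sample config are assumptions of this example.

```python
import json
import os
from typing import Dict, List

# Hypothetical helper, not part of mcp-secops-v3.
REQUIRED_ENV = ("CHRONICLE_PROJECT_ID", "CHRONICLE_CUSTOMER_ID", "CHRONICLE_REGION")
PLACEHOLDER_MARKERS = ("your-", "/path/to/")  # markers left over from the README template


def check_secops_entry(config: Dict) -> List[str]:
    """Return the problems found in mcpServers.secops-mcp; an empty list means it looks usable."""
    problems: List[str] = []
    entry = config.get("mcpServers", {}).get("secops-mcp")
    if entry is None:
        return ['missing "mcpServers.secops-mcp" entry']

    command = entry.get("command", "")
    if not os.path.isabs(command) or any(m in command for m in PLACEHOLDER_MARKERS):
        problems.append(f'"command" must be the absolute path to uv, got {command!r}')

    args = entry.get("args", [])
    if "--directory" not in args or "secops_mcp.py" not in args:
        problems.append('"args" must contain "--directory <repo>" and "secops_mcp.py"')
    else:
        i = args.index("--directory")
        repo = args[i + 1] if i + 1 < len(args) else ""
        if not repo or any(m in repo for m in PLACEHOLDER_MARKERS):
            problems.append(f'"--directory" still points at a placeholder: {repo!r}')

    env = entry.get("env", {})
    for key in REQUIRED_ENV:
        value = env.get(key, "")
        if not value or any(m in value for m in PLACEHOLDER_MARKERS):
            problems.append(f"env {key} is missing or still a placeholder")

    # The server authenticates via ADC; a long-lived key file path embedded in a
    # desktop config is worth flagging in favour of a local ADC login.
    if "GOOGLE_APPLICATION_CREDENTIALS" in env:
        problems.append("env embeds GOOGLE_APPLICATION_CREDENTIALS; prefer "
                        "gcloud auth application-default login on this machine")
    return problems


# Constructed sample: the unedited README template, which should fail the check.
SAMPLE_CONFIG = json.loads("""{"mcpServers": {"secops-mcp": {
  "command": "/path/to/your/uv",
  "args": ["--directory", "/path/to/your/mcp-secops-v3", "run", "secops_mcp.py"],
  "env": {"CHRONICLE_PROJECT_ID": "your-google-cloud-project-id",
          "CHRONICLE_CUSTOMER_ID": "your-chronicle-customer-id",
          "CHRONICLE_REGION": "us"}}}}""")

if __name__ == "__main__":
    for problem in check_secops_entry(SAMPLE_CONFIG):
        print("-", problem)
```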

Usage

Running the MCP Server

To start the MCP server, run:

python main.py

API Capabilities

The MCP server provides the following capabilities:

  1. Search Security Events: Search for security events in Chronicle.
  2. Get Security Alerts: Retrieve security alerts.
  3. Lookup Entity: Look up entity information (IP, domain, hash, etc.).
  4. List Security Rules: List detection rules.
  5. Get IoC Matches: Get Indicators of Compromise matches.

Example

Refer to example.py for a complete example of using the MCP server.

Authentication

The server uses Google's authentication. Ensure one of the following is in place:

  1. Application Default Credentials (ADC)
  2. The GOOGLE_APPLICATION_CREDENTIALS environment variable
  3. Credentials obtained by running gcloud auth application-default login

Requirements

  • Python 3.11+
  • A Google Cloud account with Chronicle Security Operations enabled
  • Proper authentication configured

License

This project is licensed under the Apache 2.0 license.

Development

The project is structured as follows:

  • secops_mcp.py: Main MCP server implementation
  • example.py: Example usage of the MCP server

About

The Chronicle SecOps MCP Server is a personal project designed to enhance security operations by integrating with Google's Chronicle Security Operations API.
