Google SecOps SOAR MCP server
Project description
Chronicle SecOps SOAR MCP Server
This is an MCP (Model Context Protocol) server for interacting with Google's Chronicle Security Operations SOAR suite. MCP Info
Features
Core Tools (Case Management & Entities)
list_cases()- Lists available cases in the SOAR platform.post_case_comment(case_id, comment)- Adds a textual comment to a specific case.list_alerts_by_case(case_id)- Lists all alerts associated with a specific case ID.list_alert_group_identifiers_by_case(case_id)- Lists the unique group identifiers for alerts within a specific case.list_events_by_alert(case_id, alert_id)- Lists the events associated with a particular alert within a given case.change_case_priority(case_id, case_priority)- Modifies the priority level of a specific case.get_entities_by_alert_group_identifiers(case_id, alert_group_identifiers)- Retrieves entities involved in one or more alert groups.get_entity_details(entity_identifier, entity_type, entity_environment)- Fetches detailed information about a specific entity.search_entity(term=None, type=None, is_suspicious=None, is_internal_asset=None, is_enriched=None, network_name=None, environment_name=None)- Searches for entities within the SOAR platform.get_case_full_details(case_id)- Retrieves comprehensive details for a single case.
Dynamic Integration Tools (Marketplace)
This server can dynamically load additional tools based on integrations enabled via the --integrations command-line flag when the server is started. These tools correspond to modules found in the marketplace/ directory.
Available integrations include:
- ServiceNow
- CSV
- Jira
- Slack
- VirusTotal
- Active Directory
- Microsoft Defender ATP
- And many more
Installing in Claude Desktop
To use this MCP server with Claude Desktop:
-
Install Claude Desktop
-
Open Claude Desktop and select "Settings" from the Claude menu
-
Click on "Developer" in the lefthand bar, then click "Edit Config"
-
Update your
claude_desktop_config.jsonwith the following configuration (replace paths with your actual paths):NOTE: For OSX users, if you used this one-liner to install uv, use the full path to the uv binary for the "command" value below, as uv will not be placed in the system path for Claude to use! For example:
/Users/yourusername/.local/bin/uvinstead of justuv.Additionally, for the secops-soar MCP server, you will need use the CA list bundled with the certifi package. This can be done via the following command. Change the Python minor version to match whatever version you are currently running. (ex.
Python\ 3.11):/Applications/Python\ 3.12/Install\ Certificates.command
{
"mcpServers": {
"secops-soar": {
"command": "uv",
"args": [
"--env-file=/path/to/your/env",
"--directory",
"/path/to/the/repo/server/secops-soar/secops_soar_mcp",
"run",
"server.py"
],
"env": {
"SOAR_URL": "${SOAR_URL}",
"SOAR_APP_KEY": "${SOAR_APP_KEY}"
},
"disabled": false,
"autoApprove": []
}
}
}
To have the MCP server provide tools for specific marketplace integrations, use the integrations flag followed by a comma-separated string of the desired integration names. For example, for the ServiceNow, CSV, and Siemplify integrations:
{
"mcpServers": {
"secops-soar": {
"command": "uv",
"args": [
"--env-file=/path/to/your/env",
"--directory",
"/path/to/the/repo/server/secops-soar/secops_soar_mcp",
"run",
"server.py",
"--integrations",
"ServiceNow,CSV,Siemplify"
],
"env": {
"SOAR_URL": "${SOAR_URL}",
"SOAR_APP_KEY": "${SOAR_APP_KEY}"
},
"disabled": false,
"autoApprove": []
}
}
}
Environment Variable Setup
Set up these environment variables in your system:
For macOS/Linux:
export SOAR_URL="your-soar-url"
export SOAR_APP_KEY="your-soar-app-key"
export SOAR_INTEGRATIONS="ServiceNow,CSV,Siemplify"
For Windows PowerShell:
$Env:SOAR_URL = "your-soar-url"
$Env:SOAR_APP_KEY = "your-soar-app-key"
$Env:SOAR_INTEGRATIONS = "ServiceNow,CSV,Siemplify"
Requirements
- Python 3.11+
- SOAR URL and AppKey
License
Apache 2.0
Development
The project is structured as follows:
server.py: Main MCP server implementationmarketplace/: Directory containing integration modules
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file secops_soar_mcp-0.1.0.tar.gz.
File metadata
- Download URL: secops_soar_mcp-0.1.0.tar.gz
- Upload date:
- Size: 523.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d3b51ef306685b48fbdb72be409a5d3d688648d84b609f7781b1cae2b5285fc6
|
|
| MD5 |
e010e51ec6b9ffe361fd7508bafc5dc8
|
|
| BLAKE2b-256 |
81573868c4b90075b25b87e3a32c43ab6fc3b79e811455107971eb0ad127e656
|
File details
Details for the file secops_soar_mcp-0.1.0-py3-none-any.whl.
File metadata
- Download URL: secops_soar_mcp-0.1.0-py3-none-any.whl
- Upload date:
- Size: 1.0 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7cdd5dc3eb8569f8e5b06f8e651219db3e25af5cb15f9b59f7b2230fdcb4a038
|
|
| MD5 |
4b84994bdbe1d5ffa03863bc56d28160
|
|
| BLAKE2b-256 |
4237786035b4ffdb48fecda14f2bc0b6114d05ae9ff0c7c9929a78591fa1e0f3
|
