AI SOC Security Threat analysis using MCP Server
Configuration

    {
      "mcpServers": {
        "akramiot-mcp_ai_soc_sher": {
          "command": "mcp-ai-soc",
          "args": [
            "--type",
            "local",
            "--stdio"
          ],
          "env": {
            "MCP_DB_URI": "sqlite:///your_database.db",
            "OPENAI_API_KEY": "YOUR_OPENAI_API_KEY",
            "MCP_SECURITY_ENABLE_THREAT_ANALYSIS": "true"
          }
        }
      }
    }

You can run the MCP AI SOC Sher server locally to translate natural language prompts into SQL queries, while enjoying built‑in security analysis and real‑time streaming feedback. It supports multiple interfaces and straightforward configuration, enabling you to query your databases securely and monitor SOC events from a single, adaptable MCP server.
Start by running the local server from your command line to enable STDIO or SSE interfaces, or use the REST API for remote access. You will interact with the server by sending natural language prompts describing the data you want, and the server will return optimized SQL along with execution results when requested.
To run locally with the STDIO interface, start the local MCP server in STDIO mode from the CLI; the configuration above does this with mcp-ai-soc --type local --stdio. You can also enable SSE to receive streaming progress updates during query processing.
If you need remote access, you can start a REST API server that exposes endpoints to submit prompts and receive SQL results. The server supports secure operation through configured keys and threat analysis as part of its workflow.
Prerequisites: ensure you have Python installed on your system so you can install the MCP package with pip.
Install the MCP package with the following command.

    pip install mcp-ai-soc-sher

Create a local environment file to supply your OpenAI API key and database connection details.
Set your OpenAI API key and configure your MCP instance to point to your data source. You can run the server locally and choose the interface you prefer (STDIO, SSE, or REST API).
Environment variables you may configure include the OpenAI API key and the MCP database URI. The following snippet shows an example configuration file.

    OPENAI_API_KEY=your_openai_api_key_here
    MCP_DB_URI=sqlite:///your_database.db
    MCP_SECURITY_ENABLE_THREAT_ANALYSIS=true

Begin by querying the server with a natural language prompt to find relevant data, and request the server to return the corresponding SQL and, if desired, execute it to obtain results.
The example usage pattern sends a prompt to the server endpoint and handles the response, which includes the generated SQL and any results if execution was requested.

    import requests

    # Submit a natural language prompt; ask the server to optimize and execute the SQL.
    response = requests.post(
        "http://localhost:8000/api/sql",
        headers={"Content-Type": "application/json", "X-API-Key": "your-api-key"},
        json={
            "query": "Find all suspicious login attempts in the last 24 hours",
            "optimize": True,
            "execute": True,
        },
        timeout=30,
    )
    response.raise_for_status()  # fail on HTTP errors instead of parsing an error body
    result = response.json()

    print(f"SQL Query: {result['sql']}")
    # "results" is only populated when execution was requested
    if result.get("results"):
        print("Results:")
        for row in result["results"]:
            print(row)

Converts natural language prompts into optimized SQL queries using AI-assisted parsing and query generation.
Performs rule-based and AI-powered security checks on generated SQL to detect injections, sensitive table access, and risky patterns.
Provides real-time streaming feedback during query processing so you can monitor progress as results are prepared.
Offers Security Operations Center monitoring capabilities to track queries, usage, and potential threats.
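
A rule-based pre-execution check of the kind the feature list describes, as an added example (not the project's own code or rule set). It can be run client-side on the returned sql field before a request is sent with execute set to true; the table names in SENSITIVE_TABLES, the keyword list and the sample statements are constructed assumptions.

```python
import re

# Constructed policy for illustration; these table names are assumptions.
SENSITIVE_TABLES = {"users", "credentials", "api_keys"}
WRITE_KEYWORDS = {"insert", "update", "delete", "drop", "alter", "create",
                  "truncate", "attach", "pragma", "grant"}

# One pass over string literals and comments, so a quote inside a comment
# (or "--" inside a string) cannot desynchronise the scan.
_LITERAL_OR_COMMENT = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)


def normalize(sql: str) -> str:
    """Blank string literals and drop comments so only real SQL tokens remain."""
    return _LITERAL_OR_COMMENT.sub(
        lambda m: "''" if m.group(0).startswith("'") else " ", sql)


def review_sql(sql: str) -> list[str]:
    """Return policy findings for one generated statement; empty means pass."""
    body = normalize(sql)
    findings = []
    statements = [s for s in body.split(";") if s.strip()]
    if len(statements) != 1:
        findings.append(f"expected exactly one statement, got {len(statements)}")
    tokens = re.findall(r"[a-z_][a-z0-9_]*", body.lower())
    if not tokens or tokens[0] not in ("select", "with"):
        findings.append("not a read-only SELECT")
    for kw in sorted(WRITE_KEYWORDS.intersection(tokens)):
        findings.append(f"write/DDL keyword: {kw}")
    for table in sorted(SENSITIVE_TABLES.intersection(tokens)):
        findings.append(f"sensitive table: {table}")
    return findings


if __name__ == "__main__":
    # Constructed sample statements, standing in for the "sql" field of a response.
    samples = [
        "SELECT src_ip, COUNT(*) FROM login_events WHERE status = 'failed; DROP' GROUP BY src_ip",
        "SELECT * FROM login_events; DROP TABLE login_events",
        "SELECT name FROM login_events UNION SELECT secret FROM credentials -- x",
    ]
    for sql in samples:
        print("BLOCK" if review_sql(sql) else "ALLOW", review_sql(sql), "<-", sql)
```

The check is deliberately conservative: a column that shares a name with a listed table is flagged too, and double-quoted identifiers are not parsed.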