Chronicle Security Operations MCP server

Integrates with Google's Chronicle Security Operations suite to enable security analysis tasks including event searches, alert retrieval, entity lookups, detection rule listing, and IoC matching for threat hunting and incident investigation.
Provider: Ray Emery
Release date: Mar 19, 2025
Language: Python
Stats: 5 stars

The Chronicle SecOps MCP Server provides an integration between Google's Chronicle Security Operations suite and Claude through the Model Context Protocol (MCP). This server enables Claude to perform security operations tasks such as searching security events, retrieving alerts, and looking up entity information.

Installation Options

Using Smithery (Automated Installation)

The easiest way to install the MCP server for Claude Desktop is via Smithery:

npx -y @smithery/cli install @emeryray2002/mcp-secops-v3 --client claude

Manual Setup for Claude Desktop

To manually configure this MCP server with Claude Desktop:

  1. Install the Claude Desktop application
  2. Open Claude Desktop and access Settings from the Claude menu
  3. Navigate to "Developer" in the sidebar and click "Edit Config"
  4. Update your claude_desktop_config.json with the following configuration:
{
  "mcpServers": {
    "secops-mcp": {
      "command": "/path/to/your/uv",
      "args": [
        "--directory",
        "/path/to/your/mcp-secops-v3",
        "run",
        "secops_mcp.py"
      ],
      "env": {
        "CHRONICLE_PROJECT_ID": "your-google-cloud-project-id",
        "CHRONICLE_CUSTOMER_ID": "your-chronicle-customer-id",
        "CHRONICLE_REGION": "us"
      }
    }
  }
}
  5. Update these configuration elements:

    • Path to uv (find it by running: which uv)
    • Directory path where you've cloned the repository
    • Your Chronicle credentials (project ID, customer ID, and region)
  6. Save the configuration file and restart Claude Desktop

  7. Look for the hammer icon in the Claude Desktop interface, indicating the MCP server is active
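
A preflight check for the configuration above, as an added example (not code from the mcp-secops-v3 project). The function name check_secops_config, the sample values, and the rules that the uv path must be absolute and that any GOOGLE_APPLICATION_CREDENTIALS entry must be a path to a key file closed to group and others are assumptions of this example.

```python
import os
import stat

REQUIRED_ENV = ("CHRONICLE_PROJECT_ID", "CHRONICLE_CUSTOMER_ID", "CHRONICLE_REGION")


def is_placeholder(value):
    """True for empty values and for the template text used in the page's config."""
    return not value or value.startswith("your-") or "/path/to/your" in value


def check_secops_config(config, server="secops-mcp"):
    """Return a list of problems in a parsed claude_desktop_config.json (empty list = OK)."""
    entry = config.get("mcpServers", {}).get(server)
    if entry is None:
        return [f"no mcpServers entry named {server!r}"]
    problems = []
    command, args, env = entry.get("command", ""), entry.get("args", []), entry.get("env", {})
    # Assumption: the page's template uses a full path to uv, so a relative one is flagged.
    if is_placeholder(command) or not os.path.isabs(command):
        problems.append("command must be the absolute path printed by `which uv`")
    directory = args[args.index("--directory") + 1] if "--directory" in args[:-1] else ""
    if is_placeholder(directory):
        problems.append("--directory must point at the cloned repository")
    for name in REQUIRED_ENV:
        if is_placeholder(env.get(name, "")):
            problems.append(f"env.{name} is missing or still a placeholder")
    # Assumption: if a service account key is used, it is passed as a path in env.
    key = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key is not None:
        if key.lstrip().startswith("{"):
            problems.append("GOOGLE_APPLICATION_CREDENTIALS must be a file path, not key JSON")
        elif os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
            problems.append("service account key file is readable by group or others")
    return problems


# Constructed sample: the page's template with every value filled in (values are made up).
SAMPLE = {"mcpServers": {"secops-mcp": {
    "command": "/usr/local/bin/uv",
    "args": ["--directory", "/home/analyst/mcp-secops-v3", "run", "secops_mcp.py"],
    "env": {"CHRONICLE_PROJECT_ID": "example-project",
            "CHRONICLE_CUSTOMER_ID": "00000000-0000-0000-0000-000000000000",
            "CHRONICLE_REGION": "us"}}}}

if __name__ == "__main__":
    for problem in check_secops_config(SAMPLE) or ["configuration looks complete"]:
        print(problem)
```

To check a real file, load it with json.load and pass the resulting dict to check_secops_config before restarting Claude Desktop.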

Manual Installation via pip

You can also install the package directly:

pip install -e .

Then set up your environment variables:

export CHRONICLE_PROJECT_ID="your-google-cloud-project-id"
export CHRONICLE_CUSTOMER_ID="your-chronicle-customer-id"
export CHRONICLE_REGION="us"  # or your region

Authentication

The server uses Google's authentication. You'll need to set up one of these authentication methods:

  • Application Default Credentials (ADC)
  • GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to a service account key
  • Credentials created by running gcloud auth application-default login

Available Security Capabilities

The MCP server provides these security operations functions:

  • search_security_events: Search Chronicle for security events using customizable queries
  • get_security_alerts: Retrieve security alerts from Chronicle
  • lookup_entity: Look up information about an entity (IP address, domain, file hash)
  • list_security_rules: List security detection rules from Chronicle
  • get_ioc_matches: Retrieve Indicator of Compromise (IoC) matches

Running the MCP Server

To start the MCP server manually:

python main.py

Requirements

  • Python 3.11 or newer
  • Google Cloud account with Chronicle Security Operations enabled
  • Proper authentication configuration

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server, go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button, the ~/.cursor/mcp.json file opens and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the tools the added MCP server provides and will call them when it needs to.

You can also explicitly ask the agent to use a tool by mentioning the tool name and describing what the function does.
