shanto12/splunk-soar-mcp
The Splunk SOAR MCP Server connects AI assistants directly to your Splunk SOAR instance, enabling seamless interaction and automation.
Splunk SOAR MCP Server
Model Context Protocol (MCP) server for Splunk SOAR - Connect AI assistants like Claude, ChatGPT, and Cursor directly to your Splunk SOAR instance.
🚀 Quick Start
Test with Your SOAR Instance
You have been provided with test credentials:
- SOAR Server: smatthew-soar.west.buttercup.cloud
- Auth Token: Qv1mmOnZdDU7grzw32y0SXmdcWiZ+0UR6UeOG49Bfg8=
Installation
```bash
# Clone the repository
git clone https://github.com/shanto12/splunk-soar-mcp.git
cd splunk-soar-mcp

# Run the automated setup script
python setup_repo.py

# Install the package
pip install -e .
```
Configuration
For Claude Desktop
Add to your config file (~/Library/Application Support/Claude/claude_desktop_config.json on Mac, %APPDATA%\Claude\claude_desktop_config.json on Windows):
```json
{
  "mcpServers": {
    "splunk-soar": {
      "command": "python",
      "args": ["-m", "splunk_soar_mcp"],
      "env": {
        "SOAR_SERVER": "smatthew-soar.west.buttercup.cloud",
        "SOAR_AUTH_TOKEN": "Qv1mmOnZdDU7grzw32y0SXmdcWiZ+0UR6UeOG49Bfg8="
      }
    }
  }
}
```
For Cursor / Other MCP Clients
Use the same server entry (command, args and env) in your MCP client's settings file.
🎯 Features
✅ 7 Powerful Tools for complete SOAR interaction
✅ Secure - Your credentials never leave your machine
✅ Fast - Direct REST API integration
✅ Free & Open Source - MIT licensed
✅ Works with any SOAR instance - Cloud or on-premise
📋 Available Tools
| Tool | Description |
|---|---|
| get_containers | Search and filter containers by severity, status, time range |
| get_container_details | Get comprehensive details about a specific container |
| get_artifacts | Retrieve artifacts (IOCs, evidence) from containers |
| list_playbooks | List available automation playbooks |
| run_playbook | Execute playbooks on containers |
| search_containers | Full-text search across container fields |
| get_action_results | View results from security actions |
💡 Usage Examples
Once configured, simply ask your AI assistant:
Finding Incidents:
- "Show me all high-severity containers created today"
- "List open phishing cases"
- "Find containers related to ransomware"
Investigating:
- "Get detailed information about container 456"
- "Show me artifacts for container 123"
- "What IP addresses are in container 789?"
Taking Action:
- "List available investigation playbooks"
- "Run the email_investigation playbook on container 123"
- "Show recent action results for container 456"
🔧 Development Setup
The repository includes an automated setup script that creates all necessary files:
```bash
python setup_repo.py
```
This will create:
- src/splunk_soar_mcp/ - Main MCP server code
- examples/ - Configuration examples and sample queries
- tests/ - Unit tests
- All necessary package files
🔒 Security
Your Splunk SOAR credentials are stored only in your local configuration file and never transmitted to any third party. The MCP server runs locally on your machine and connects directly to your SOAR instance.
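Because the token sits in plaintext in the client config shown under Configuration, it is worth checking that file before trusting it. The following is an added example, not part of this project: it validates the `splunk-soar` entry of a `claude_desktop_config.json`, flags the public sample token printed in this README, and warns when the file is readable by other users. It assumes the server expects a bare hostname in `SOAR_SERVER` (as in the README's example) and uses POSIX permission bits, so the mode check does not apply on Windows.

```python
import json
import stat
from pathlib import Path
from typing import List, Optional

# The token printed in this README's Quick Start is public; treat it as burned.
README_SAMPLE_TOKEN = "Qv1mmOnZdDU7grzw32y0SXmdcWiZ+0UR6UeOG49Bfg8="

def check_soar_mcp_config(config_text: str, file_mode: Optional[int] = None,
                          server_name: str = "splunk-soar") -> List[str]:
    """Return findings for an MCP client config (file_mode = st_mode & 0o777); [] means clean."""
    findings: List[str] = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    entry = cfg.get("mcpServers", {}).get(server_name)
    if entry is None:
        return [f"no mcpServers entry named {server_name!r}"]
    env = entry.get("env", {})
    server, token = env.get("SOAR_SERVER", ""), env.get("SOAR_AUTH_TOKEN", "")
    if not server:
        findings.append("SOAR_SERVER is missing or empty")
    elif "://" in server or "/" in server:  # assumption: bare hostname, as in the README
        findings.append("SOAR_SERVER should be a bare hostname, not a URL")
    if not token:
        findings.append("SOAR_AUTH_TOKEN is missing or empty")
    elif token == README_SAMPLE_TOKEN:
        findings.append("SOAR_AUTH_TOKEN is the README's public sample token; use your own automation-user token")
    # The token is stored in plaintext, so the file must not be group/world readable (POSIX bits only).
    if file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("config file is readable by group or others; chmod 600 it")
    return findings

def check_config_file(path: Path, server_name: str = "splunk-soar") -> List[str]:
    """Read a real config file and check both its contents and its permission bits."""
    return check_soar_mcp_config(path.read_text(), path.stat().st_mode & 0o777, server_name)

def _mcp_config(server: str, token: str) -> str:
    """Build a config string in the shape shown in the Configuration section."""
    return json.dumps({"mcpServers": {"splunk-soar": {"command": "python", "args": ["-m", "splunk_soar_mcp"],
                       "env": {"SOAR_SERVER": server, "SOAR_AUTH_TOKEN": token}}}})

# Constructed samples: a private config, and one that pasted the README's credentials verbatim.
SAMPLE_PRIVATE = _mcp_config("soar.example.internal", "REPLACE-WITH-YOUR-OWN-TOKEN")
SAMPLE_README_COPY = _mcp_config("smatthew-soar.west.buttercup.cloud", README_SAMPLE_TOKEN)
if __name__ == "__main__":
    for name, text, mode in (("private", SAMPLE_PRIVATE, 0o600), ("readme-copy", SAMPLE_README_COPY, 0o644)):
        print(name, check_soar_mcp_config(text, mode) or "clean")
```

Run `check_config_file(Path.home() / "Library/Application Support/Claude/claude_desktop_config.json")` on a Mac to check the real file.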
📝 License
MIT License - see file for details.
👤 Author
Shanto Mathew
- Email: shanto12@gmail.com
- GitHub: @shanto12
- Company: Galaxor AI
🤝 Contributing
Contributions welcome! Please feel free to submit a Pull Request.
📞 Support
- 🐛 Bug Reports: GitHub Issues
- 💬 Discussions: GitHub Discussions
Like this project? Give it a ⭐ on GitHub!