Google Cloud Security announced open source Model Context Protocol (MCP) servers for Google SecOps (SIEM and SOAR), Google Threat Intelligence and Security Command Center.
These MCP servers allow you to easily connect Google Cloud Security products and LLMs to create your own AI-powered workflows. Below is a video from Software Engineering Lead Brian Ray that connects Gemini to Google SecOps and Google Threat Intelligence with the Anthropic Cline AI coding assistant.
If you have questions, want to contribute to the GitHub repo (for GitHub instructions check out our Community-Driven Detection Content for Google SecOps blog) or get feedback on a use case you're designing, respond to this post or create your own post and use the MCP tag. Our engineering team is here to help.
We look forward to seeing what you build with these open source MCP servers.
Thank you so much for sharing this blog post! There are some things which I've noticed when trying to implement the secops-soar mcp server. The server.py file attempts to find the "scopes" of the api key/user but the endpoint
Hi,
Thank you for your feedback and for highlighting this.
The endpoints the server is trying to access are specific to the SOAR platform and are not available on Backstory, which is why you don't see it in your tenant's Swagger documentation.
To resolve this, please ensure that the URL configured is the SOAR base URL, not Backstory. If you're unsure of the correct URL, you can easily retrieve it using one of the following methods:
Option 1:
Navigate to Settings → Webhooks, create a new webhook (the parameters don't matter), and copy the base URL from the generated Webhook URL (e.g., https://s4i0z.siemplify-soar.com).
Option 2:
Open the browser's Developer Tools (F12), go to the Network tab, and navigate to Cases in the UI. Look for a request such as GetCaseCardsByRequest, then check the Headers tab and copy the Base URL (e.g., https://s4i0z.siemplify-soar.com).
Let me know if you need any further assistance.
Thanks!
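The check described in the reply above, as an added example that is not part of the thread or of the mcp-security code: it reduces a copied webhook URL to the base URL and reads the http_client DEBUG line format quoted in this thread to separate a wrong base URL from a credentials problem. The function names, the diagnosis labels and the webhook path are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

SCOPES_PATH = "/api/external/v1/settings/GetScopes"  # endpoint named in the thread
BACKSTORY_SUFFIX = ".backstory.chronicle.security"   # host the reply says lacks the SOAR API

# Shape of the http_client DEBUG line quoted in the thread.
HTTP_ERROR_RE = re.compile(r"HTTP error occurred: (\d{3}), message='[^']*', url='([^']+)'")

# Log line as posted in the thread (tenant name is the poster's placeholder).
SAMPLE_LOG = ("DEBUG - secops_soar_mcp.http_client - get - HTTP error occurred: 404, "
              "message='Not Found', url='https://mytenantwashere.backstory.chronicle"
              ".security/api/external/v1/settings/GetScopes'")


def soar_base_url(copied_url: str) -> str:
    """Reduce a copied webhook or request URL to https://host[:port]."""
    parts = urlsplit(copied_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {copied_url!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname.lower()}{port}"


def is_backstory_host(url: str) -> bool:
    """True when the URL points at a Backstory (SIEM) hostname."""
    return (urlsplit(url).hostname or "").lower().endswith(BACKSTORY_SUFFIX)


def diagnose(log_line: str) -> str:
    """Classify one log line; the labels are hypothetical, chosen for this example."""
    match = HTTP_ERROR_RE.search(log_line)
    if not match:
        return "no-http-error"
    status, url = int(match.group(1)), match.group(2)
    if urlsplit(url).path != SCOPES_PATH:
        return "other-request"
    if status == 404 and is_backstory_host(url):
        # Per the reply: the scopes endpoint does not exist on Backstory,
        # so the "right SOAR credentials" message is misleading here.
        return "wrong-base-url"
    return f"scopes-http-{status}"


if __name__ == "__main__":
    # Webhook path below is constructed; only the host comes from the reply.
    print(soar_base_url("https://s4i0z.siemplify-soar.com/constructed/webhook/path"))
    print(diagnose(SAMPLE_LOG))
```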
This is where I am stuck too. The UI message is
2025-06-10 14:05:39,370 - ERROR - __main__ - main - Error: Failed to fetch valid scopes from SOAR, please make sure you have configured the right SOAR credentials. Shutting down... MCP error -32000: Connection closed
but I added logging and found a 404 on the "/api/external/v1/settings/GetScopes" endpoint.
DEBUG - secops_soar_mcp.http_client - get - HTTP error occurred: 404, message='Not Found', url='https://mytenantwashere.backstory.chronicle.security/api/external/v1/settings/GetScopes'
2025-06-10 17:42:19,214 - ERROR - __main__ - main - Error: Failed to fetch valid scopes from SOAR, please make sure you have configured the right SOAR credentials. Shutting down... MCP error -32000: Connection closed
I have a SOAR_APP_KEY that I created under the SOAR Settings/Advanced/Api Keys menu, and have assigned a permission group and a SOC role.
I have set application-default credentials in case it needs them too, but it looks like the request getting the 404 only uses the SOAR_APP_KEY in the header.
edit: corrected to SOAR_APP_KEY
Are you using the correct project ID or customer ID? The customer ID is located in your SecOps tenant, you can find them in settings.
Thank you! I am able to use the secops-soar MCP server now by following your instructions.
Great, happy to help!
Yes, thank you. I verified the CHRONICLE_PROJECT_ID and CHRONICLE_CUSTOMER_ID in the env match the values on the mytenant.backstory.chronicle[.]security/settings/profile page.
Is there any issue that my SOAR is not under siemplify-soar[.]com like the example in secops/mcp-security/docs/usage_guide.md? My SIEM and SOAR are accessed via one URL under backstory.chronicle[.]security. I am only having an issue with the secops-soar mcp.
Hey @mr345123 did you manage to figure this out? I'm getting the same error
No, not yet. Is your SOAR under backstory[.]security or siemplify-soar[.]com? Anyone with confirmed success with a SOAR under backstory[.]security?
Mine is also under backstory ^
@Liocoh are there plans to create OAuth2.0 scopes for Google SecOps? SCC has this option already: https://developers.google.com/identity/protocols/oauth2/scopes#securitycenter.