Build with Google Cloud Security MCP Servers

Google Cloud Security announced open source Model Context Protocol (MCP) servers for Google SecOps (SIEM and SOAR), Google Threat Intelligence and Security Command Center. 

These MCP servers allow you to easily connect Google Cloud Security products and LLMs to create your own AI-powered workflows. Below is a video from Software Engineering Lead Brian Ray that connects Gemini to Google SecOps and Google Threat Intelligence with the Anthropic Cline AI coding assistant. 

If you have questions, want to contribute to the GitHub repo (for GitHub instructions check out our Community-Driven Detection Content for Google SecOps blog) or get feedback on a use case you're designing, respond to this post or create your own post and use the MCP tag. Our engineering team is here to help.

We look forward to seeing what you build with these open source MCP servers. 


Thank you so much for sharing this blog post! There are some things which I've noticed when trying to implement the secops-soar mcp server. The server.py file attempts to find the "scopes" of the api key/user but the endpoint

GET_SCOPES = "/api/external/v1/settings/GetScopes" does not exist. Perhaps it's related to our tenant but it is not in the swagger page. 
 
 

Hi,

Thank you for your feedback and for highlighting this.

The endpoints the server is trying to access are specific to the SOAR platform and are not available on Backstory, which is why you don’t see it in your tenant’s Swagger documentation.

To resolve this, please ensure that the URL configured is the SOAR base URL, not Backstory. If you’re unsure of the correct URL, you can easily retrieve it using one of the following methods:

Option 1:
Navigate to Settings → Webhooks, create a new webhook (the parameters don’t matter), and copy the base URL from the generated Webhook URL (e.g., https://s4i0z.siemplify-soar.com ).

Option 2:
Open the browser’s Developer Tools (F12), go to the Network tab, and navigate to Cases in the UI. Look for a request such as GetCaseCardsByRequest, then check the Headers tab and copy the Base URL (e.g., https://s4i0z.siemplify-soar.com ).

Let me know if you need any further assistance.

Thanks!

This is where I am stuck too. The UI message is

2025-06-10 14:05:39,370 - ERROR - __main__ - main - Error: Failed to fetch valid scopes from SOAR, please make sure you have configured the right SOAR credentials. Shutting down... MCP error -32000: Connection closed

but I added logging and found a 404 on the "/api/external/v1/settings/GetScopes"  endpoint.

DEBUG - secops_soar_mcp.http_client - get - HTTP error occurred: 404, message='Not Found', url='https://mytenantwashere.backstory.chronicle.security/api/external/v1/settings/GetScopes'
2025-06-10 17:42:19,214 - ERROR - __main__ - main - Error: Failed to fetch valid scopes from SOAR, please make sure you have configured the right SOAR credentials. Shutting down... MCP error -32000: Connection closed

I have a SOAR_APP_KEY that I created under the SOAR Settings/Advanced/Api Keys menu, and have assigned a permission group and a SOC role.

I have set application-default credentials in case it needs them too, but it looks like the request getting the 404 only uses the SOAR_APP_KEY in the header.

edit: corrected to SOAR_APP_KEY 
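A triage helper for the failure discussed in the posts above, added here as an example and not part of the thread or of the mcp-security repository: it reads the http_client DEBUG line quoted above and separates a GetScopes 404 on a Backstory host (the wrong base URL, per the reply above) from a rejected key. The verdict names, the reading of 401/403 as a credential problem, and every log line marked constructed are assumptions of this example.

```python
import re
from urllib.parse import urlparse

GET_SCOPES = "/api/external/v1/settings/GetScopes"  # endpoint path quoted in the thread
BACKSTORY_SUFFIX = ".backstory.chronicle.security"  # host suffix seen in the thread

# Shape of the secops_soar_mcp.http_client DEBUG line posted in the thread.
HTTP_ERR = re.compile(
    r"HTTP error occurred: (?P<status>\d{3}), message='[^']*', url='(?P<url>[^']+)'"
)

def diagnose(log_text):
    """Return (host, status, verdict) for every failed GetScopes call in the log."""
    findings = []
    for m in HTTP_ERR.finditer(log_text):
        status, url = int(m["status"]), urlparse(m["url"])
        host = url.hostname or ""
        if url.path != GET_SCOPES:
            continue  # only the startup scope check is triaged here
        if status == 404 and host.endswith(BACKSTORY_SUFFIX):
            verdict = "wrong_base_url"    # Backstory host configured instead of SOAR
        elif status == 404:
            verdict = "endpoint_missing"  # some other host without the SOAR API
        elif status in (401, 403):
            verdict = "credentials"       # assumption: API reached, key rejected
        else:
            verdict = "other"
        findings.append((host, status, verdict))
    return findings

# First line is the one posted in the thread; the other two are constructed.
SAMPLE_LOG = """\
DEBUG - secops_soar_mcp.http_client - get - HTTP error occurred: 404, message='Not Found', url='https://mytenantwashere.backstory.chronicle.security/api/external/v1/settings/GetScopes'
DEBUG - secops_soar_mcp.http_client - get - HTTP error occurred: 401, message='Unauthorized', url='https://soar.example.invalid/api/external/v1/settings/GetScopes'
DEBUG - secops_soar_mcp.http_client - get - HTTP error occurred: 500, message='Server Error', url='https://soar.example.invalid/api/external/v1/other'
"""

if __name__ == "__main__":
    for host, status, verdict in diagnose(SAMPLE_LOG):
        print(f"{host}: HTTP {status} -> {verdict}")
```
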

Are you using the correct project ID or customer ID? The customer ID is located in your SecOps tenant; you can find them in settings.

Hi,

Thank you for your feedback and for highlighting this.

The endpoints the server is trying to access are specific to the SOAR platform and are not available on Backstory, which is why you don’t see it in your tenant’s Swagger documentation.

To resolve this, please ensure that the URL configured is the SOAR base URL, not Backstory. If you’re unsure of the correct URL, you can easily retrieve it using one of the following methods:

Option 1:
Navigate to Settings → Webhooks, create a new webhook (the parameters don’t matter), and copy the base URL from the generated Webhook URL (e.g., https://s4i0z.siemplify-soar.com ).

Option 2:
Open the browser’s Developer Tools (F12), go to the Network tab, and navigate to Cases in the UI. Look for a request such as GetCaseCardsByRequest, then check the Headers tab and copy the Base URL (e.g., https://s4i0z.siemplify-soar.com ).

Let me know if you need any further assistance.

Thanks!

Thank you!  I am able to use the secops-soar MCP server now by following your instructions. 

Great, happy to help!

Yes, thank you. I verified the CHRONICLE_PROJECT_ID and CHRONICLE_CUSTOMER_ID in the env match the values on the mytenant.backstory.chronicle[.]security/settings/profile page.

Is there any issue that my SOAR is not under siemplify-soar[.]com like the example in secops/mcp-security/docs/usage_guide.md ?  My SIEM and SOAR are accessed via one URL under backstory.chronicle[.]security.   I am only having an issue with the secops-soar mcp.

Hey @mr345123 did you manage to figure this out? I'm getting the same error

No, not yet. Is your SOAR under backstory[.]security or siemplify-soar[.]com? Anyone with confirmed success with a SOAR under backstory[.]security?

Mine is also under backstory ^

@Liocoh are there plans to create OAuth2.0 scopes for Google SecOps? SCC has this option already: https://developers.google.com/identity/protocols/oauth2/scopes#securitycenter

Hi 

I followed this article, https://github.com/google/mcp-security/tree/main/run-with-google-adk
Only SCC mcp server is enabled. All IAM authorizations are set correctly. SCC API is also enabled for the project. The same problem occurs with environment variables gcloud auth application-default login or GOOGLE_APPLICATION_CREDENTIALS.
As shown.

scc-mcp error.png

How do I resolve the 403 Permission DENIED error?

Thanks

Looks like an issue with how you're auth-ing the Gemini model. Either the key is invalid or that project doesn't have Gemini enabled.

Thanks for your reply,
I verified it using cloud shell command.
gcloud auth application-default login
gcloud auth application-default set-quota-project dgc-it-support

The following figure shows the GCP settings in .env, such as mode, project, and region.

darwin4322_3-1750906268911.png

darwin4322_1-1750905758456.png

The same 403 error appears as shown below:

darwin4322_2-1750906185625.png