LimaCharlie MCP

LimaCharlie MCP would be a great start to allow developers to create and integrate AI SOC functionalities across all of LimaCharlie’s APIs and Python CLI/SDK.

You read my mind, it’s going to be my weekend. :slight_smile:

We’re also rewriting the ext-ai-agent-engine to use the new Google Agent Development Kit. So lots of new AI Agent stuff coming soon.

Would you do me the honors to be the first external person to give it a try? :slight_smile:
I’ve been using it internally with the rebuild of our ext-ai-agent-engine that I should be able to get out shortly.

Yes, I would love to test out the MCP Server :smiley:

MCP server working! @maximelb

It's awesome!

I tried to set it up using OpenAI Agent SDK, works fine as well.

Guess it's just a matter of adding the capabilities now :raising_hands:

Nice!
Are there any capabilities you’d like to see before others?

Me personally, since I’m trying to create an AI SOC on top of LC, I think the following would be nice:

The essentials maybe:

- create/set/push D&R rules -> can be combined with LC RAG Knowledge Base and the detection alert webhooks to expand on specific D&R rules
- Seal and Isolate sensors

Nice to haves:

- create/set/push FP rules -> automatically push the FP rules the same way, when we click the “Mark False Positive” button from the Detections module from the web GUI
- Replay or LCQL (maybe)

Not too sure, but these are the main capabilities off the top of my head :sweat_smile:

Great, should be easy to add.

Hi @maximelb I was testing the get_mitre_report MCP tool, but keep getting this error:

{"error": "Failed to get JWT from API key oid= uid=None: No API key set"}

Do I need to provide a UID as well?

I was able to authenticate the MCPSSEServer session properly and use the other tools, but when I try to use the get_mitre_report tool, it keeps failing and giving me that response for some reason.

Is there a specific way to hit the get_mitre_report tool?

Thank you :smiley:

Nah pretty sure it’s just not a helpful message after a re-auth where you’re missing a permission. That API required dr.list as a permission, can you check you have it? Will make a note to rework the SDK to make that error more obvious.

Hi @maximelb I seem to be having issues with the “isolate_network” tool in the MCP.

It returns me:

2025-05-09 00:03:47,275 - INFO - Calling MCP tool isolate_network with parameters: {"sid": ""}
2025-05-09 00:03:47,685 - INFO - HTTP Request: POST https://mcp.limacharlie.io/messages/?session_id=<session_id> "HTTP/1.1 202 Accepted"
2025-05-09 00:03:47,750 - INFO - Raw result from 'isolate_network' call: {'tool': 'isolate_network', 'status': 'success', 'data': {}, 'parameters_used': {'sid': ''}}

But then in the LimaCharlie Dashboard, I don’t see the sensor being isolated.

I also did a verification process using the “is_isolated” after that “isolate_network” tool call:

2025-05-09 00:03:47,750 - INFO - Calling MCP tool is_isolated with parameters: {"sid": ""}
2025-05-09 00:03:48,172 - INFO - HTTP Request: POST https://mcp.limacharlie.io/messages/?session_id=<session_id> "HTTP/1.1 202 Accepted"
2025-05-09 00:03:48,240 - INFO - Post-isolation verification check: {'status': 'success', 'is_isolated': False, 'sid': ''}

Not too sure what’s happening in the background, no error messages :sweat_smile:

PS: I removed the sensitive information, but all the SIDs were correct.

Further testing also shows that even when I manually isolate the sensor via the web GUI and then run “is_isolated”, it still shows me FALSE.

When you run “is_isolated”, that’s from the MCP too? Trying to narrow down if the issue is on Set or on Get.

Yep, all of it was run through the MCP.

Ok cool, taking a look.

So I tried to replicate and it worked for me. Would you be able to DM me the SID (SensorID) and timestamp of the box where you tried this so I can see from our logs what was happening?

Hi @maximelb yeah, I think there was a mistake in my code. I was able to get it to work using a simple test script now. :smiley:

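The isolate-then-check pattern from the posts above, as an added example that is not part of the original thread and not LimaCharlie's own code: a containment wrapper that refuses a blank SID and only reports isolation once `is_isolated` confirms it. `call_tool` is a hypothetical wrapper around the MCP session, the result shapes mirror the log lines quoted in the thread, and SIDs are assumed to be UUID strings.

```python
import time
import uuid

class ContainmentNotConfirmed(RuntimeError):
    """Isolation was requested but could not be verified."""

def isolate_and_verify(call_tool, sid, attempts=3, delay=0.0):
    """Request isolation, then confirm it through is_isolated.
    call_tool(name, params) -> dict is a hypothetical MCP session wrapper."""
    # Refuse empty or malformed SIDs before any call is made.
    # Assumption: sensor IDs are UUID strings.
    try:
        sid = str(uuid.UUID(str(sid).strip()))
    except ValueError:
        raise ValueError(f"refusing to isolate: invalid sid {sid!r}") from None
    result = call_tool("isolate_network", {"sid": sid})
    if result.get("status") != "success":
        raise ContainmentNotConfirmed(f"isolate_network failed: {result}")
    # The tool must have acted on the SID we meant, not a blank one.
    used = (result.get("parameters_used") or {}).get("sid")
    if used != sid:
        raise ContainmentNotConfirmed(f"tool used sid {used!r}, expected {sid!r}")
    # "success" only says the call returned; poll for the actual state.
    for attempt in range(1, attempts + 1):
        check = call_tool("is_isolated", {"sid": sid})
        if check.get("status") == "success" and check.get("is_isolated") is True:
            return {"sid": sid, "isolated": True, "checks": attempt}
        time.sleep(delay)
    raise ContainmentNotConfirmed(f"{sid} not isolated after {attempts} checks")

def fake_mcp(isolates):
    """Constructed stand-in for the MCP session; isolates=False reproduces
    a 'success' reply that never changes the sensor state."""
    state = {"isolated": False}
    def call_tool(name, params):
        if name == "isolate_network":
            state["isolated"] = isolates
            return {"tool": name, "status": "success", "data": {},
                    "parameters_used": dict(params)}
        return {"status": "success", "is_isolated": state["isolated"],
                "sid": params["sid"]}
    return call_tool
```

Raising instead of returning a status dict keeps an agent-driven playbook from treating an unconfirmed isolation as done.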