LimaCharlie MCP would be a great start to allow developers to create and integrate AI SOC functionalities across all of LimaCharlie’s APIs and Python CLI/SDK.
You read my mind, it’s going to be my weekend.
We’re also rewriting the ext-ai-agent-engine to use the new Google Agent Development Kit. So lots of new AI Agent stuff coming soon.
Would you do me the honors to be the first external person to give it a try?
I’ve been using it internally with the rebuild of our ext-ai-agent-engine that I should be able to get out shortly.
Yes, I would love to test out the MCP Server
MCP server working! @maximelb
It’s awesome!
I tried to set it up using OpenAI Agent SDK, works fine as well.
Guess it’s just a matter of adding the capabilities now
Nice!
Are there any capabilities you’d like to see before others?
Me personally, since I’m trying to create an AI SOC on top of LC, I think the following would be nice:
The essentials maybe:
- create/set/push D&R rules -> can be combined with LC RAG Knowledge Base and the detection alert webhooks to expand on specific D&R rules
- Seal and Isolate sensors
Nice to haves:
- create/set/push FP rules -> automatically push the FP rules the same way, when we click the “Mark False Positive” button from the Detections module from the web GUI
- Replay or LCQL (maybe)
Not too sure but these are the main capabilities off the top of my head
Great, should be easy to add.
Hi @maximelb I was testing the get_mitre_report MCP tool, but keep getting this error:
{"error": "Failed to get JWT from API key oid= uid=None: No API key set"}
Do I need to provide a UID as well?
I was able to authenticate the MCPSSEServer session properly and use the other tools, but when I try to use the get_mitre_report tool, it keeps failing and giving me that response for some reason.
Is there a specific way to hit the get_mitre_report tool?
Thank you
Nah pretty sure it’s just not a helpful message after a re-auth where you’re missing a permission. That API required dr.list as a permission, can you check you have it? Will make a note to rework the SDK to make that error more obvious.
Hi @maximelb I seem to be having issues with the “isolate_network” tool in the MCP.
It returns me:
2025-05-09 00:03:47,275 - INFO - Calling MCP tool isolate_network with parameters: {"sid": ""}
2025-05-09 00:03:47,685 - INFO - HTTP Request: POST https://mcp.limacharlie.io/messages/?session_id=<session_id> "HTTP/1.1 202 Accepted"
2025-05-09 00:03:47,750 - INFO - Raw result from 'isolate_network' call: {'tool': 'isolate_network', 'status': 'success', 'data': {}, 'parameters_used': {'sid': ''}}
But then in the LimaCharlie Dashboard, I don’t see the sensor being isolated.
I also did a verification process using the “is_isolated” after that “isolate_network” tool call:
2025-05-09 00:03:47,750 - INFO - Calling MCP tool is_isolated with parameters: {"sid": ""}
2025-05-09 00:03:48,172 - INFO - HTTP Request: POST https://mcp.limacharlie.io/messages/?session_id=<session_id> "HTTP/1.1 202 Accepted"
2025-05-09 00:03:48,240 - INFO - Post-isolation verification check: {'status': 'success', 'is_isolated': False, 'sid': ''}
Not too sure what’s happening in the background, no error messages
PS: I removed the sensitive information, but all the SIDs were correct.
Further testing also shows that even when I manually isolate the sensor via the web GUI, then run “is_isolated”, it still shows me FALSE.
When you run “is_isolated”, that’s from the MCP too? Trying to narrow down if the issue is on Set or on Get.
Yep, all was run through the MCP
Ok cool, taking a look.
So I tried to replicate and it worked for me. Would you be able to DM me the SID (SensorID) and timestamp of the box where you tried this so I can see from our logs what was happening?
Hi @maximelb yea I think there was a mistake in my code. I was able to get it to work using a simple test script now.