Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Edge Soc

БесплатноНе проверен

A Cloudflare Workers MCP server that puts a SOC analyst's enrichment, investigation, and detection-context workflow behind a single endpoint. It aggregates over

GitHubEmbed

Описание

A Cloudflare Workers MCP server that puts a SOC analyst's enrichment, investigation, and detection-context workflow behind a single endpoint. It aggregates over 20 threat-intel sources into 18 MCP tools for IP, domain, URL, hash, and CVE lookups.

README

A Cloudflare Workers MCP server that puts a SOC analyst's enrichment, investigation, and detection-context workflow behind a single endpoint, and runs on a free Cloudflare account.

Cloudflare Workers TypeScript MCP Free tier

Why it's built this way

  • One tool per task, not one tool per vendor. ip_lookup fans out across AbuseIPDB, GreyNoise, Shodan, IPinfo, and more, then returns a single verdict instead of five raw API payloads for you to reconcile.
  • Free by default. Runs entirely on Cloudflare's free tier (Workers, Durable Objects, KV, D1, R2, cron). Every paid or keyed source is optional.
  • Degrades cleanly. A missing API key just marks that source auth_missing; the tool still answers with whatever is available.
  • Verdict separated from evidence. Every tool returns the same normalized envelope, so an agent gets a clear answer and the operational notes behind it.

Under the hood it aggregates 20+ threat-intel and detection sources plus bundled corpora (ATT&CK, Sigma, LOLBAS, GTFOBins, HijackLibs, WADComs, D3FEND) into 18 MCP tools.

Tools

Observables

Tool What it does
health Service status and per-source availability
ip_lookup IP reputation, geo/ASN, and exposure
domain_lookup Domain reputation and registration context
url_lookup URL reputation and phishing checks
hash_lookup File-hash reputation and malware context
cve_lookup CVE severity with EPSS score and KEV status

Corpora-backed

Tool What it does
lolbin_lookup Living-off-the-land binaries (LOLBAS / GTFOBins)
dll_hijack_lookup DLL hijacking references (HijackLibs)
command_context Explain a suspicious command line or binary
attack_lookup MITRE ATT&CK technique lookup
sigma_lookup Matching Sigma detection rules

Identity & extras

Tool What it does
account_exposure Infostealer / account exposure (Hudson Rock)
password_check Pwned-password check via HIBP k-anonymity
ja3_lookup JA3 TLS fingerprint reputation (SSLBL)
dns_lookup DNS resolution over DoH
cert_lookup Certificate context (crt.sh / SSLBL)
yara_rule_lookup YARA rule lookup (YARAify)
defense_lookup D3FEND-style defensive countermeasures

What a tool returns

Each tool emits the same normalized envelope, keeping the verdict separate from the evidence behind it:

Field Purpose
query The observable that was looked up
verdict The summarized answer
behavior_tags Notable behaviors observed
attack_ids Related MITRE ATT&CK techniques
rule_refs Related detection rules (e.g. Sigma)
command_explanation Plain-language breakdown, when relevant
analyst_actions Suggested next steps
source_restrictions Usage limits on the data used
sources Raw evidence per source
meta Timing, cache, and diagnostic info

Quickstart

New to Cloudflare? Follow SETUP.md for a step-by-step walkthrough covering account creation, resource provisioning, and client configuration.

The condensed path for developers already familiar with Wrangler:

# 1. Install
bun install

# 2. Log in and create backing resources
bun x wrangler login
bun x wrangler kv namespace create CACHE
bun x wrangler kv namespace create OAUTH_KV
bun x wrangler d1 create edge-soc-mcp-db
bun x wrangler r2 bucket create edge-soc-mcp-corpora

# 3. Create your local config from the template (wrangler.jsonc is gitignored),
#    paste the returned IDs into it, then generate types.
# wrangler types generates worker-configuration.d.ts from your bindings.
# Re-run it any time wrangler.jsonc changes.
cp wrangler.jsonc.example wrangler.jsonc
bun x wrangler types

# 4. Seed corpora into R2 and deploy
bun run seed
bun x wrangler deploy

R2 must be enabled in the Cloudflare dashboard before uploads will work.

Required secret

Set MCP_AUTH_TOKEN to a secret string of your choice. This becomes the password you paste on the OAuth consent screen when connecting a client for the first time. Without it the server will refuse all authorization attempts.

bun x wrangler secret put MCP_AUTH_TOKEN

Optional API secrets

Each key unlocks additional threat-intel sources. The server degrades cleanly without them.

bun x wrangler secret put ABUSEIPDB_API_KEY
bun x wrangler secret put ABUSE_CH_AUTH_KEY   # URLhaus, ThreatFox, MalwareBazaar, YARAify
bun x wrangler secret put GREYNOISE_API_KEY
bun x wrangler secret put IPINFO_TOKEN
bun x wrangler secret put URLSCAN_API_KEY
bun x wrangler secret put PULSEDIVE_API_KEY
bun x wrangler secret put OTX_API_KEY
bun x wrangler secret put NVD_API_KEY
bun x wrangler secret put HUDSONROCK_API_KEY
bun x wrangler secret put HIBP_API_KEY
bun x wrangler secret put SPUR_TOKEN
bun x wrangler secret put VT_API_KEY

Connecting an MCP client

ChatGPT / Claude custom connectors (OAuth 2.1)

ChatGPT (Actions) and Claude (custom connectors) support OAuth 2.1 + PKCE natively. Point them at the worker URL and they will walk through the consent flow automatically:

  1. In the connector settings, enter your worker URL as the server URL (e.g. https://edge-soc-mcp.<your-subdomain>.workers.dev).
  2. The client will redirect you to /authorize, which shows a password prompt.
  3. Paste your MCP_AUTH_TOKEN value and click Authorize.
  4. The client receives an OAuth access token and connects.

Dynamic client registration is supported at /register, so no manual client setup is required.

API clients (Bearer token)

Clients that support Bearer tokens can use the OAuth-issued access token directly, or go through the authorization code flow programmatically. For quick CLI testing, initiate the OAuth flow manually to obtain a token.

Legacy SSE clients can use /sse instead of /mcp.

Local development

This project uses Wrangler-generated runtime types (wrangler types) rather than @cloudflare/workers-types. The generated worker-configuration.d.ts is gitignored, so you must generate it before running type checks or tests.

bun install
bun x wrangler types
bun test
bun run typecheck
bun x wrangler dev

The worker exposes GET /health, POST /mcp, and GET /sse.

Full verification before deploy:

bun run typecheck && bun test && bun x wrangler deploy --dry-run --outdir dist

Sources & restrictions

Free and strongly recommended
Keyless sources, already supported
  • Shodan InternetDB
  • OpenPhish feed
  • PhishTank best-effort URL check
  • crt.sh
  • RDAP via rdap.org
  • EPSS
  • CISA KEV
  • Hudson Rock Cavalier OSINT
  • HIBP Pwned Passwords
  • Cloudflare DoH
  • Google DoH
  • SSLBL cached feeds
Paid or cautionary sources
  • Have I Been Pwned breach API: key purchase
  • Spur Context: pricing
  • VirusTotal Public API (signup): non-commercial and rate-limited
  • Shodan InternetDB: non-commercial

Most lookups are passive and low-volume, but public and community APIs still carry rate limits, and some free sources are non-commercial only.

Scheduled refresh

A cron-triggered job keeps fast-moving feeds current:

  • CISA KEV → KV
  • OpenPhish → R2
  • SSLBL IP, JA3, and certificate feeds → R2

Larger corpora are loaded with bun run seed. Re-run it to refresh ATT&CK, Sigma, LOLBAS, GTFOBins, HijackLibs, WADComs, or D3FEND data.

Implementation notes

  • McpAgent is bound to a SQLite Durable Object via new_sqlite_classes, the state path that stays free-plan compatible.
  • The Cloudflare free tier currently supports Durable Objects, KV, D1, R2, and cron, which is everything this server needs.

Non-goals

  • No detonation or sandbox execution
  • No public submission workflows for urlscan, VirusTotal, or YARAify
  • No Sigma query-language translation
  • No Threat Jammer integration

from github.com/ashwnn/edge-soc-mcp

Установка Edge Soc

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/ashwnn/edge-soc-mcp

FAQ

Edge Soc MCP бесплатный?

Да, Edge Soc MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Edge Soc?

Нет, Edge Soc работает без API-ключей и переменных окружения.

Edge Soc — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Edge Soc в Claude Desktop, Claude Code или Cursor?

Открой Edge Soc на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Edge Soc with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development