Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Defender (Mcp Msdefenderkql)

БесплатноНе проверен

An MCP server for Microsoft Defender Advanced Hunting that enables AI assistants to investigate security events using natural language by translating queries to

GitHubEmbed

Описание

An MCP server for Microsoft Defender Advanced Hunting that enables AI assistants to investigate security events using natural language by translating queries to KQL and executing them against Defender.

README

PyPI version License: MIT

mcp-name: io.github.trickyfalcon/mcp-msdefenderkql

An MCP (Model Context Protocol) server for Microsoft Defender Advanced Hunting. Enables AI assistants to investigate security events using natural language by translating queries to KQL and executing them against Defender.

How It Works

User: "Show me suspicious PowerShell activity in the last hour"
  ↓
AI translates to KQL using schema knowledge
  ↓
MCP executes query against Defender API
  ↓
AI interprets and explains the results

Features

  • Advanced Hunting: Execute KQL queries against Defender's Advanced Hunting API
  • Dynamic Schema Discovery: Fetch available tables and columns directly from your Defender instance
  • Natural Language Security Investigations: Let AI translate your questions into KQL
  • Certificate Authentication: Secure authentication using Azure AD certificates (recommended)

Prerequisites

  • Python 3.10+
  • Azure AD App Registration with WindowsDefenderATP permission:
    • AdvancedQuery.Read.All - Run advanced queries

Installation

From PyPI (Recommended)

pip install mcp-msdefenderkql

From Source

# Clone the repository
git clone https://github.com/trickyfalcon/mcp-defender.git
cd mcp-defender

# Create and activate virtual environment
python -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate

# Install dependencies
pip install -e ".[dev]"

Configuration

  1. Copy .env.example to .env
  2. Fill in your Azure AD credentials:
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-client-id

# Option 1: Certificate authentication (recommended)
AZURE_CLIENT_CERTIFICATE_PATH=/path/to/combined.pem

# Option 2: Client secret authentication
# AZURE_CLIENT_SECRET=your-client-secret

Certificate Setup

For certificate authentication, combine your private key and certificate:

cat private.key cert.pem > combined.pem

Usage

Running the Server

mcp-msdefenderkql

Testing with MCP Inspector

npx @modelcontextprotocol/inspector mcp-msdefenderkql

Claude Desktop Configuration

Add to your Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "defender": {
      "command": "/path/to/mcp-defender/.venv/bin/python",
      "args": ["-m", "mcp_defender.server"],
      "env": {
        "PYTHONPATH": "/path/to/mcp-defender/src",
        "AZURE_TENANT_ID": "your-tenant-id",
        "AZURE_CLIENT_ID": "your-client-id",
        "AZURE_CLIENT_CERTIFICATE_PATH": "/path/to/combined.pem"
      }
    }
  }
}

Available Tools

Tool Description
run_hunting_query Execute KQL queries against Advanced Hunting
get_hunting_schema Get available tables and columns dynamically

Example Natural Language Queries

Once connected to Claude, you can ask:

  • "Show me any suspicious PowerShell activity in the last hour"
  • "Find devices with failed login attempts"
  • "What processes are making network connections to external IPs?"
  • "List all devices that haven't checked in for 7 days"

Example KQL Queries

// Find failed logon attempts
DeviceLogonEvents
| where ActionType == "LogonFailed"
| where Timestamp > ago(24h)
| summarize FailedAttempts = count() by AccountName, DeviceName
| top 10 by FailedAttempts

// Detect suspicious PowerShell
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("encodedcommand", "bypass", "hidden", "downloadstring")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

// Network connections to external IPs
DeviceNetworkEvents
| where RemoteIPType == "Public"
| where Timestamp > ago(1h)
| summarize ConnectionCount = count() by DeviceName, RemoteIP
| top 20 by ConnectionCount

Development

# Run tests
pytest

# Lint code
ruff check .

# Type check
mypy src

# Security scan
bandit -r src

API Reference

This server uses the WindowsDefenderATP API:

  • Endpoint: https://api.securitycenter.microsoft.com
  • Advanced Hunting: POST /api/advancedqueries/run

License

MIT

from github.com/trickyfalcon/mcp-defender

Установить Defender (Mcp Msdefenderkql) в Claude Desktop, Claude Code, Cursor

Рекомендуется · одна команда, все IDE
unyly install mcp-defender-mcp-msdefenderkql

Ставит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.

Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh

Или настроить вручную

Выполни в терминале:

claude mcp add mcp-defender-mcp-msdefenderkql -- uvx mcp-msdefenderkql

FAQ

Defender (Mcp Msdefenderkql) MCP бесплатный?

Да, Defender (Mcp Msdefenderkql) MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Defender (Mcp Msdefenderkql)?

Нет, Defender (Mcp Msdefenderkql) работает без API-ключей и переменных окружения.

Defender (Mcp Msdefenderkql) — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Defender (Mcp Msdefenderkql) в Claude Desktop, Claude Code или Cursor?

Открой Defender (Mcp Msdefenderkql) на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Defender (Mcp Msdefenderkql) with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai