CrowdSentinel MCP Server is an open-source threat hunting orchestrator that connects large language models to enterprise security data via the Model Context Protocol (MCP). It enables natural language querying and AI-guided investigation workflows.
From the registry: AI-powered threat hunting and incident response MCP server for Elasticsearch/OpenSearch

$ crowdsentinel setup

Please install the `crowdsentinel-mcp-server` MCP server into my current AI client (that's you).
Required prerequisites (do these first if not already done):
- **Elasticsearch access** — Requires a running Elasticsearch instance and an API key or credentials.
Optional prerequisites:
- tshark (for PCAP analysis) — System dependency required for network traffic analysis tools.
- Run crowdsentinel setup — Downloads Chainsaw and Sigma rules (one-time). Run: `crowdsentinel setup`
Canonical MCP server config (stdio transport):
- command: `uvx`
- args: `["crowdsentinel-mcp-server"]`
- optional environment variables:
  - `ELASTICSEARCH_HOSTS`: Self-hosted Elasticsearch URL. (example: `https://localhost:9200`)
  - `ELASTICSEARCH_CLOUD_ID`: Elastic Cloud deployment ID. (example: `deployment:base64...`)
  - `ELASTICSEARCH_API_KEY`: Elasticsearch API key (recommended auth). (example: `<your-api-key>`)
  - `ELASTICSEARCH_BEARER_TOKEN`: Elasticsearch service/bearer token. (example: `<your-service-token>`)
  - `ELASTICSEARCH_USERNAME`: Basic auth username. (example: `elastic`)
  - `ELASTICSEARCH_PASSWORD`: Basic auth password. (example: `<your-password>`)
  - `VERIFY_CERTS`: Verify TLS certs. (example: `false`)
  - `VIRUSTOTAL_API_KEY`: VirusTotal API key for IoC enrichment. (example: `<your-vt-key>`)
  - `ABUSEIPDB_API_KEY`: AbuseIPDB API key for IP reputation lookups. (example: `<your-abuse-key>`)
  - `THREATFOX_API_KEY`: ThreatFox API key. (example: `<your-tf-key>`)
Add this MCP server to my current client's config in the correct format for you. If you need secrets or credentials I haven't provided, ASK me — do not invent values or leave raw placeholders. After adding it, tell me how to verify the server is connected.

Environment variables:
- `ELASTICSEARCH_HOSTS` (required): The URL of the Elasticsearch instance.
- `ELASTICSEARCH_API_KEY` (required): API key for authenticating with Elasticsearch.
- `VERIFY_CERTS`: Flag to verify SSL certificates.