
Google MCP Security project, providing MCP servers to connect Google security products and services with AI assistant integration tools.

Apache-2.0 · Python · 245 · google/mcp-security · Last Updated: 2025-06-25

Google MCP Security Project Detailed Introduction

Project Overview

Google MCP Security is an open-source project that provides Model Context Protocol (MCP) servers, enabling MCP clients (such as Claude Desktop or the cline.bot VS Code extension) to access Google's security products and services. The project aims to integrate Google's powerful security tools into the AI assistant ecosystem, providing security professionals with smarter and more efficient threat detection and response capabilities.

Core Functional Modules

The project includes four independent MCP servers, each corresponding to a different Google security product:

1. Google Security Operations (Chronicle)

  • Purpose: Threat detection, investigation, and threat hunting
  • Functionality: Provides large-scale security data analysis and threat detection capabilities
  • Applicable Scenarios: SOC teams conducting threat investigations and proactive threat hunting

2. Google Security Operations SOAR

  • Purpose: Security orchestration, automation, and response
  • Functionality: Automates security incident response processes and workflow orchestration
  • Integration Support: Supports various integration methods such as CSV and OKTA
  • Applicable Scenarios: Automating security incident handling and response

3. Google Threat Intelligence (GTI)

  • Purpose: Access to Google's threat intelligence data
  • Functionality: Provides global threat intelligence information and malware analysis
  • Data Source: VirusTotal API integration
  • Applicable Scenarios: Threat intelligence analysis and malware detection

4. Security Command Center (SCC)

  • Purpose: Cloud security and risk management
  • Functionality: Google Cloud security posture management and vulnerability assessment
  • Applicable Scenarios: Cloud environment security monitoring and compliance management

Technical Architecture

Supported Clients

  • Claude Desktop
  • Cline VS Code extension
  • Google ADK (Agent Development Kit) agent
  • Other MCP-compatible clients

Authentication Method

The project uses Google's standard authentication mechanisms:

  • Application Default Credentials (ADC)
  • GOOGLE_APPLICATION_CREDENTIALS environment variable
  • gcloud auth application-default login command

Transport Protocol

The servers use the stdio transport for client-server communication.

Installation and Configuration

Recommended Method: Using uv

{
  "mcpServers": {
    "secops": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/the/repo/server/secops/secops_mcp",
        "run",
        "server.py"
      ],
      "env": {
        "CHRONICLE_PROJECT_ID": "your-project-id",
        "CHRONICLE_CUSTOMER_ID": "01234567-abcd-4321-1234-0123456789ab",
        "CHRONICLE_REGION": "us"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

Alternative Method: Using pip

{
  "mcpServers": {
    "secops": {
      "command": "/bin/bash",
      "args": [
        "-c",
        "cd /path/to/the/repo/server/secops && pip install -e . && secops_mcp"
      ],
      "env": {
        "CHRONICLE_PROJECT_ID": "your-project-id",
        "CHRONICLE_CUSTOMER_ID": "01234567-abcd-4321-1234-0123456789ab",
        "CHRONICLE_REGION": "us"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

Environment Variable Configuration

Key environment variables required for each server:

Chronicle (SecOps)

  • CHRONICLE_PROJECT_ID: Google Cloud project ID
  • CHRONICLE_CUSTOMER_ID: Chronicle customer ID
  • CHRONICLE_REGION: Service region (e.g., us)

SOAR

  • SOAR_URL: SOAR platform URL
  • SOAR_APP_KEY: SOAR application key

GTI (Threat Intelligence)

  • VT_APIKEY: VirusTotal API key

SCC (Security Command Center)

  • Uses default Google Cloud authentication, no additional environment variables required
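As an added example (not code from the mcp-security project), a small validator that checks a Cline-style MCP client configuration like the two above against the per-server variables listed in this section: it flags missing variables, sample values left unreplaced, and any non-empty autoApprove list. The server keys other than "secops", the tool name, and the sample config are assumptions constructed for the example.

```python
import json

# Required env vars per server, from the page's "Environment Variable
# Configuration" section. The server keys other than "secops" are assumed
# names for this example; SCC needs no variables because it uses ADC.
REQUIRED_ENV = {
    "secops": {"CHRONICLE_PROJECT_ID", "CHRONICLE_CUSTOMER_ID", "CHRONICLE_REGION"},
    "secops-soar": {"SOAR_URL", "SOAR_APP_KEY"},
    "gti": {"VT_APIKEY"},
    "scc": set(),
}
# Sample values from the page's config that must be replaced before use.
PLACEHOLDERS = {"your-project-id", "01234567-abcd-4321-1234-0123456789ab"}


def check_mcp_config(config_text: str) -> list:
    """Return findings for an MCP client config; an empty list means it passes."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        if name not in REQUIRED_ENV:
            findings.append(f"{name}: unknown server, no required-env rule")
        env = spec.get("env", {})
        for var in sorted(REQUIRED_ENV.get(name, set()) - set(env)):
            findings.append(f"{name}: missing env {var}")
        for var, value in env.items():
            if not value or value in PLACEHOLDERS:
                findings.append(f"{name}: env {var} still holds a placeholder")
        # Tools named in autoApprove run without a per-call confirmation prompt
        # in the client; the page's samples keep it empty, keeping a human in the loop.
        if spec.get("autoApprove"):
            findings.append(f"{name}: autoApprove bypasses confirmation for {spec['autoApprove']}")
    return findings


# Constructed sample: the page's secops entry with one placeholder left in,
# plus a GTI entry that lacks its key and auto-approves a made-up tool name.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "secops": {
        "command": "uv",
        "args": ["--directory", "/path/to/the/repo/server/secops/secops_mcp", "run", "server.py"],
        "env": {"CHRONICLE_PROJECT_ID": "your-project-id",
                "CHRONICLE_CUSTOMER_ID": "constructed-customer-id", "CHRONICLE_REGION": "us"},
        "disabled": False, "autoApprove": [],
    },
    "gti": {"command": "uv", "args": ["run", "server.py"], "env": {},
            "disabled": False, "autoApprove": ["example_tool"]},
}})
```

Note that the env block keeps SOAR_APP_KEY and VT_APIKEY in plaintext inside the client configuration file, so that file deserves the same file-permission handling as any other credential store.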

Deployment Options

Local Deployment

  1. Clone the project repository
  2. Configure the corresponding environment variables
  3. Install dependencies (recommended to use uv)
  4. Configure the MCP client (Claude Desktop or VS Code)
  5. Restart the client to activate the MCP server

Cloud Deployment

The project supports cloud deployment via Google Cloud Run. Refer to the project documentation for specific configurations.

Usage Scenarios

SOC Teams

  • Utilize Chronicle for large-scale threat detection
  • Automate security incident response through SOAR
  • Combine threat intelligence for contextual analysis

Cloud Security Teams

  • Use SCC to monitor the security posture of the Google Cloud environment
  • Automate vulnerability management and compliance checks
  • Integrate threat intelligence to enhance detection capabilities

Security Researchers

  • Access global threat intelligence through GTI
  • Conduct malware analysis and threat research
  • Automate threat hunting activities

Project Advantages

  1. Modular Design: Four independent servers, which can be flexibly enabled according to needs
  2. Enterprise-Grade Security: Based on Google's mature security products and services
  3. AI Integration: Seamless integration with advanced AI assistants such as Claude
  4. Open Source Transparency: Apache 2.0 license, code is completely open source
  5. Easy to Deploy: Supports multiple installation and deployment methods
  6. Rich Documentation: Provides detailed documentation and usage guides

Technical Requirements

  • Python 3.8+
  • uv or pip package manager
  • Google Cloud project and related API access permissions
  • Corresponding security product subscriptions and API keys

Community and Support

The project is hosted on GitHub, providing:

  • Detailed README and documentation
  • Online documentation website: https://google.github.io/mcp-security/
  • Sample configurations and best practices
  • Community support and contribution guidelines

This project represents Google's significant investment in AI security tool integration, providing security professionals with powerful automated and intelligent security analysis capabilities.
