Enabling LLM interaction with your Detection repository
I recently setup an MCP server for our Detection and Response (DnR) repository and it's changed the way I interact with the content there. In this post I'll explain how I enabled Claude Desktop to interact with our detection repo, and the capabilities it has unlocked for me.
What is MCP?
The Model Context Protocol (MCP) is an open protocol in late 2024 that enables LLMs to interact with data and perform function calling in a standardized manner. The MCP website summarizes it well with this analogy:
Think of MCP like a USB-C port for AI applications. Just as USB-C provides a standardized way to connect your devices to various peripherals and accessories, MCP provides a standardized way to connect AI models to different data sources and tools.
MCP has SDKs for a bunch of different languages, including Python, Java, TypeScripe and C#. Open-source libraries exist for other languages including Go. In this post we'll be using Python.
Getting Started
After following the MCP Python SDK setup instructions I copied the template MCP application and started to implement my first Resource for a Detection. Most of our detections are implemented in YAML today so this involved writing a function that enables the detection YAML to be exposed to the LLM when requested. We also need to support a list function, so the LLM can understand the complete set of resources available.
After implementing these functions we install the MCP server in Claude Desktop and viola, we can now ask relevant questions about our detection codebase to the LLM.
Asking Questions about Detections
With this new capability I can ask questions in plain english about content in our library. Claude will combine the innate knowledge of the LLM with our existing codebase. For example, concepts around the MITRE ATT&CK framework are already known by the LLM but answers involving those tactics are improved with detailed knowledge of our codebase.
Here's a simple example, where I ask Claude to discuss our alerting and detection capabilities around the syslog datasource:
Claude is able to explain and summarize the capabilities at a high level as well as provide detailed descriptions of each detection capability.
Claude can also use its existing knowledge to reason about content that we have exposed to it. We can see this in action when we ask about detection coverage for a specific MITRE technique– T1567. Our detections are tagged with MITRE ATT&CK IDs which enables Claude to more quickly find relevant detections.
Claude can also do differential reasoning to find potential gaps in our detection strategies:
How its changed my workflow
Claude Desktop is now my go-to when I need to ask a question about something in our detection library. Instead of grepping through folder hierarchies its much faster to simply ask Claude in natural language what I am looking for. This saves time (and more importantly, focus)– allowing me to answer questions and complete tasks more effectively.
In summary, the MCP protocol provides a turnkey method to get complex content and tooling into LLMs. It enables us to ask context-specific questions about our codebase and can take actions via function calling if necessary. With SDKs available for many languages, integrating theese capabilities is pretty straightforward. I am excited to use these capabilities more in the future!