Crowdsentinel Mcp Server

authSTDIOregistry active

Summary

This server bridges Claude to your Elasticsearch or OpenSearch cluster for security operations. It exposes 79 MCP tools covering threat hunting queries, EVTX log analysis with Chainsaw, PCAP inspection via tshark, and live endpoint forensics through Velociraptor integration. The server bundles 6,060 preconverted detection rules (Lucene, EQL, ES|QL) and maintains an 8GB investigation memory for IoC correlation across tools. It's built for IR workflows where you need an LLM to pivot through logs, network captures, and endpoint artifacts using natural language while preserving investigative context. Includes a standalone CLI mode and structured prompts that guide agents through proper DFIR methodology. Ships with Sigma rule support and forensic playbooks exposed as MCP resources.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CrowdSentinel MCP Server

AI-Powered Threat Hunting & Incident Response Framework

MCP Official Registry · PyPI Package

Open-source threat hunting orchestrator connecting LLMs to enterprise security data via Model Context Protocol (MCP)

Quick Start · Installation · CLI Usage · Features · Architecture · Documentation · Examples

Warning This project is in active development and intended for security testing, research, and educational purposes only. It is not production-ready. Do not deploy in production environments. APIs, tool interfaces, and data formats may change without notice. Use at your own risk.

Demo

https://github.com/user-attachments/assets/0d0381f0-5b68-43b2-8630-19ec130885b2

What is CrowdSentinel?

CrowdSentinel transforms traditional SIEM querying into intelligent, framework-driven investigations using natural language. It serves as a unified security intelligence layer that connects large language models to enterprise security data sources, enabling:

Natural Language Threat Hunting — Query Elasticsearch using plain English
AI-Guided Investigation Workflows — Built-in prompts guide agents through proper IR methodology
Persistent Investigation State — Memory-managed IoC tracking, forensic timelines, and cross-query correlation that survives across sessions (8GB FIFO storage)
Cross-Tool IoC Correlation — IoCs discovered in one tool are automatically available to all others
Multi-Source Analysis — Elasticsearch, EVTX logs (Chainsaw), PCAP files (Wireshark), live endpoint forensics (Velociraptor)
Velociraptor Endpoint Forensics — 20 MCP tools for live artefact collection (processes, network, persistence, execution evidence, NTFS MFT) with automatic IoC extraction
DFIR Knowledge Resources — 9 MCP resources exposing investigation playbooks, Pyramid of Pain reference, and cross-correlation guidance directly to connected AI agents
Standalone CLI — Full threat hunting from the terminal without an MCP client

Installation

Install from PyPI (recommended)

# Install with pip
pip install crowdsentinel-mcp-server

# Or install with uv
uv pip install crowdsentinel-mcp-server

# Download detection rules, Chainsaw, and Sigma rules (one-time)
crowdsentinel setup

Detection rules (6,060 Lucene + EQL + ES|QL) are bundled with the package — no download needed. The setup command downloads additional tools:

Chainsaw binary for EVTX analysis
3,000+ Sigma rules for Chainsaw

Downloaded tools are stored in ~/.crowdsentinel/ and persist across package upgrades.

System dependency for PCAP analysis:

# Required for network traffic analysis and cross-tool IoC correlation
sudo apt install tshark    # Debian/Ubuntu/Kali
sudo dnf install wireshark-cli  # Fedora/RHEL
brew install wireshark     # macOS

Run directly with uvx (no install needed)

# Elasticsearch 8.x (default)
uvx crowdsentinel-mcp-server

# Other backends
uvx crowdsentinel-mcp-server-es7   # Elasticsearch 7.x
uvx crowdsentinel-mcp-server-es9   # Elasticsearch 9.x
uvx opensearch-mcp-server          # OpenSearch 1.x/2.x/3.x

Install from source

git clone https://github.com/thomasxm/CrowdSentinels-AI-MCP.git
cd CrowdSentinels-AI-MCP
chmod +x setup.sh && ./setup.sh

The setup script will:

Install dependencies (pipx, uv, Claude Code CLI if needed)
Bundle 6,060 detection rules and download Chainsaw binary
Prompt for Elasticsearch credentials (never hardcoded)
Configure the MCP server with Claude Code
Validate your connection

Installed Size

CrowdSentinel bundles 6,060 detection rules and integrates with external analysis tools. Below is the full disk space breakdown so you can plan accordingly.

Core package (via pip or uvx):

Component	Size	Notes
CrowdSentinel package	49 MB	The server itself
— Bundled Sigma rules (`src/rules/`)	30 MB	6,060 pre-converted detection rules
— Elastic TOML rules (`src/detection-rules/`)	17 MB	Original TOML format rules + hunting queries
— Python code (clients, tools, etc.)	2 MB	Actual application code
Dependencies	64 MB	All transitive deps
— `cryptography`	14 MB	Largest dependency (TLS)
— `elasticsearch`	8.3 MB	ES Python client
— `pygments`	5.2 MB	Syntax highlighting
— `pydantic_core`	5 MB	Validation engine
— `opensearchpy`	3.6 MB	OpenSearch client
— Others (27 packages)	~28 MB	mcp, fastmcp, httpx, anthropic, etc.
Core total	113 MB	`pip install crowdsentinel-mcp-server`

Additional tools (via crowdsentinel setup):

Component	Download	Installed	Notes
Chainsaw binary (v2.13.1)	~3 MB	~15 MB	EVTX log analysis engine
Sigma rules (SigmaHQ)	~3 MB	~30 MB	3,000+ Sigma rules for Chainsaw
Chainsaw mappings	—	<1 MB	Event log source mappings
Setup total	~6 MB	~46 MB	Stored in `~/.crowdsentinel/`

System dependency (via package manager):

Component	Installed	Install Command	Notes
tshark + Wireshark libs	~132 MB	`sudo apt install tshark`	PCAP network analysis — required for cross-tool IoC correlation

Full installation summary:

Scenario	Total Disk Space
Core only (`pip install`)	~113 MB
Core + setup (`crowdsentinel setup`)	~159 MB
Full platform (+ tshark)	~291 MB

Note: PyPI download size is only 8.9 MB (wheel) thanks to compression of the bundled detection rules.

Quick Start

1. Set environment variables

export ELASTICSEARCH_HOSTS="https://localhost:9200"
export ELASTICSEARCH_API_KEY="your_api_key"
# Or use username/password:
# export ELASTICSEARCH_USERNAME="elastic"
# export ELASTICSEARCH_PASSWORD="your_password"
export VERIFY_CERTS="false"

2. Connect to an MCP Client

CrowdSentinel works with any MCP-compatible AI agent. Choose your client below:

Claude Code (CLI)

claude mcp add crowdsentinel \
  -e ELASTICSEARCH_HOSTS="https://localhost:9200" \
  -e ELASTICSEARCH_API_KEY="your_api_key" \
  -e VERIFY_CERTS="false" \
  -- uvx crowdsentinel-mcp-server

Claude Desktop

Edit ~/.config/Claude/claude_desktop_config.json (Linux) or ~/Library/Application Support/Claude/claude_desktop_config.json (macOS):

{
  "mcpServers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

VS Code Copilot

Create .vscode/mcp.json in your workspace:

{
  "servers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

Then enable MCP in VS Code settings: "chat.mcp.enabled": true

Cursor

Create or edit ~/.cursor/mcp.json:

{
  "mcpServers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

Roo Code (VS Code Extension)

Create .roo/mcp.json in your workspace:

{
  "mcpServers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

Or configure via Roo Code settings panel: Settings > MCP Servers > Add Server.

5ire

In 5ire settings (v0.15.0+), add an MCP server with:

Command: uvx
Arguments: crowdsentinel-mcp-server
Environment Variables:
- ELASTICSEARCH_HOSTS = https://localhost:9200
- ELASTICSEARCH_API_KEY = your_api_key
- VERIFY_CERTS = false

Note: 5ire v0.14.0 has known MCP compatibility issues. Use v0.15.0+ for reliable operation.

Any MCP Client (Generic)

stdio transport (default — works with most clients):

{
  "mcpServers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

SSE transport (for web-based clients):

crowdsentinel-mcp-server --transport sse --port 8001
# Connect to: http://localhost:8001/sse/

HTTP transport (for REST API clients):

crowdsentinel-mcp-server --transport streamable-http --port 8001
# Connect to: http://localhost:8001/mcp/

3. Or use the CLI directly

# Download rules and tools (one-time)
crowdsentinel setup

# Check cluster health
crowdsentinel health

# Hunt for threats
crowdsentinel hunt "powershell encoded" -i winlogbeat-*

# Run detection rules
crowdsentinel rules -p windows --tactic credential_access
crowdsentinel detect windows_builtin_win_alert_mimikatz_keywords_lucene -i winlogbeat-*

# Analyse PCAP files
crowdsentinel pcap overview capture.pcap
crowdsentinel pcap beaconing capture.pcap

# Hunt EVTX logs with Chainsaw
crowdsentinel chainsaw hunt /path/to/evtx/ --sigma-rules /path/to/sigma/

CLI Usage

CrowdSentinel provides a full CLI for threat hunting from the terminal:

pip install crowdsentinel-mcp-server
crowdsentinel setup    # Download rules, Chainsaw, Sigma (one-time)
crowdsentinel --help

Available Commands

Command	Description	Example
`setup`	Download detection rules, Chainsaw, and Sigma rules	`crowdsentinel setup`
`health`	Show cluster health	`crowdsentinel health`
`indices`	List all indices	`crowdsentinel indices`
`hunt`	IR-focused threat hunt with IoC extraction	`crowdsentinel hunt "powershell" -i winlogbeat-*`
`eql`	Execute an EQL query	`crowdsentinel eql "process where process.name == 'cmd.exe'" -i winlogbeat-*`
`esql`	Execute an ES\|QL query	`crowdsentinel esql "FROM logs-* \| LIMIT 10"`
`detect`	Execute a detection rule by ID	`crowdsentinel detect win_susp_logon -i winlogbeat-*`
`rules`	List available detection rules	`crowdsentinel rules -p windows --tactic credential_access --type eql`
`schema`	Detect schema for an index pattern	`crowdsentinel schema -i winlogbeat-*`
`ioc`	Hunt for a specific Indicator of Compromise	`crowdsentinel ioc 203.0.113.42 --type ip -i winlogbeat-*`
`analyse`	Analyse search results from stdin (JSON)	`cat results.json \| crowdsentinel analyse -c "context"`
`analyse --mcp`	AI agent analysis using all 97 MCP tools	`crowdsentinel hunt "query" \| crowdsentinel analyse --mcp -c "context"`
`auth`	Manage LLM authentication for agent mode	`crowdsentinel auth login`
`pcap`	Analyse PCAP files (overview, beaconing, lateral movement)	`crowdsentinel pcap beaconing capture.pcap`
`chainsaw`	Hunt EVTX logs with Chainsaw and Sigma rules	`crowdsentinel chainsaw hunt /path/to/evtx/`

Output Formats

All commands support --output/-o with three formats:

crowdsentinel hunt "failed login" -i winlogbeat-* -o json     # Structured JSON (default)
crowdsentinel hunt "failed login" -i winlogbeat-* -o table    # Human-readable table
crowdsentinel hunt "failed login" -i winlogbeat-* -o summary  # Condensed summary

Agent Mode (`--mcp`)

The analyse --mcp flag replaces deterministic analysis with an AI agent that autonomously uses all 97 MCP tools to investigate. The agent follows the 4-phase IR methodology: hunt, analyse, correlate, report.

Authentication:

# Option 1: Browser sign-in (ChatGPT subscription — no API billing)
crowdsentinel auth login

# Option 2: Anthropic (setup-token or API key)
crowdsentinel auth login --provider anthropic

# Option 3: Environment variable
export ANTHROPIC_API_KEY="sk-ant-..."   # or OPENAI_API_KEY

# Option 4: Local models (Ollama, vLLM — free)
crowdsentinel analyse --mcp --model-url http://localhost:11434/v1 --model llama3.1

# Check auth status
crowdsentinel auth status

Agent flags:

Flag	Default	Description
`--mcp`	off	Enable AI agent with MCP tools
`--mcp-server NAME:CMD`	none	Add external MCP server (e.g., VirusTotal)
`--model`	auto-detect	LLM model to use
`--model-url`	none	OpenAI-compatible API endpoint
`--max-steps`	30	Maximum tool calls
`--timeout`	300	Maximum seconds

Pipeline Examples

Deterministic analysis (no API key needed):

# Hunt then analyse
crowdsentinel hunt "powershell encoded" -i winlogbeat-* -o json | \
  crowdsentinel analyse -c "Encoded PowerShell commands" -o summary

# Investigate failed authentication attempts
crowdsentinel hunt "event.code:4625" -i winlogbeat-* -o json | \
  crowdsentinel analyse -c "Failed login brute force investigation" -o summary

# Triage process execution and privilege escalation
crowdsentinel hunt "event.code:4688 OR event.code:4672 OR event.code:1" -i winlogbeat-* -o json | \
  crowdsentinel analyse -c "Process execution and privilege escalation" -o summary

AI agent investigation (requires auth):

# Credential dumping investigation — agent hunts, analyses kill chain, checks adjacent stages
crowdsentinel hunt "mimikatz OR lsass OR procdump" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp -c "Credential dumping tools investigation" --max-steps 15 -o summary

# Encoded PowerShell — full IR workflow with kill chain and adjacent stage hunting
crowdsentinel hunt "powershell -enc OR FromBase64String" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp -c "Full IR workflow: encoded PowerShell" --max-steps 30 -o table

# Process execution with detection rules
crowdsentinel hunt "event.code:4688" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp -c "Execute detection rules against process creation" --max-steps 20 -o summary

# PCAP beaconing — agent generates IoCs and maps to kill chain
crowdsentinel pcap beaconing capture.pcap -o json | \
  crowdsentinel analyse --mcp -c "Investigate beaconing for C2 infrastructure" --max-steps 10 -o summary

# Anti-forensics investigation
crowdsentinel hunt "event.code:1102" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp -c "Security log cleared - anti-forensics" --max-steps 10 -o summary

# With external MCP server (e.g., VirusTotal)
crowdsentinel hunt "powershell" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp --mcp-server "vt:uvx virustotal-mcp-server" \
  -c "Check IoCs against VirusTotal" -o summary

Key Features

125+ MCP Tools

Threat hunting, detection rules, forensics, endpoint collection, network analysis, cross-correlation, and IoC enrichment — all accessible via natural language

6,060 Detection Rules

Pre-built Lucene, EQL & ES|QL rules with automatic MITRE ATT&CK mapping

Investigation State

Persistent IoC tracking across tools and sessions with cross-source correlation and FIFO storage

4 Security Frameworks

Cyber Kill Chain (7 stages)
Pyramid of Pain (6 levels)
Diamond Model (4 vertices)
MITRE ATT&CK (automatic mapping)

4 Data Sources + Threat Intel

Elasticsearch / OpenSearch (SIEM)
Velociraptor (live endpoint forensics)
EVTX logs (Chainsaw + Sigma)
PCAP files (Wireshark/TShark)
IoC enrichment (Shodan, VirusTotal, AbuseIPDB, ThreatFox)

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                 LLM Client / Claude Code CLI                    │
└─────────────────────────────┬───────────────────────────────────┘
                              │ MCP Protocol (stdio/SSE/HTTP)
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                    CrowdSentinel MCP Server                      │
│  ┌───────────────┐ ┌───────────────┐ ┌───────────────────────┐  │
│  │  125+ Tools   │ │ 6,060 Rules   │ │ Security Frameworks   │  │
│  │ - Hunting     │ │ - Lucene      │ │ - Cyber Kill Chain    │  │
│  │ - Detection   │ │ - EQL         │ │ - Pyramid of Pain     │  │
│  │ - Forensics   │ │ - Sigma       │ │ - Diamond Model       │  │
│  │ - Endpoint    │ │               │ │ - MITRE ATT&CK        │  │
│  │ - Network     │ │               │ │                       │  │
│  │ - Enrichment  │ │               │ │ 9 MCP Resources       │  │
│  │ - Correlation │ │               │ │ (DFIR knowledge base) │  │
│  └───────────────┘ └───────────────┘ └───────────────────────┘  │
│  ┌─────────────────────────────────────────────────────────────┐│
│  │              Investigation State (Persistent)                ││
│  │    Cross-source IoC sharing, auto-capture, STIX 2.1 export  ││
│  └─────────────────────────────────────────────────────────────┘│
└──────────┬──────────────┬───────────────────┬───────────────────┘
           │              │                   │
  ┌────────┼──────────────┼───────────────┐   │
  ▼        ▼              ▼               ▼   ▼
┌──────────────┐ ┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│Elasticsearch │ │ Velociraptor  │ │   Chainsaw    │ │   Wireshark   │
│ /OpenSearch  │ │  (EDR/DFIR)   │ │  (EVTX/Sigma) │ │    (PCAP)     │
│   (SIEM)     │ │  (Endpoint)   │ │  (Offline)    │ │  (Network)    │
└──────────────┘ └───────────────┘ └───────────────┘ └───────────────┘
                          │
  ┌───────────────────────┼───────────────────────┐
  ▼                       ▼                       ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Shodan        │ │  VirusTotal   │ │  AbuseIPDB    │
│ InternetDB    │ │     (v3)      │ │  + ThreatFox  │
│  (free/no key)│ │  (free tier)  │ │  (free tier)  │
└───────────────┘ └───────────────┘ └───────────────┘
                          │
                          ▼ (Roadmap)
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│    Splunk     │ │  Carbon Black │ │     Zeek      │
│               │ │  (EDR)        │ │   (NSM/IDS)   │
└───────────────┘ └───────────────┘ └───────────────┘

What's Included

Tool Categories (84 Tools)

Category	Tools	Description
Elasticsearch Core	18	Index, document, cluster, alias, data stream operations
Threat Hunting	12	Attack pattern detection, IoC hunting, timeline analysis
Detection Rules	9	6,060 rule library — list, execute, validate, suggest
Kill Chain Analysis	5	Stage hunting, progression tracking, adjacent stage prediction
Investigation Prompts	5	Fast triage spine — 10 critical IR questions
Chainsaw (EVTX)	6	Sigma rule hunting, iterative IoC discovery
Wireshark (PCAP)	11	Network forensics, beaconing, lateral movement detection
Threat Intelligence	5	IoC enrichment (Shodan, VirusTotal, AbuseIPDB, ThreatFox) + MISP export/search
Investigation State	13	Persistent IoCs, cross-tool sharing, STIX 2.1 export, reporting

Security Frameworks

Framework	Purpose
Cyber Kill Chain	Hunt by attack stage (7 stages), predict adversary's next move
Pyramid of Pain	Prioritise IoCs by difficulty for attackers to change (6 levels)
Diamond Model	Map adversary, capability, infrastructure, victim relationships
MITRE ATT&CK	Automatic technique mapping for all detections

Detection Rules (6,060 Rules)

Type	Count	Source	Description
Lucene	1,966	Sigma-converted	Fast pattern matching queries
EQL	3,963	Sigma-converted + Elastic	Event sequences and correlations
ES\|QL	131	Elastic TOML rules	Pipe-based query language (ES 8.11+)

Platforms: Windows, Linux, macOS, Cloud (AWS/Azure/GCP), Network, Identity

Log Sources: PowerShell, Sysmon, Security Events, Process Creation, Audit logs

Configuration

Environment Variables

# Connection (required — choose one)
ELASTICSEARCH_HOSTS="https://localhost:9200"       # Self-hosted
# OR
ELASTICSEARCH_CLOUD_ID="deployment:base64..."      # Elastic Cloud

# Authentication — choose one (in priority order):
ELASTICSEARCH_BEARER_TOKEN="service_token_here"    # Service/bearer token
ELASTICSEARCH_API_KEY="your_api_key"               # API key (recommended)
ELASTICSEARCH_USERNAME="elastic"                   # Basic auth
ELASTICSEARCH_PASSWORD="your_password"

# TLS / Certificate verification
VERIFY_CERTS="true"                                # Verify against system CA bundle
# VERIFY_CERTS="/path/to/ca.crt"                   # Verify against custom CA certificate
# ELASTICSEARCH_CA_CERT="/path/to/ca.crt"          # Explicit CA certificate path
# ELASTICSEARCH_CLIENT_CERT="/path/to/client.crt"  # Client certificate (mTLS)
# ELASTICSEARCH_CLIENT_KEY="/path/to/client.key"   # Client private key (mTLS)

# Options
REQUEST_TIMEOUT="30"                               # Request timeout in seconds
DISABLE_HIGH_RISK_OPERATIONS="true"                # Block all write operations

# Threat Intelligence (optional — Shodan InternetDB works without any key)
VIRUSTOTAL_API_KEY="your_vt_key"                   # Free: 500 lookups/day
ABUSEIPDB_API_KEY="your_abuse_key"                 # Free: 1,000 lookups/day
THREATFOX_API_KEY="your_tf_key"                    # Free: unlimited

# MISP Integration (optional — offline JSON export works without a server)
MISP_URL="https://misp.example.org"                # MISP instance URL
MISP_API_KEY="your_misp_key"                       # MISP API key (40-char hex)
# MISP_SSL_VERIFY="true"                           # Set "false" for self-signed (dev only)

Security Warning: Never use VERIFY_CERTS="false" or plain-text passwords in production. Use API keys or service tokens with TLS certificate verification enabled. For self-signed certificates, set ELASTICSEARCH_CA_CERT to your CA certificate path.

Production Configuration Examples

Elastic Cloud

ELASTICSEARCH_CLOUD_ID="my-deployment:dXMtY2VudHJhbC0x..."
ELASTICSEARCH_API_KEY="your_cloud_api_key"
VERIFY_CERTS="true"

Self-Hosted with Custom CA

ELASTICSEARCH_HOSTS="https://es-cluster.internal:9200"
ELASTICSEARCH_API_KEY="your_api_key"
ELASTICSEARCH_CA_CERT="/etc/elasticsearch/certs/ca.crt"
VERIFY_CERTS="true"

Mutual TLS (mTLS)

ELASTICSEARCH_HOSTS="https://es-cluster.internal:9200"
ELASTICSEARCH_CA_CERT="/etc/elasticsearch/certs/ca.crt"
ELASTICSEARCH_CLIENT_CERT="/etc/elasticsearch/certs/client.crt"
ELASTICSEARCH_CLIENT_KEY="/etc/elasticsearch/certs/client.key"
VERIFY_CERTS="true"

Development / Testing (insecure)

ELASTICSEARCH_HOSTS="http://localhost:9200"
ELASTICSEARCH_USERNAME="elastic"
ELASTICSEARCH_PASSWORD="test123"
VERIFY_CERTS="false"

This configuration is not suitable for production. Use API keys with TLS in production environments.

Transport Modes

Mode	Use Case	Command
stdio (default)	MCP clients (Claude Code, etc.)	Auto-configured by setup.sh
SSE	Web/streaming clients	`--transport sse --port 8000`
HTTP	REST API access	`--transport streamable-http`

Disabling Write Operations

For read-only access (recommended for production):

DISABLE_HIGH_RISK_OPERATIONS="true"

This hides destructive tools: create_index, delete_index, index_document, delete_document, delete_by_query, create_data_stream, delete_data_stream, put_alias, delete_alias, general_api_request

Usage Examples

Example 1: Hunt for Brute Force Attacks

You: Hunt for brute force attacks in the last hour

CrowdSentinel: Searching for failed authentication attempts...
[Calls hunt_by_timeframe with attack_types=["brute_force"]]

Found 47 failed login attempts from 3 source IPs targeting the "admin" account.
Top sources:
- 192.168.1.105: 28 attempts
- 10.0.0.42: 15 attempts
- 172.16.0.8: 4 attempts

Example 2: Investigate a Suspicious Host

You: Show me all activity on host DESKTOP-ABC123 in the last 24 hours

CrowdSentinel: Generating a forensic timeline for that host...
[Calls get_host_activity_timeline]

Timeline shows:
- 09:15: User "jsmith" logged in (Event 4624)
- 09:17: PowerShell executed encoded command
- 09:18: New scheduled task created "WindowsUpdate"
- 09:22: Outbound connection to 203.0.113.42:443
- 09:25: LSASS memory access detected

Example 3: Kill Chain Analysis

You: We found C2 beaconing. What should we hunt for next?

CrowdSentinel: Hunting adjacent kill chain stages...
[Calls hunt_adjacent_stages with current_stage="COMMAND_AND_CONTROL"]

Looking backwards (Installation stage):
- Found scheduled task persistence on 3 hosts
- Registry Run key modifications detected

Looking forwards (Actions on Objectives):
- Lateral movement to 2 additional hosts via SMB
- Credential dumping attempts detected

Example 4: Network Traffic Analysis

You: Analyse this PCAP for C2 beaconing

CrowdSentinel: Checking for regular connection intervals...
[Calls detect_beaconing on the PCAP file]

Detected beaconing pattern:
- Host: 192.168.1.50 → 203.0.113.100:443
- Interval: 60 seconds (±2s jitter)
- Duration: 4 hours
- Confidence: HIGH

Recommend blocking 203.0.113.100 and investigating 192.168.1.50.

Example 5: CLI Threat Hunt

# Hunt for encoded PowerShell
crowdsentinel hunt "powershell -enc" -i winlogbeat-* --timeframe 1440 -o json

# Pipe results to analysis
crowdsentinel hunt "event.code:4625" -i winlogbeat-* -o json | \
  crowdsentinel analyse -c "Failed authentication investigation"

# Search detection rules for lateral movement
crowdsentinel rules --tactic lateral_movement -p windows

Compatibility

Package	Backend	Install
`crowdsentinel-mcp-server`	Elasticsearch 8.x (default)	`pip install crowdsentinel-mcp-server`
`crowdsentinel-mcp-server-es7`	Elasticsearch 7.x	`pip install crowdsentinel-mcp-server-es7`
`crowdsentinel-mcp-server-es9`	Elasticsearch 9.x	`pip install crowdsentinel-mcp-server-es9`
`opensearch-mcp-server`	OpenSearch 1.x, 2.x, 3.x	`pip install opensearch-mcp-server`

For Developers

Project Structure

crowdsentinel-mcp-server/
├── src/
│   ├── server.py                 # MCP server entry point
│   ├── version.py                # Version constant
│   ├── risk_config.py            # Write operation controls
│   │
│   ├── cli/                      # Standalone CLI
│   │   └── main.py               # CLI entry point (argparse)
│   │
│   ├── clients/                  # Backend logic layer
│   │   ├── base.py               # Base client, authentication
│   │   ├── exceptions.py         # Exception handling decorators
│   │   └── common/
│   │       ├── client.py         # Unified SearchClient (multiple inheritance)
│   │       ├── threat_hunting.py # Threat hunting queries
│   │       ├── ioc_analysis.py   # IoC extraction & analysis
│   │       ├── cyber_kill_chain.py # Kill chain logic
│   │       ├── rule_loader.py    # Detection rule loading
│   │       └── chainsaw_client.py # EVTX/Sigma integration
│   │
│   ├── tools/                    # MCP tool interfaces (thin wrappers)
│   │   ├── register.py           # Dynamic tool registration
│   │   ├── threat_hunting.py     # Hunting tool definitions
│   │   ├── rule_management.py    # Rule management tools
│   │   ├── chainsaw_hunting.py   # Chainsaw tools
│   │   ├── wireshark_tools.py    # Network analysis tools
│   │   └── investigation_state_tools.py # State management tools
│   │
│   ├── storage/                  # Persistent investigation state
│   │   ├── investigation_state.py # Core state management
│   │   ├── storage_manager.py    # File system storage (8GB FIFO)
│   │   └── models.py             # Pydantic models (IoC, Investigation)
│   │
│   └── wireshark/                # Network traffic analysis
│       ├── core/                 # TShark execution, PCAP parsing
│       ├── hunting/              # Beaconing, lateral movement, IoC hunting
│       ├── baseline/             # Traffic baseline creation
│       ├── extraction/           # File carving from traffic
│       └── reporting/            # NCSC-style reports, timelines
│
├── rules/                        # 6,060 detection rules (EQL + Lucene)
├── chainsaw/                     # Chainsaw binary + 3,000+ Sigma rules
├── skills/                       # Claude Code agent skills
└── tests/                        # Test suites

Design Patterns

Pattern	Usage
Multiple Inheritance	`SearchClient` composes all specialised clients
Decorator	Exception handling via `@handle_exceptions`
Factory	`create_search_client()` creates appropriate client
Plugin Architecture	Tools registered dynamically via `ToolsRegister`
Auto-Capture	Tool results automatically analysed for IoCs

Adding a New Tool

Create client method in src/clients/common/your_module.py:

class YourClient(SearchClientBase):
    def your_method(self, param: str) -> dict:
        # Implementation
        return results

Add to SearchClient in src/clients/common/client.py:

class SearchClient(YourClient, OtherClients, ...):
    pass

Create tool wrapper in src/tools/your_tools.py:

class YourTools:
    def __init__(self, client, mcp):
        self.client = client
        self.mcp = mcp

    def register_tools(self):
        @self.mcp.tool()
        def your_tool(param: str) -> str:
            """Tool description for LLM."""
            result = self.client.your_method(param)
            return json.dumps(result)

Register in server in src/server.py:

from src.tools.your_tools import YourTools

def _register_tools(self):
    # ... existing tools ...
    YourTools(self.client, self.mcp).register_tools()

Running Tests

# All tests
uv run pytest

# Specific module
uv run pytest tests/test_investigation_state.py

# With coverage
uv run pytest --cov=src

Local Testing Environment

# Start Elasticsearch
docker-compose -f docker-compose-elasticsearch.yml up -d

# Start OpenSearch
docker-compose -f docker-compose-opensearch.yml up -d

Default credentials (testing only):

Elasticsearch: elastic / test123
OpenSearch: admin / admin

Roadmap

Feature	Status	Description
Velociraptor Integration	Planned	EDR/DFIR artifact collection and live response via Velociraptor API
Zeek Integration	Planned	Network security monitoring — parse Zeek logs (conn, dns, http, ssl, x509) for threat hunting
Splunk Integration	Planned	Add Splunk as a data source alongside Elasticsearch
Sigma Rule Converter	Planned	Convert Sigma rules to native ES/Splunk queries
Threat Intel Enrichment	Done	IoC enrichment via Shodan InternetDB, VirusTotal, AbuseIPDB, ThreatFox + STIX 2.1 export
Case Management	Planned	Export investigations to TheHive, JIRA
Custom Rule Builder	Planned	Create detection rules via natural language

See CHANGELOG.md for detailed version history.

Velociraptor Integration (Live Endpoint Forensics)

CrowdSentinel integrates with Velociraptor for live endpoint forensic artefact collection. When configured, 20 additional MCP tools and 3 cross-correlation tools become available.

Setup

# Install optional dependencies
pip install crowdsentinel-mcp-server[velociraptor]

# Set the Velociraptor API config path
export VELOCIRAPTOR_API_CONFIG="/path/to/api_client.yaml"

The API client config is generated from the Velociraptor server:

velociraptor config api_client --name crowdsentinel --role administrator,api \
  --config server.config.yaml /path/to/api_client.yaml

Available Tools

Category	Tools	Use Case
Discovery	`velociraptor_client_info`, `velociraptor_list_artifacts`	Resolve hostnames, discover available artefacts
Live State	`velociraptor_pslist`, `velociraptor_netstat`, `velociraptor_users`	Running processes, active network connections, user accounts
Execution Evidence	`velociraptor_prefetch`, `velociraptor_amcache`, `velociraptor_shimcache`, `velociraptor_userassist`, `velociraptor_bam`	Forensic proof of programme execution
Persistence	`velociraptor_services`, `velociraptor_scheduled_tasks`	Service and scheduled task persistence mechanisms
User Activity	`velociraptor_shellbags`, `velociraptor_recentdocs`, `velociraptor_evidence_of_download`	User browsing, document access, file downloads
Filesystem	`velociraptor_ntfs_mft`	MFT search for files by name, path, or timestamp
Cross-Correlation	`correlate_siem_with_endpoint`, `endpoint_to_siem_pivot`, `build_unified_timeline`	Validate SIEM findings on endpoints, pivot from endpoint IoCs to fleet-wide SIEM searches

Cross-Source IoC Sharing

IoCs extracted from Velociraptor artefacts are automatically captured into the active investigation alongside SIEM, Chainsaw, and Wireshark findings. Use get_shared_iocs to retrieve the combined indicator set for cross-source correlation.

SIEM (Elasticsearch)          Endpoint (Velociraptor)
       │                              │
  hunt_by_timeframe()         velociraptor_pslist()
       │                              │
  auto_capture ──────► Investigation State ◄────── auto_capture
                              │
                     get_shared_iocs()

DFIR Knowledge Resources

9 MCP resources provide structured investigation reference data directly to connected AI agents:

Resource	Content
`crowdsentinel://investigation-workflow`	Mandatory 4-phase IR workflow
`crowdsentinel://ioc-reference`	IoC types ranked by Pyramid of Pain
`crowdsentinel://cross-correlation-playbooks`	5 investigation playbooks (suspicious process, brute force, lateral movement, persistence, exfiltration)
`crowdsentinel://velociraptor-guide`	Artefact reference tables and "found X in SIEM → check Y on endpoint" decision tree
`crowdsentinel://data-sources`	All data source capabilities and investigation decision matrix

Documentation

User Guides

Document	Description
FIRST_TIME_SETUP.md	Detailed first-time setup instructions
HOW_TO_USE.md	Comprehensive usage guide
QUICK_START.md	5-minute quick start
TRANSPORT_MODES.md	stdio, SSE, HTTP configuration

Feature Guides

Document	Description
THREAT_HUNTING_GUIDE.md	Threat hunting workflows
DETECTION_RULES_GUIDE.md	Using 6,060 detection rules
CYBER_KILL_CHAIN_GUIDE.md	Kill chain analysis
CHAINSAW_GUIDE.md	EVTX log analysis with Sigma
INVESTIGATION_PROMPTS_GUIDE.md	Fast triage spine
AI_AGENT_INTEGRATION.md	Workflow guidance for AI agents

Developer Guides

Document	Description
ARCHITECTURE.md	Detailed architecture documentation
CONTRIBUTING.md	Contribution guidelines

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

Licence

GNU General Public Licence v3.0 — See LICENSE for details.

Acknowledgements

MCP Framework: Model Context Protocol by Anthropic
Chainsaw: EVTX log analyser by WithSecure Labs
Detection Rules: Community-contributed Sigma and custom rules
Frameworks: Cyber Kill Chain (Lockheed Martin), Pyramid of Pain (David J. Bianco), Diamond Model, MITRE ATT&CK

Made for the security community by medjedtxm

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Configuration

ELASTICSEARCH_HOSTSdefault: https://localhost:9200

Comma-separated Elasticsearch hosts. Supports HTTP/HTTPS, local/remote/cloud (e.g., http://localhost:9200, https://es.prod.example.com:9200)

ELASTICSEARCH_CLOUD_ID

Elastic Cloud deployment ID (alternative to ELASTICSEARCH_HOSTS for cloud deployments)

ELASTICSEARCH_API_KEYsecret

API key for authentication (recommended for production and Elastic Cloud)

ELASTICSEARCH_USERNAME

Username for basic authentication (alternative to API key)

ELASTICSEARCH_PASSWORDsecret

Password for basic authentication (used with ELASTICSEARCH_USERNAME)

ELASTICSEARCH_BEARER_TOKENsecret

Bearer/service token for authentication (alternative to API key)

VERIFY_CERTSdefault: false

TLS certificate verification: true (verify CA — production), false (skip — dev/test), or /path/to/ca.crt (custom CA)

REQUEST_TIMEOUT

Request timeout in seconds (e.g., 60 or 10.5)

CrowdSentinel MCP Server

AI-Powered Threat Hunting & Incident Response Framework

MCP Official Registry · PyPI Package

Open-source threat hunting orchestrator connecting LLMs to enterprise security data via Model Context Protocol (MCP)

Quick Start · Installation · CLI Usage · Features · Architecture · Documentation · Examples

Warning This project is in active development and intended for security testing, research, and educational purposes only. It is not production-ready. Do not deploy in production environments. APIs, tool interfaces, and data formats may change without notice. Use at your own risk.

Demo

https://github.com/user-attachments/assets/0d0381f0-5b68-43b2-8630-19ec130885b2

What is CrowdSentinel?

Natural Language Threat Hunting — Query Elasticsearch using plain English
AI-Guided Investigation Workflows — Built-in prompts guide agents through proper IR methodology
Persistent Investigation State — Memory-managed IoC tracking, forensic timelines, and cross-query correlation that survives across sessions (8GB FIFO storage)
Cross-Tool IoC Correlation — IoCs discovered in one tool are automatically available to all others
Multi-Source Analysis — Elasticsearch, EVTX logs (Chainsaw), PCAP files (Wireshark), live endpoint forensics (Velociraptor)
Velociraptor Endpoint Forensics — 20 MCP tools for live artefact collection (processes, network, persistence, execution evidence, NTFS MFT) with automatic IoC extraction
DFIR Knowledge Resources — 9 MCP resources exposing investigation playbooks, Pyramid of Pain reference, and cross-correlation guidance directly to connected AI agents
Standalone CLI — Full threat hunting from the terminal without an MCP client

Installation

Install from PyPI (recommended)

# Install with pip
pip install crowdsentinel-mcp-server

# Or install with uv
uv pip install crowdsentinel-mcp-server

# Download detection rules, Chainsaw, and Sigma rules (one-time)
crowdsentinel setup

Detection rules (6,060 Lucene + EQL + ES|QL) are bundled with the package — no download needed. The setup command downloads additional tools:

Chainsaw binary for EVTX analysis
3,000+ Sigma rules for Chainsaw

Downloaded tools are stored in ~/.crowdsentinel/ and persist across package upgrades.

System dependency for PCAP analysis:

# Required for network traffic analysis and cross-tool IoC correlation
sudo apt install tshark    # Debian/Ubuntu/Kali
sudo dnf install wireshark-cli  # Fedora/RHEL
brew install wireshark     # macOS

Run directly with uvx (no install needed)

# Elasticsearch 8.x (default)
uvx crowdsentinel-mcp-server

# Other backends
uvx crowdsentinel-mcp-server-es7   # Elasticsearch 7.x
uvx crowdsentinel-mcp-server-es9   # Elasticsearch 9.x
uvx opensearch-mcp-server          # OpenSearch 1.x/2.x/3.x

Install from source

git clone https://github.com/thomasxm/CrowdSentinels-AI-MCP.git
cd CrowdSentinels-AI-MCP
chmod +x setup.sh && ./setup.sh

The setup script will:

Install dependencies (pipx, uv, Claude Code CLI if needed)
Bundle 6,060 detection rules and download Chainsaw binary
Prompt for Elasticsearch credentials (never hardcoded)
Configure the MCP server with Claude Code
Validate your connection

Installed Size

CrowdSentinel bundles 6,060 detection rules and integrates with external analysis tools. Below is the full disk space breakdown so you can plan accordingly.

Core package (via pip or uvx):

Component	Size	Notes
CrowdSentinel package	49 MB	The server itself
— Bundled Sigma rules (`src/rules/`)	30 MB	6,060 pre-converted detection rules
— Elastic TOML rules (`src/detection-rules/`)	17 MB	Original TOML format rules + hunting queries
— Python code (clients, tools, etc.)	2 MB	Actual application code
Dependencies	64 MB	All transitive deps
— `cryptography`	14 MB	Largest dependency (TLS)
— `elasticsearch`	8.3 MB	ES Python client
— `pygments`	5.2 MB	Syntax highlighting
— `pydantic_core`	5 MB	Validation engine
— `opensearchpy`	3.6 MB	OpenSearch client
— Others (27 packages)	~28 MB	mcp, fastmcp, httpx, anthropic, etc.
Core total	113 MB	`pip install crowdsentinel-mcp-server`

Additional tools (via crowdsentinel setup):

Component	Download	Installed	Notes
Chainsaw binary (v2.13.1)	~3 MB	~15 MB	EVTX log analysis engine
Sigma rules (SigmaHQ)	~3 MB	~30 MB	3,000+ Sigma rules for Chainsaw
Chainsaw mappings	—	<1 MB	Event log source mappings
Setup total	~6 MB	~46 MB	Stored in `~/.crowdsentinel/`

System dependency (via package manager):

Component	Installed	Install Command	Notes
tshark + Wireshark libs	~132 MB	`sudo apt install tshark`	PCAP network analysis — required for cross-tool IoC correlation

Full installation summary:

Scenario	Total Disk Space
Core only (`pip install`)	~113 MB
Core + setup (`crowdsentinel setup`)	~159 MB
Full platform (+ tshark)	~291 MB

Note: PyPI download size is only 8.9 MB (wheel) thanks to compression of the bundled detection rules.

Quick Start

1. Set environment variables

export ELASTICSEARCH_HOSTS="https://localhost:9200"
export ELASTICSEARCH_API_KEY="your_api_key"
# Or use username/password:
# export ELASTICSEARCH_USERNAME="elastic"
# export ELASTICSEARCH_PASSWORD="your_password"
export VERIFY_CERTS="false"

2. Connect to an MCP Client

CrowdSentinel works with any MCP-compatible AI agent. Choose your client below:

Claude Code (CLI)

claude mcp add crowdsentinel \
  -e ELASTICSEARCH_HOSTS="https://localhost:9200" \
  -e ELASTICSEARCH_API_KEY="your_api_key" \
  -e VERIFY_CERTS="false" \
  -- uvx crowdsentinel-mcp-server

Claude Desktop

Edit ~/.config/Claude/claude_desktop_config.json (Linux) or ~/Library/Application Support/Claude/claude_desktop_config.json (macOS):

{
  "mcpServers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

VS Code Copilot

Create .vscode/mcp.json in your workspace:

{
  "servers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

Then enable MCP in VS Code settings: "chat.mcp.enabled": true

Cursor

Create or edit ~/.cursor/mcp.json:

{
  "mcpServers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

Roo Code (VS Code Extension)

Create .roo/mcp.json in your workspace:

{
  "mcpServers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

Or configure via Roo Code settings panel: Settings > MCP Servers > Add Server.

5ire

In 5ire settings (v0.15.0+), add an MCP server with:

Command: uvx
Arguments: crowdsentinel-mcp-server
Environment Variables:
- ELASTICSEARCH_HOSTS = https://localhost:9200
- ELASTICSEARCH_API_KEY = your_api_key
- VERIFY_CERTS = false

Note: 5ire v0.14.0 has known MCP compatibility issues. Use v0.15.0+ for reliable operation.

Any MCP Client (Generic)

stdio transport (default — works with most clients):

{
  "mcpServers": {
    "crowdsentinel": {
      "command": "uvx",
      "args": ["crowdsentinel-mcp-server"],
      "env": {
        "ELASTICSEARCH_HOSTS": "https://localhost:9200",
        "ELASTICSEARCH_API_KEY": "your_api_key",
        "VERIFY_CERTS": "false"
      }
    }
  }
}

SSE transport (for web-based clients):

crowdsentinel-mcp-server --transport sse --port 8001
# Connect to: http://localhost:8001/sse/

HTTP transport (for REST API clients):

crowdsentinel-mcp-server --transport streamable-http --port 8001
# Connect to: http://localhost:8001/mcp/

3. Or use the CLI directly

# Download rules and tools (one-time)
crowdsentinel setup

# Check cluster health
crowdsentinel health

# Hunt for threats
crowdsentinel hunt "powershell encoded" -i winlogbeat-*

# Run detection rules
crowdsentinel rules -p windows --tactic credential_access
crowdsentinel detect windows_builtin_win_alert_mimikatz_keywords_lucene -i winlogbeat-*

# Analyse PCAP files
crowdsentinel pcap overview capture.pcap
crowdsentinel pcap beaconing capture.pcap

# Hunt EVTX logs with Chainsaw
crowdsentinel chainsaw hunt /path/to/evtx/ --sigma-rules /path/to/sigma/

CLI Usage

CrowdSentinel provides a full CLI for threat hunting from the terminal:

pip install crowdsentinel-mcp-server
crowdsentinel setup    # Download rules, Chainsaw, Sigma (one-time)
crowdsentinel --help

Available Commands

Command	Description	Example
`setup`	Download detection rules, Chainsaw, and Sigma rules	`crowdsentinel setup`
`health`	Show cluster health	`crowdsentinel health`
`indices`	List all indices	`crowdsentinel indices`
`hunt`	IR-focused threat hunt with IoC extraction	`crowdsentinel hunt "powershell" -i winlogbeat-*`
`eql`	Execute an EQL query	`crowdsentinel eql "process where process.name == 'cmd.exe'" -i winlogbeat-*`
`esql`	Execute an ES\|QL query	`crowdsentinel esql "FROM logs-* \| LIMIT 10"`
`detect`	Execute a detection rule by ID	`crowdsentinel detect win_susp_logon -i winlogbeat-*`
`rules`	List available detection rules	`crowdsentinel rules -p windows --tactic credential_access --type eql`
`schema`	Detect schema for an index pattern	`crowdsentinel schema -i winlogbeat-*`
`ioc`	Hunt for a specific Indicator of Compromise	`crowdsentinel ioc 203.0.113.42 --type ip -i winlogbeat-*`
`analyse`	Analyse search results from stdin (JSON)	`cat results.json \| crowdsentinel analyse -c "context"`
`analyse --mcp`	AI agent analysis using all 97 MCP tools	`crowdsentinel hunt "query" \| crowdsentinel analyse --mcp -c "context"`
`auth`	Manage LLM authentication for agent mode	`crowdsentinel auth login`
`pcap`	Analyse PCAP files (overview, beaconing, lateral movement)	`crowdsentinel pcap beaconing capture.pcap`
`chainsaw`	Hunt EVTX logs with Chainsaw and Sigma rules	`crowdsentinel chainsaw hunt /path/to/evtx/`

Output Formats

All commands support --output/-o with three formats:

crowdsentinel hunt "failed login" -i winlogbeat-* -o json     # Structured JSON (default)
crowdsentinel hunt "failed login" -i winlogbeat-* -o table    # Human-readable table
crowdsentinel hunt "failed login" -i winlogbeat-* -o summary  # Condensed summary

Agent Mode (`--mcp`)

Authentication:

# Option 1: Browser sign-in (ChatGPT subscription — no API billing)
crowdsentinel auth login

# Option 2: Anthropic (setup-token or API key)
crowdsentinel auth login --provider anthropic

# Option 3: Environment variable
export ANTHROPIC_API_KEY="sk-ant-..."   # or OPENAI_API_KEY

# Option 4: Local models (Ollama, vLLM — free)
crowdsentinel analyse --mcp --model-url http://localhost:11434/v1 --model llama3.1

# Check auth status
crowdsentinel auth status

Agent flags:

Flag	Default	Description
`--mcp`	off	Enable AI agent with MCP tools
`--mcp-server NAME:CMD`	none	Add external MCP server (e.g., VirusTotal)
`--model`	auto-detect	LLM model to use
`--model-url`	none	OpenAI-compatible API endpoint
`--max-steps`	30	Maximum tool calls
`--timeout`	300	Maximum seconds

Pipeline Examples

Deterministic analysis (no API key needed):

# Hunt then analyse
crowdsentinel hunt "powershell encoded" -i winlogbeat-* -o json | \
  crowdsentinel analyse -c "Encoded PowerShell commands" -o summary

# Investigate failed authentication attempts
crowdsentinel hunt "event.code:4625" -i winlogbeat-* -o json | \
  crowdsentinel analyse -c "Failed login brute force investigation" -o summary

# Triage process execution and privilege escalation
crowdsentinel hunt "event.code:4688 OR event.code:4672 OR event.code:1" -i winlogbeat-* -o json | \
  crowdsentinel analyse -c "Process execution and privilege escalation" -o summary

AI agent investigation (requires auth):

# Credential dumping investigation — agent hunts, analyses kill chain, checks adjacent stages
crowdsentinel hunt "mimikatz OR lsass OR procdump" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp -c "Credential dumping tools investigation" --max-steps 15 -o summary

# Encoded PowerShell — full IR workflow with kill chain and adjacent stage hunting
crowdsentinel hunt "powershell -enc OR FromBase64String" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp -c "Full IR workflow: encoded PowerShell" --max-steps 30 -o table

# Process execution with detection rules
crowdsentinel hunt "event.code:4688" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp -c "Execute detection rules against process creation" --max-steps 20 -o summary

# PCAP beaconing — agent generates IoCs and maps to kill chain
crowdsentinel pcap beaconing capture.pcap -o json | \
  crowdsentinel analyse --mcp -c "Investigate beaconing for C2 infrastructure" --max-steps 10 -o summary

# Anti-forensics investigation
crowdsentinel hunt "event.code:1102" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp -c "Security log cleared - anti-forensics" --max-steps 10 -o summary

# With external MCP server (e.g., VirusTotal)
crowdsentinel hunt "powershell" -i winlogbeat-* -o json | \
  crowdsentinel analyse --mcp --mcp-server "vt:uvx virustotal-mcp-server" \
  -c "Check IoCs against VirusTotal" -o summary

Key Features

125+ MCP Tools

Threat hunting, detection rules, forensics, endpoint collection, network analysis, cross-correlation, and IoC enrichment — all accessible via natural language

6,060 Detection Rules

Pre-built Lucene, EQL & ES|QL rules with automatic MITRE ATT&CK mapping

Investigation State

Persistent IoC tracking across tools and sessions with cross-source correlation and FIFO storage

4 Security Frameworks

Cyber Kill Chain (7 stages)
Pyramid of Pain (6 levels)
Diamond Model (4 vertices)
MITRE ATT&CK (automatic mapping)

4 Data Sources + Threat Intel

Elasticsearch / OpenSearch (SIEM)
Velociraptor (live endpoint forensics)
EVTX logs (Chainsaw + Sigma)
PCAP files (Wireshark/TShark)
IoC enrichment (Shodan, VirusTotal, AbuseIPDB, ThreatFox)

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                 LLM Client / Claude Code CLI                    │
└─────────────────────────────┬───────────────────────────────────┘
                              │ MCP Protocol (stdio/SSE/HTTP)
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                    CrowdSentinel MCP Server                      │
│  ┌───────────────┐ ┌───────────────┐ ┌───────────────────────┐  │
│  │  125+ Tools   │ │ 6,060 Rules   │ │ Security Frameworks   │  │
│  │ - Hunting     │ │ - Lucene      │ │ - Cyber Kill Chain    │  │
│  │ - Detection   │ │ - EQL         │ │ - Pyramid of Pain     │  │
│  │ - Forensics   │ │ - Sigma       │ │ - Diamond Model       │  │
│  │ - Endpoint    │ │               │ │ - MITRE ATT&CK        │  │
│  │ - Network     │ │               │ │                       │  │
│  │ - Enrichment  │ │               │ │ 9 MCP Resources       │  │
│  │ - Correlation │ │               │ │ (DFIR knowledge base) │  │
│  └───────────────┘ └───────────────┘ └───────────────────────┘  │
│  ┌─────────────────────────────────────────────────────────────┐│
│  │              Investigation State (Persistent)                ││
│  │    Cross-source IoC sharing, auto-capture, STIX 2.1 export  ││
│  └─────────────────────────────────────────────────────────────┘│
└──────────┬──────────────┬───────────────────┬───────────────────┘
           │              │                   │
  ┌────────┼──────────────┼───────────────┐   │
  ▼        ▼              ▼               ▼   ▼
┌──────────────┐ ┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│Elasticsearch │ │ Velociraptor  │ │   Chainsaw    │ │   Wireshark   │
│ /OpenSearch  │ │  (EDR/DFIR)   │ │  (EVTX/Sigma) │ │    (PCAP)     │
│   (SIEM)     │ │  (Endpoint)   │ │  (Offline)    │ │  (Network)    │
└──────────────┘ └───────────────┘ └───────────────┘ └───────────────┘
                          │
  ┌───────────────────────┼───────────────────────┐
  ▼                       ▼                       ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Shodan        │ │  VirusTotal   │ │  AbuseIPDB    │
│ InternetDB    │ │     (v3)      │ │  + ThreatFox  │
│  (free/no key)│ │  (free tier)  │ │  (free tier)  │
└───────────────┘ └───────────────┘ └───────────────┘
                          │
                          ▼ (Roadmap)
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│    Splunk     │ │  Carbon Black │ │     Zeek      │
│               │ │  (EDR)        │ │   (NSM/IDS)   │
└───────────────┘ └───────────────┘ └───────────────┘

What's Included

Tool Categories (84 Tools)

Category	Tools	Description
Elasticsearch Core	18	Index, document, cluster, alias, data stream operations
Threat Hunting	12	Attack pattern detection, IoC hunting, timeline analysis
Detection Rules	9	6,060 rule library — list, execute, validate, suggest
Kill Chain Analysis	5	Stage hunting, progression tracking, adjacent stage prediction
Investigation Prompts	5	Fast triage spine — 10 critical IR questions
Chainsaw (EVTX)	6	Sigma rule hunting, iterative IoC discovery
Wireshark (PCAP)	11	Network forensics, beaconing, lateral movement detection
Threat Intelligence	5	IoC enrichment (Shodan, VirusTotal, AbuseIPDB, ThreatFox) + MISP export/search
Investigation State	13	Persistent IoCs, cross-tool sharing, STIX 2.1 export, reporting

Security Frameworks

Framework	Purpose
Cyber Kill Chain	Hunt by attack stage (7 stages), predict adversary's next move
Pyramid of Pain	Prioritise IoCs by difficulty for attackers to change (6 levels)
Diamond Model	Map adversary, capability, infrastructure, victim relationships
MITRE ATT&CK	Automatic technique mapping for all detections

Detection Rules (6,060 Rules)

Type	Count	Source	Description
Lucene	1,966	Sigma-converted	Fast pattern matching queries
EQL	3,963	Sigma-converted + Elastic	Event sequences and correlations
ES\|QL	131	Elastic TOML rules	Pipe-based query language (ES 8.11+)

Platforms: Windows, Linux, macOS, Cloud (AWS/Azure/GCP), Network, Identity

Log Sources: PowerShell, Sysmon, Security Events, Process Creation, Audit logs

Configuration

Environment Variables

# Connection (required — choose one)
ELASTICSEARCH_HOSTS="https://localhost:9200"       # Self-hosted
# OR
ELASTICSEARCH_CLOUD_ID="deployment:base64..."      # Elastic Cloud

# Authentication — choose one (in priority order):
ELASTICSEARCH_BEARER_TOKEN="service_token_here"    # Service/bearer token
ELASTICSEARCH_API_KEY="your_api_key"               # API key (recommended)
ELASTICSEARCH_USERNAME="elastic"                   # Basic auth
ELASTICSEARCH_PASSWORD="your_password"

# TLS / Certificate verification
VERIFY_CERTS="true"                                # Verify against system CA bundle
# VERIFY_CERTS="/path/to/ca.crt"                   # Verify against custom CA certificate
# ELASTICSEARCH_CA_CERT="/path/to/ca.crt"          # Explicit CA certificate path
# ELASTICSEARCH_CLIENT_CERT="/path/to/client.crt"  # Client certificate (mTLS)
# ELASTICSEARCH_CLIENT_KEY="/path/to/client.key"   # Client private key (mTLS)

# Options
REQUEST_TIMEOUT="30"                               # Request timeout in seconds
DISABLE_HIGH_RISK_OPERATIONS="true"                # Block all write operations

# Threat Intelligence (optional — Shodan InternetDB works without any key)
VIRUSTOTAL_API_KEY="your_vt_key"                   # Free: 500 lookups/day
ABUSEIPDB_API_KEY="your_abuse_key"                 # Free: 1,000 lookups/day
THREATFOX_API_KEY="your_tf_key"                    # Free: unlimited

# MISP Integration (optional — offline JSON export works without a server)
MISP_URL="https://misp.example.org"                # MISP instance URL
MISP_API_KEY="your_misp_key"                       # MISP API key (40-char hex)
# MISP_SSL_VERIFY="true"                           # Set "false" for self-signed (dev only)

Security Warning: Never use VERIFY_CERTS="false" or plain-text passwords in production. Use API keys or service tokens with TLS certificate verification enabled. For self-signed certificates, set ELASTICSEARCH_CA_CERT to your CA certificate path.

Production Configuration Examples

Elastic Cloud

ELASTICSEARCH_CLOUD_ID="my-deployment:dXMtY2VudHJhbC0x..."
ELASTICSEARCH_API_KEY="your_cloud_api_key"
VERIFY_CERTS="true"

Self-Hosted with Custom CA

ELASTICSEARCH_HOSTS="https://es-cluster.internal:9200"
ELASTICSEARCH_API_KEY="your_api_key"
ELASTICSEARCH_CA_CERT="/etc/elasticsearch/certs/ca.crt"
VERIFY_CERTS="true"

Mutual TLS (mTLS)

ELASTICSEARCH_HOSTS="https://es-cluster.internal:9200"
ELASTICSEARCH_CA_CERT="/etc/elasticsearch/certs/ca.crt"
ELASTICSEARCH_CLIENT_CERT="/etc/elasticsearch/certs/client.crt"
ELASTICSEARCH_CLIENT_KEY="/etc/elasticsearch/certs/client.key"
VERIFY_CERTS="true"

Development / Testing (insecure)

ELASTICSEARCH_HOSTS="http://localhost:9200"
ELASTICSEARCH_USERNAME="elastic"
ELASTICSEARCH_PASSWORD="test123"
VERIFY_CERTS="false"

This configuration is not suitable for production. Use API keys with TLS in production environments.

Transport Modes

Mode	Use Case	Command
stdio (default)	MCP clients (Claude Code, etc.)	Auto-configured by setup.sh
SSE	Web/streaming clients	`--transport sse --port 8000`
HTTP	REST API access	`--transport streamable-http`

Disabling Write Operations

For read-only access (recommended for production):

DISABLE_HIGH_RISK_OPERATIONS="true"

Usage Examples

Example 1: Hunt for Brute Force Attacks

You: Hunt for brute force attacks in the last hour

CrowdSentinel: Searching for failed authentication attempts...
[Calls hunt_by_timeframe with attack_types=["brute_force"]]

Found 47 failed login attempts from 3 source IPs targeting the "admin" account.
Top sources:
- 192.168.1.105: 28 attempts
- 10.0.0.42: 15 attempts
- 172.16.0.8: 4 attempts

Example 2: Investigate a Suspicious Host

You: Show me all activity on host DESKTOP-ABC123 in the last 24 hours

CrowdSentinel: Generating a forensic timeline for that host...
[Calls get_host_activity_timeline]

Timeline shows:
- 09:15: User "jsmith" logged in (Event 4624)
- 09:17: PowerShell executed encoded command
- 09:18: New scheduled task created "WindowsUpdate"
- 09:22: Outbound connection to 203.0.113.42:443
- 09:25: LSASS memory access detected

Example 3: Kill Chain Analysis

You: We found C2 beaconing. What should we hunt for next?

CrowdSentinel: Hunting adjacent kill chain stages...
[Calls hunt_adjacent_stages with current_stage="COMMAND_AND_CONTROL"]

Looking backwards (Installation stage):
- Found scheduled task persistence on 3 hosts
- Registry Run key modifications detected

Looking forwards (Actions on Objectives):
- Lateral movement to 2 additional hosts via SMB
- Credential dumping attempts detected

Example 4: Network Traffic Analysis

You: Analyse this PCAP for C2 beaconing

CrowdSentinel: Checking for regular connection intervals...
[Calls detect_beaconing on the PCAP file]

Detected beaconing pattern:
- Host: 192.168.1.50 → 203.0.113.100:443
- Interval: 60 seconds (±2s jitter)
- Duration: 4 hours
- Confidence: HIGH

Recommend blocking 203.0.113.100 and investigating 192.168.1.50.

Example 5: CLI Threat Hunt

# Hunt for encoded PowerShell
crowdsentinel hunt "powershell -enc" -i winlogbeat-* --timeframe 1440 -o json

# Pipe results to analysis
crowdsentinel hunt "event.code:4625" -i winlogbeat-* -o json | \
  crowdsentinel analyse -c "Failed authentication investigation"

# Search detection rules for lateral movement
crowdsentinel rules --tactic lateral_movement -p windows

Compatibility

Package	Backend	Install
`crowdsentinel-mcp-server`	Elasticsearch 8.x (default)	`pip install crowdsentinel-mcp-server`
`crowdsentinel-mcp-server-es7`	Elasticsearch 7.x	`pip install crowdsentinel-mcp-server-es7`
`crowdsentinel-mcp-server-es9`	Elasticsearch 9.x	`pip install crowdsentinel-mcp-server-es9`
`opensearch-mcp-server`	OpenSearch 1.x, 2.x, 3.x	`pip install opensearch-mcp-server`

For Developers

Project Structure

crowdsentinel-mcp-server/
├── src/
│   ├── server.py                 # MCP server entry point
│   ├── version.py                # Version constant
│   ├── risk_config.py            # Write operation controls
│   │
│   ├── cli/                      # Standalone CLI
│   │   └── main.py               # CLI entry point (argparse)
│   │
│   ├── clients/                  # Backend logic layer
│   │   ├── base.py               # Base client, authentication
│   │   ├── exceptions.py         # Exception handling decorators
│   │   └── common/
│   │       ├── client.py         # Unified SearchClient (multiple inheritance)
│   │       ├── threat_hunting.py # Threat hunting queries
│   │       ├── ioc_analysis.py   # IoC extraction & analysis
│   │       ├── cyber_kill_chain.py # Kill chain logic
│   │       ├── rule_loader.py    # Detection rule loading
│   │       └── chainsaw_client.py # EVTX/Sigma integration
│   │
│   ├── tools/                    # MCP tool interfaces (thin wrappers)
│   │   ├── register.py           # Dynamic tool registration
│   │   ├── threat_hunting.py     # Hunting tool definitions
│   │   ├── rule_management.py    # Rule management tools
│   │   ├── chainsaw_hunting.py   # Chainsaw tools
│   │   ├── wireshark_tools.py    # Network analysis tools
│   │   └── investigation_state_tools.py # State management tools
│   │
│   ├── storage/                  # Persistent investigation state
│   │   ├── investigation_state.py # Core state management
│   │   ├── storage_manager.py    # File system storage (8GB FIFO)
│   │   └── models.py             # Pydantic models (IoC, Investigation)
│   │
│   └── wireshark/                # Network traffic analysis
│       ├── core/                 # TShark execution, PCAP parsing
│       ├── hunting/              # Beaconing, lateral movement, IoC hunting
│       ├── baseline/             # Traffic baseline creation
│       ├── extraction/           # File carving from traffic
│       └── reporting/            # NCSC-style reports, timelines
│
├── rules/                        # 6,060 detection rules (EQL + Lucene)
├── chainsaw/                     # Chainsaw binary + 3,000+ Sigma rules
├── skills/                       # Claude Code agent skills
└── tests/                        # Test suites

Design Patterns

Pattern	Usage
Multiple Inheritance	`SearchClient` composes all specialised clients
Decorator	Exception handling via `@handle_exceptions`
Factory	`create_search_client()` creates appropriate client
Plugin Architecture	Tools registered dynamically via `ToolsRegister`
Auto-Capture	Tool results automatically analysed for IoCs

Adding a New Tool

Create client method in src/clients/common/your_module.py:

class YourClient(SearchClientBase):
    def your_method(self, param: str) -> dict:
        # Implementation
        return results

Add to SearchClient in src/clients/common/client.py:

class SearchClient(YourClient, OtherClients, ...):
    pass

Create tool wrapper in src/tools/your_tools.py:

class YourTools:
    def __init__(self, client, mcp):
        self.client = client
        self.mcp = mcp

    def register_tools(self):
        @self.mcp.tool()
        def your_tool(param: str) -> str:
            """Tool description for LLM."""
            result = self.client.your_method(param)
            return json.dumps(result)

Register in server in src/server.py:

from src.tools.your_tools import YourTools

def _register_tools(self):
    # ... existing tools ...
    YourTools(self.client, self.mcp).register_tools()

Running Tests

# All tests
uv run pytest

# Specific module
uv run pytest tests/test_investigation_state.py

# With coverage
uv run pytest --cov=src

Local Testing Environment

# Start Elasticsearch
docker-compose -f docker-compose-elasticsearch.yml up -d

# Start OpenSearch
docker-compose -f docker-compose-opensearch.yml up -d

Default credentials (testing only):

Elasticsearch: elastic / test123
OpenSearch: admin / admin

Roadmap

Feature	Status	Description
Velociraptor Integration	Planned	EDR/DFIR artifact collection and live response via Velociraptor API
Zeek Integration	Planned	Network security monitoring — parse Zeek logs (conn, dns, http, ssl, x509) for threat hunting
Splunk Integration	Planned	Add Splunk as a data source alongside Elasticsearch
Sigma Rule Converter	Planned	Convert Sigma rules to native ES/Splunk queries
Threat Intel Enrichment	Done	IoC enrichment via Shodan InternetDB, VirusTotal, AbuseIPDB, ThreatFox + STIX 2.1 export
Case Management	Planned	Export investigations to TheHive, JIRA
Custom Rule Builder	Planned	Create detection rules via natural language

See CHANGELOG.md for detailed version history.

Velociraptor Integration (Live Endpoint Forensics)

CrowdSentinel integrates with Velociraptor for live endpoint forensic artefact collection. When configured, 20 additional MCP tools and 3 cross-correlation tools become available.

Setup

# Install optional dependencies
pip install crowdsentinel-mcp-server[velociraptor]

# Set the Velociraptor API config path
export VELOCIRAPTOR_API_CONFIG="/path/to/api_client.yaml"

The API client config is generated from the Velociraptor server:

velociraptor config api_client --name crowdsentinel --role administrator,api \
  --config server.config.yaml /path/to/api_client.yaml

Available Tools

Category	Tools	Use Case
Discovery	`velociraptor_client_info`, `velociraptor_list_artifacts`	Resolve hostnames, discover available artefacts
Live State	`velociraptor_pslist`, `velociraptor_netstat`, `velociraptor_users`	Running processes, active network connections, user accounts
Execution Evidence	`velociraptor_prefetch`, `velociraptor_amcache`, `velociraptor_shimcache`, `velociraptor_userassist`, `velociraptor_bam`	Forensic proof of programme execution
Persistence	`velociraptor_services`, `velociraptor_scheduled_tasks`	Service and scheduled task persistence mechanisms
User Activity	`velociraptor_shellbags`, `velociraptor_recentdocs`, `velociraptor_evidence_of_download`	User browsing, document access, file downloads
Filesystem	`velociraptor_ntfs_mft`	MFT search for files by name, path, or timestamp
Cross-Correlation	`correlate_siem_with_endpoint`, `endpoint_to_siem_pivot`, `build_unified_timeline`	Validate SIEM findings on endpoints, pivot from endpoint IoCs to fleet-wide SIEM searches

Cross-Source IoC Sharing

SIEM (Elasticsearch)          Endpoint (Velociraptor)
       │                              │
  hunt_by_timeframe()         velociraptor_pslist()
       │                              │
  auto_capture ──────► Investigation State ◄────── auto_capture
                              │
                     get_shared_iocs()

DFIR Knowledge Resources

9 MCP resources provide structured investigation reference data directly to connected AI agents:

Resource	Content
`crowdsentinel://investigation-workflow`	Mandatory 4-phase IR workflow
`crowdsentinel://ioc-reference`	IoC types ranked by Pyramid of Pain
`crowdsentinel://cross-correlation-playbooks`	5 investigation playbooks (suspicious process, brute force, lateral movement, persistence, exfiltration)
`crowdsentinel://velociraptor-guide`	Artefact reference tables and "found X in SIEM → check Y on endpoint" decision tree
`crowdsentinel://data-sources`	All data source capabilities and investigation decision matrix

Documentation

User Guides

Document	Description
FIRST_TIME_SETUP.md	Detailed first-time setup instructions
HOW_TO_USE.md	Comprehensive usage guide
QUICK_START.md	5-minute quick start
TRANSPORT_MODES.md	stdio, SSE, HTTP configuration

Feature Guides

Document	Description
THREAT_HUNTING_GUIDE.md	Threat hunting workflows
DETECTION_RULES_GUIDE.md	Using 6,060 detection rules
CYBER_KILL_CHAIN_GUIDE.md	Kill chain analysis
CHAINSAW_GUIDE.md	EVTX log analysis with Sigma
INVESTIGATION_PROMPTS_GUIDE.md	Fast triage spine
AI_AGENT_INTEGRATION.md	Workflow guidance for AI agents

Developer Guides

Document	Description
ARCHITECTURE.md	Detailed architecture documentation
CONTRIBUTING.md	Contribution guidelines

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

Licence

GNU General Public Licence v3.0 — See LICENSE for details.

Acknowledgements

MCP Framework: Model Context Protocol by Anthropic
Chainsaw: EVTX log analyser by WithSecure Labs
Detection Rules: Community-contributed Sigma and custom rules
Frameworks: Cyber Kill Chain (Lockheed Martin), Pyramid of Pain (David J. Bianco), Diamond Model, MITRE ATT&CK

Made for the security community by medjedtxm

Crowdsentinel Mcp Server

CrowdSentinel MCP Server

AI-Powered Threat Hunting & Incident Response Framework

Demo

What is CrowdSentinel?

Installation

Install from PyPI (recommended)

Run directly with uvx (no install needed)

Install from source

Installed Size

Quick Start

1. Set environment variables

2. Connect to an MCP Client

3. Or use the CLI directly

CLI Usage

Available Commands

Output Formats

Agent Mode (--mcp)

Pipeline Examples

Key Features

125+ MCP Tools

6,060 Detection Rules

Investigation State

4 Security Frameworks

4 Data Sources + Threat Intel

Architecture

What's Included

Tool Categories (84 Tools)

Security Frameworks

Detection Rules (6,060 Rules)

Configuration

Environment Variables

Production Configuration Examples

Transport Modes

Disabling Write Operations

Usage Examples

Example 1: Hunt for Brute Force Attacks

Example 2: Investigate a Suspicious Host

Example 3: Kill Chain Analysis

Example 4: Network Traffic Analysis

Example 5: CLI Threat Hunt

Compatibility

For Developers

Roadmap

Velociraptor Integration (Live Endpoint Forensics)

Setup

Available Tools

Cross-Source IoC Sharing

DFIR Knowledge Resources

Documentation

User Guides

Feature Guides

Developer Guides

Contributing

Licence

Acknowledgements

Configuration

Crowdsentinel Mcp Server

CrowdSentinel MCP Server

AI-Powered Threat Hunting & Incident Response Framework

Demo

What is CrowdSentinel?

Installation

Install from PyPI (recommended)

Run directly with uvx (no install needed)

Install from source

Installed Size

Quick Start

1. Set environment variables

2. Connect to an MCP Client

3. Or use the CLI directly

CLI Usage

Available Commands

Output Formats

Agent Mode (--mcp)

Pipeline Examples

Key Features

125+ MCP Tools

6,060 Detection Rules

Investigation State

Agent Mode (`--mcp`)

Agent Mode (`--mcp`)