
ProcmonMCP

@JameZUK

An MCP server for procmon files
Overview

What is ProcmonMCP?

ProcmonMCP is a Model Context Protocol (MCP) server that lets Large Language Models (LLMs) analyze Process Monitor (Procmon) log files (.pml) and configuration files (.pmc) autonomously. It wraps the eronnen/procmon-parser library and exposes its parsing as MCP tools for querying and analyzing log data.

How to use ProcmonMCP?

To use ProcmonMCP, start the server with command-line arguments: --allowed-dir names the directory the server may read Procmon files from, and --load-file optionally pre-loads one file from that directory for analysis. For example:

python procmon-mcp.py --allowed-dir /path/to/secure/logs --load-file my_capture.pml
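The --allowed-dir argument only helps if every file request from the model is actually confined to that directory. The following is an added example of such a check, written for this page and not ProcmonMCP's own code; the function name resolve_procmon_file, the demo layout and the placeholder file contents are all constructed for illustration. It resolves symlinks and ".." before comparing against the allowed root, so a link planted inside the directory cannot point the server at a capture elsewhere on disk.

```python
import tempfile
from pathlib import Path

# Only Procmon artifacts should be readable through the server.
ALLOWED_SUFFIXES = {".pml", ".pmc"}


def resolve_procmon_file(allowed_dir, requested):
    """Return the real path of `requested` if it is a .pml/.pmc file inside
    `allowed_dir`; raise PermissionError otherwise (FileNotFoundError if the
    path does not exist). Hypothetical check, not ProcmonMCP's implementation."""
    root = Path(allowed_dir).resolve(strict=True)
    candidate = Path(requested)
    # Relative names are interpreted against the allowed directory, never the CWD.
    if not candidate.is_absolute():
        candidate = root / candidate
    # resolve() follows symlinks and collapses "..", so both traversal and
    # a symlink escape are caught by the containment test below.
    real = candidate.resolve(strict=True)
    if real != root and root not in real.parents:
        raise PermissionError(f"{requested!r} escapes the allowed directory")
    if real.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PermissionError(f"{requested!r} is not a .pml/.pmc file")
    if not real.is_file():
        raise PermissionError(f"{requested!r} is not a regular file")
    return real


def demo():
    """Build a throwaway directory layout (constructed fixture) and exercise
    the check. Returns a label -> outcome mapping."""
    tmp = Path(tempfile.mkdtemp())
    logs = tmp / "logs"
    logs.mkdir()
    (logs / "capture.pml").write_bytes(b"PML_")          # placeholder, not a real log
    (logs / "notes.txt").write_text("not a procmon file")
    secret = tmp / "secret.pml"                         # outside the allowed dir
    secret.write_bytes(b"PML_")
    (logs / "link.pml").symlink_to(secret)              # planted symlink escape

    cases = {
        "inside": "capture.pml",
        "wrong-suffix": "notes.txt",
        "dotdot": "../secret.pml",
        "symlink-escape": "link.pml",
        "absolute-outside": str(secret),
        "missing": "missing.pml",
    }
    outcomes = {}
    for label, requested in cases.items():
        try:
            resolve_procmon_file(logs, requested)
            outcomes[label] = "allowed"
        except (PermissionError, FileNotFoundError) as exc:
            outcomes[label] = type(exc).__name__
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:18} {outcome}")
```

The comparison is done on the resolved path of the root as well as the request, so platforms where the temp directory is itself a symlink (macOS /var to /private/var) do not produce false rejections.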

Key features of ProcmonMCP?

  • Load specific .pml or .pmc files at startup.
  • Query event summaries with filtering capabilities.
  • Retrieve detailed information for specific events and processes.
  • Get stack traces for specific events.
  • Perform basic analysis on log data.
  • Supports the stdio and SSE MCP transports.
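To make the "query event summaries with filtering" and "basic analysis" features concrete for the malware-analysis use case, here is an added example of the kind of filtering and summary that can be run over parsed events. It is written for this page, not taken from ProcmonMCP or procmon-parser; the Event class mirrors the field names procmon-parser exposes (process name, PID, operation, path, result) but the events themselves are constructed, and the SUSPICIOUS patterns are an illustrative starting set, not a complete detection rule base.

```python
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for a parsed Procmon event (constructed for this example)."""
    process_name: str
    pid: int
    operation: str
    path: str
    result: str


# Constructed sample capture: a downloaded "invoice.exe" that drops a binary
# into Temp, adds a Run key, and is denied writing the hosts file.
SAMPLE_EVENTS = [
    Event("explorer.exe", 1234, "Process Create", r"C:\Users\alice\Downloads\invoice.exe", "SUCCESS"),
    Event("invoice.exe", 4321, "CreateFile", r"C:\Users\alice\AppData\Local\Temp\svc.exe", "SUCCESS"),
    Event("invoice.exe", 4321, "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "SUCCESS"),
    Event("invoice.exe", 4321, "CreateFile", r"C:\Windows\System32\drivers\etc\hosts", "ACCESS DENIED"),
    Event("chrome.exe", 2222, "ReadFile", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History", "SUCCESS"),
    Event("svchost.exe", 900, "RegQueryValue", r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start", "SUCCESS"),
]

# (operation, case-insensitive path glob) pairs worth a second look. Illustrative only.
SUSPICIOUS = [
    ("RegSetValue", r"*\currentversion\run\*"),   # persistence via a Run key
    ("CreateFile", r"*\temp\*.exe"),              # executable dropped in Temp
    ("Process Create", "*"),                      # every process launch
]


def filter_events(events, process=None, operation=None, path_glob=None, result=None):
    """Return events matching every supplied criterion (names and paths
    compared case-insensitively, as Procmon displays them)."""
    out = []
    for e in events:
        if process is not None and e.process_name.lower() != process.lower():
            continue
        if operation is not None and e.operation != operation:
            continue
        if path_glob is not None and not fnmatchcase(e.path.lower(), path_glob.lower()):
            continue
        if result is not None and e.result != result:
            continue
        out.append(e)
    return out


def summarize(events):
    """Per-process, per-operation event counts: the shape of an event summary."""
    return Counter((e.process_name, e.operation) for e in events)


def flag_suspicious(events):
    """Return (process, operation, path) for successful events matching SUSPICIOUS.
    Failed operations are skipped: a denied write did not change the system."""
    hits = []
    for e in events:
        if e.result != "SUCCESS":
            continue
        for op, pattern in SUSPICIOUS:
            if e.operation == op and fnmatchcase(e.path.lower(), pattern.lower()):
                hits.append((e.process_name, e.operation, e.path))
                break
    return hits


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{key[0]:14} {key[1]:14} {count}")
    for hit in flag_suspicious(SAMPLE_EVENTS):
        print("SUSPICIOUS:", *hit)
```

Filtering on result is deliberate: a sandboxed sample produces many ACCESS DENIED and NAME NOT FOUND events, and an LLM summarizing a raw capture will otherwise report actions that never took effect.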

Use cases of ProcmonMCP?

  1. Analyzing malware behavior through Procmon logs.
  2. Investigating system performance issues by examining process activities.
  3. Conducting security audits by reviewing process relationships and events.

FAQ from ProcmonMCP?

  • Can ProcmonMCP analyze any Procmon log file?

Yes, as long as the log files are in the supported .pml or .pmc formats.

  • Is there a risk of exposing sensitive information?

Yes. A Procmon capture records the file, registry, network and process activity of every process on the machine, including command lines and paths that can embed credentials, usernames and other user data, and the server passes whatever it reads to the LLM. Point --allowed-dir at a directory that holds only the captures you intend to analyze, and restrict who can reach the server's transport.

  • What are the prerequisites for running ProcmonMCP?

You need Python 3.10 or higher and the required dependencies installed via pip.

© 2025 MCP.so. All rights reserved.
