MCP.so
登录
服务器

Illumio MCP Server

@alexgoller

The first MCP server for cybersecurity

概览

What is Illumio MCP Server?

A Model Context Protocol server that provides an interface to interact with Illumio PCE (Policy Compute Engine), enabling programmatic access to workload management, label operations, traffic flow analysis, automated ringfencing, and infrastructure service identification.

How to use Illumio MCP Server?

Clone the repository, install dependencies with uv sync, and configure environment variables for PCE host, port, org ID, API key, and secret. Run via uv command in Claude Desktop config or start the HTTP server with optional OAuth authentication and role-based authorization.

Key features of Illumio MCP Server

  • Full CRUD on workloads, labels, IP lists, services, and rulesets
  • Traffic flow analysis with filtering by policy decision
  • Automated ringfencing — app-to-app segmentation policies in one command
  • Selective enforcement with configurable consumer flavors
  • Infrastructure service identification via graph centrality analysis
  • Deny rule management including override deny for emergencies
  • Event monitoring with severity and type filters
  • PCE health checks for connectivity and credentials verification

Use cases of Illumio MCP Server

  • Automate workload onboarding and label assignment in Illumio PCE
  • Query and analyze traffic flows to understand application communication patterns
  • Implement ringfencing policies to secure application segments
  • Manage IP lists, rulesets, and deny rules across multiple environments
  • Enable conversational AI assistants to manage Illumio PCE interactively

FAQ from Illumio MCP Server

What prerequisites are needed?

Python 3.8+, access to an Illumio PCE instance, and valid API credentials for the PCE.

What are the two PCE modes for the HTTP server?

Per-user mode stores one PCE API key per authenticated user (encrypted in a keystore) for PCE-side audit attribution; shared mode uses a single service-account key from environment variables, providing zero-friction onboarding.

How does authentication and authorization work in HTTP mode?

The server validates OAuth 2.1 bearer tokens from an IdP and maps user groups to roles (reader, operator, admin). Unauthenticated requests receive a 401 with a Bearer challenge that clients can automatically follow for PKCE auth code flow.

What are confirm tokens and which tools require them?

Tools marked requires_confirm=True (currently provision-policy, ringfence-batch, register-pce-credentials, delete-pce-credentials) require a server-issued single-use confirm token when called over HTTP. Stdio mode is unaffected.

Where is the audit log stored and what does it contain?

The audit log is a SQLite database (default audit.db) with rows including timestamp, subject, issuer, tool name, decision, reason, role, and request ID. Tool arguments are never logged.

来自「其他」的更多内容