LiteSOC MCP Server for AI Editors
The LiteSOC MCP Server (@litesoc/mcp-server) is an official Model Context Protocol server that gives AI editors direct, live access to your LiteSOC security data — alerts, forensic intelligence, event logs, and incident resolution.
What You Can Do
With the MCP Server connected, you can ask your AI editor questions like:
- "Show me all open critical alerts"
- "Analyze alert alt_abc123 — is this a real attack?"
- "Get the last 20 failed login events"
- "Resolve alert alt_abc123 as a false positive"
The AI gets live data from your LiteSOC project and can reason about threats, suggest remediation, and resolve incidents — all from your editor.
Prerequisites
- Node.js 18+
- A LiteSOC API key (lsk_live_...) from Settings → API Keys
- Pro or Enterprise plan for alert access and full forensic intelligence
Setup in Cursor
Go to Settings → MCP → Add Server and add:
{
  "mcpServers": {
    "litesoc": {
      "command": "npx",
      "args": ["-y", "@litesoc/mcp-server"],
      "env": {
        "LITESOC_API_KEY": "lsk_live_your_api_key_here"
      }
    }
  }
}
Setup in Claude Desktop
Edit the config file:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "litesoc": {
      "command": "npx",
      "args": ["-y", "@litesoc/mcp-server"],
      "env": {
        "LITESOC_API_KEY": "lsk_live_your_api_key_here"
      }
    }
  }
}
Restart Claude Desktop after saving.
Available Tools
The MCP Server exposes four tools:
| Tool | Description | Parameters |
|---|---|---|
| list_alerts | Fetch open security alerts | status, severity, alert_type, limit (1–50) |
| analyze_alert | Full forensic detail for a single alert — VPN/Tor detection, geolocation, ISP, threat score | alert_id |
| get_recent_events | Fetch latest raw security event logs | limit (1–50), event_name, actor_id, severity |
| resolve_incident | Mark an alert as resolved with SOC 2 audit trail | alert_id, resolution_type, notes |
Resolution Types
When resolving an incident, use one of:
- blocked_ip — Source IP has been blocked
- reset_password — User password was reset
- contacted_user — User was contacted to verify
- false_positive — Not a real threat
- other — Custom resolution
Plan Requirements
| Feature | Free | Pro | Enterprise |
|---|---|---|---|
| get_recent_events | ✅ (network intel redacted) | ✅ | ✅ |
| list_alerts | ❌ | ✅ | ✅ |
| analyze_alert | ❌ | ✅ | ✅ |
| resolve_incident | ❌ | ✅ | ✅ |
Every response includes a footer showing your current plan, retention window, and data cutoff date.
Security
- All queries are scoped to your organization and project (tenant isolation enforced server-side)
- The API key is read from the environment at runtime — never persisted or logged by the server
- Uses stdio transport — no network ports are opened on your machine
Troubleshooting
"Check your LITESOC_API_KEY"
- Verify the key starts with lsk_live_
- Ensure the key has not been revoked in your dashboard
- Check the env block in your MCP config
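The local checks in this list can be run against the config file before restarting the editor. The following is an added example, not LiteSOC's own code: `checkLitesocConfig` and the sample values are hypothetical, and it validates only what this page documents (the npx launch line, the env variable name, the lsk_live_ prefix), plus a check that the key was not placed in args, where it would show up in process listings.

```javascript
// Added example: preflight check for the "litesoc" entry of an MCP config.
// Only facts stated on this page are checked: the npx command, the package
// name, the LITESOC_API_KEY env variable and the lsk_live_ key prefix.
const PLACEHOLDER = "lsk_live_your_api_key_here"; // sample value from the page
const PREFIX = "lsk_live_";
const PACKAGE = "@litesoc/mcp-server";

function checkLitesocConfig(jsonText) {
  const findings = [];
  let config;
  try {
    config = JSON.parse(jsonText);
  } catch (err) {
    return ["config is not valid JSON: " + err.message];
  }
  const entry = config && config.mcpServers && config.mcpServers.litesoc;
  if (!entry || typeof entry !== "object") {
    return ['no "litesoc" entry under "mcpServers"'];
  }
  const args = Array.isArray(entry.args) ? entry.args : [];
  if (entry.command !== "npx" || !args.includes(PACKAGE)) {
    findings.push("command/args do not launch " + PACKAGE + " via npx");
  }
  // Arguments are visible in process listings; the key belongs in "env" only.
  if (args.some((a) => String(a).includes(PREFIX))) {
    findings.push("API key appears in args; move it to the env block");
  }
  const key = entry.env && entry.env.LITESOC_API_KEY;
  if (typeof key !== "string" || key.length === 0) {
    findings.push("env.LITESOC_API_KEY is missing");
  } else if (key !== key.trim()) {
    findings.push("LITESOC_API_KEY has leading or trailing whitespace");
  } else if (!key.startsWith(PREFIX)) {
    findings.push("LITESOC_API_KEY does not start with " + PREFIX);
  } else if (key === PLACEHOLDER) {
    findings.push("LITESOC_API_KEY is still the documentation placeholder");
  }
  return findings; // empty array: nothing to fix locally
}

// Constructed misconfiguration: key pasted into args, env value lacks the prefix.
const SAMPLE_BAD = JSON.stringify({
  mcpServers: { litesoc: {
    command: "npx",
    args: ["-y", PACKAGE, "lsk_live_CONSTRUCTED_KEY"],
    env: { LITESOC_API_KEY: "CONSTRUCTED_without_prefix" },
  } },
});
console.log(checkLitesocConfig(SAMPLE_BAD));
```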
"Upgrade to Pro"
Alert-related tools (list_alerts, analyze_alert, resolve_incident) require a Pro or Enterprise plan.
"Outside retention window"
The alert or event ID may be older than your plan's retention period. Check the X-LiteSOC-Cutoff date in the response footer.
Need help? Check our API documentation or contact support.