Unified Security Intelligence: Leverage Claude to automatically correlate Splunk security incidents with DeepTempo threat intelligence
This repository demonstrates how Claude Desktop can orchestrate multiple MCP (Model Context Protocol) servers to provide unified security intelligence. Instead of manually switching between Splunk and DeepTempo, security analysts can ask Claude natural language questions and get comprehensive, correlated security insights.
Security analysts traditionally need to:
- Query Splunk for high-confidence security incidents
- Manually extract impacted IP addresses
- Switch to DeepTempo to look up threat intelligence
- Correlate findings across both platforms
- Build a unified security report
This is time-consuming and error-prone.
With this demo, Claude becomes your intelligent security orchestration layer:
```mermaid
sequenceDiagram
    participant Analyst
    participant Claude
    participant SplunkMCP as Splunk MCP
    participant DeepTempoMCP as DeepTempo MCP
    Analyst->>Claude: "Show me high-confidence incidents and threat intel"
    Claude->>SplunkMCP: Query incidents
    SplunkMCP-->>Claude: Incidents + IPs
    Note over Claude: Extracts IP addresses
    Claude->>DeepTempoMCP: Query threat intel for IPs
    DeepTempoMCP-->>Claude: Threat intelligence
    Claude-->>Analyst: Unified security report
```
Result: A single question to Claude produces a comprehensive security report combining data from both platforms.
- Python 3.10+
- Claude Desktop
- Access to Splunk instance
- DeepTempo environment configured
- Clone this repository with submodules:
  ```bash
  git clone --recursive https://github.com/mando222/DeepTempoUtils.git
  cd DeepTempoUtils
  ```
- Run the setup script:
  ```bash
  ./setup.sh
  ```
- Configure Claude Desktop (see `config/claude_desktop_config.json` for an example)
- Start using Claude! Open Claude Desktop and try the example queries in `DEMO_GUIDE.md`
This demo uses two MCP server implementations:
- Splunk MCP SOC - Query Splunk for security incidents, pivot by IP, detect lateral movement, and more
  - Tools: `pivot_by_ip`, `search_splunk`, `find_lateral_movement`, `build_attack_timeline`
  - Features: SOC investigation workflows, label harvesting, threat intel enrichment
- DeepTempo MCP Servers - Access DeepTempo findings, cases, and threat intelligence
  - Servers: `deeptempo-findings`, `tempo-flow`, `approval`, `attack-layer`
  - Features: Finding management, MITRE ATT&CK mapping, investigation workflows
- DEMO_GUIDE.md - Step-by-step demo script with example prompts
- config/demo-queries.md - Pre-written queries to copy-paste
- examples/example-workflow.md - Sample outputs and expected results
Query: "Show me the highest confidence security incidents from Splunk in the last 24 hours"
Claude will use the Splunk MCP to pull incidents, extract key details, and present them in an organized format.
Query: "What does DeepTempo know about these IPs: 192.168.1.100, 10.0.0.50?"
Claude will query the DeepTempo MCP for threat intelligence, findings, and historical context about the specified IPs.
Query: "Give me a complete security report: pull high-confidence incidents from Splunk, extract the impacted IPs, and show me what DeepTempo says about them"
Claude will:
- Query Splunk for incidents
- Extract IP addresses from the results
- Query DeepTempo for each IP
- Combine everything into a unified report with recommendations
```mermaid
graph TB
    subgraph userLayer [User Layer]
        analyst[Security Analyst]
    end
    subgraph orchestration [Orchestration Layer]
        claude[Claude Desktop]
    end
    subgraph mcpServers [MCP Server Layer]
        splunkMCP[Splunk MCP Server]
        deeptempoMCP[DeepTempo MCP Servers]
    end
    subgraph dataSources [Data Sources]
        splunk[Splunk SIEM]
        deeptempo[DeepTempo SOC]
    end
    analyst -->|Natural Language| claude
    claude -->|MCP Protocol| splunkMCP
    claude -->|MCP Protocol| deeptempoMCP
    splunkMCP -->|SDK| splunk
    deeptempoMCP -->|API| deeptempo
```
- Setup - Ensure both MCP servers are running and configured in Claude Desktop
- Query Splunk - Ask Claude to find high-confidence incidents
- Extract IPs - Claude automatically identifies impacted IP addresses
- Query DeepTempo - Claude enriches the data with threat intelligence
- Unified Report - Claude presents a comprehensive security analysis
See DEMO_GUIDE.md for detailed instructions.
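The "extract IPs, enrich, combine" steps that Claude performs in the flow above (and in the "Claude will:" list under the complete security report query) can be made concrete as plain code. The block below is an added example, not code from this repository or its submodules: the Splunk incident records and the DeepTempo intel lookup are constructed samples, and their field names (`confidence`, `src_ip`, `dest_ip`, `raw`, `finding`, `mitre`) are assumptions rather than the MCP servers' real schemas. It filters to high-confidence incidents, pulls valid IPs out of both structured fields and raw event text, joins them with intel, and ranks the result so IPs with a DeepTempo finding come first.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Splunk MCP output (field names are assumptions).
SPLUNK_INCIDENTS = [
    {"id": "INC-1", "confidence": 0.95, "rule": "Lateral movement",
     "src_ip": "192.168.1.100", "dest_ip": "10.0.0.50",
     "raw": "smb session 192.168.1.100 -> 10.0.0.50"},
    {"id": "INC-2", "confidence": 0.40, "rule": "Port scan",
     "src_ip": "172.16.5.9", "dest_ip": "10.0.0.50", "raw": ""},
    {"id": "INC-3", "confidence": 0.90, "rule": "C2 beacon",
     "src_ip": "10.0.0.50", "dest_ip": "not-an-ip", "raw": "dns 203.0.113.7"},
]

# Constructed stand-in for the DeepTempo MCP lookup, keyed by IP.
DEEPTEMPO_INTEL = {
    "10.0.0.50": {"finding": "anomalous outbound beacon", "mitre": "T1071"},
    "203.0.113.7": {"finding": "known C2 infrastructure", "mitre": "T1071.004"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_ips(incident):
    """Return the set of valid IPv4 addresses in one incident.
    Structured fields are checked first, then the raw event text is scanned,
    so IPs that only appear in the message body are not lost."""
    candidates = [incident.get("src_ip", ""), incident.get("dest_ip", "")]
    candidates += IP_RE.findall(incident.get("raw", ""))
    ips = set()
    for c in candidates:
        try:
            ips.add(str(ipaddress.ip_address(c)))
        except ValueError:
            continue  # empty or malformed values such as "not-an-ip" are skipped
    return ips

def correlate(incidents, intel, min_confidence=0.8):
    """Join high-confidence incidents with threat intel, grouped by IP.
    Each entry lists the incident ids that touched the IP and the DeepTempo
    record for it (None when DeepTempo has nothing on that IP)."""
    by_ip = defaultdict(lambda: {"incidents": [], "intel": None})
    for inc in incidents:
        if inc["confidence"] < min_confidence:
            continue
        for ip in extract_ips(inc):
            by_ip[ip]["incidents"].append(inc["id"])
            by_ip[ip]["intel"] = intel.get(ip)
    # Rank: IPs with a DeepTempo finding first, then by incident count, then by IP.
    ordered = sorted(by_ip.items(), key=lambda kv: (
        kv[1]["intel"] is None, -len(kv[1]["incidents"]), kv[0]))
    return dict(ordered)
```

`correlate(SPLUNK_INCIDENTS, DEEPTEMPO_INTEL)` drops the low-confidence port scan, surfaces `10.0.0.50` first because it appears in two incidents and has a finding, and keeps `192.168.1.100` at the bottom with `intel` set to `None` so the report still shows which impacted hosts DeepTempo has no context for.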
Example Claude Desktop configuration:
```json
{
  "mcpServers": {
    "splunk-soc": {
      "command": "python",
      "args": ["/path/to/DeepTempoUtils/splunk-mcp-soc/splunk_mcp.py", "stdio"],
      "env": {
        "SPLUNK_HOST": "localhost",
        "SPLUNK_PORT": "8089",
        "SPLUNK_USERNAME": "admin",
        "SPLUNK_PASSWORD": "your-password"
      }
    },
    "deeptempo-findings": {
      "command": "python3",
      "args": ["/path/to/DeepTempoUtils/deeptempo-mcp-servers/servers/deeptempo_findings.py"],
      "env": {
        "DEMO_MODE": "true"
      }
    }
  }
}
```
See `config/claude_desktop_config.json` for a complete example.
```
DeepTempoUtils/
├── README.md                       # This file
├── DEMO_GUIDE.md                   # Step-by-step demo instructions
├── setup.sh                        # Quick setup script
├── .gitmodules                     # Git submodule configuration
├── config/
│   ├── claude_desktop_config.json  # Example Claude Desktop config
│   └── demo-queries.md             # Ready-to-use demo queries
├── examples/
│   └── example-workflow.md         # Sample outputs and workflows
├── deeptempo-mcp-servers/          # DeepTempo MCP servers (submodule)
└── splunk-mcp-soc/                 # Splunk MCP server (submodule)
```
- Splunk MCP SOC - MCP server for Splunk security operations
- DeepTempo MCP Servers - MCP servers for DeepTempo AI SOC
- FastMCP - Framework used to build these MCP servers
- Model Context Protocol - Protocol specification
This is a demonstration repository showing how to combine multiple MCP servers. Feel free to:
- Fork and customize for your environment
- Add additional MCP servers
- Extend the demo scenarios
- Submit issues or improvements
This demonstration repository follows the licenses of its submodules:
- Splunk MCP SOC: Apache 2.0
- DeepTempo MCP Servers: MIT
- MCP Protocol: https://modelcontextprotocol.io/
- Claude Desktop: https://claude.ai/desktop
- Splunk SDK: https://dev.splunk.com/python
- DeepTempo: See the deeptempo-mcp-servers README
Built for the AI-native SOC | Demo-ready in 5 minutes