
Google Cloud Security announced open source Model Context Protocol (MCP) servers for Google SecOps (SIEM and SOAR), Google Threat Intelligence and Security Command Center. 


These MCP servers allow you to easily connect Google Cloud Security products and LLMs to create your own AI-powered workflows. Below is a video from Software Engineering Lead Brian Ray that connects Gemini to Google SecOps and Google Threat Intelligence with the Anthropic Cline AI coding assistant. 



If you have questions, want to contribute to the GitHub repo (for GitHub instructions check out our Community-Driven Detection Content for Google SecOps blog) or want feedback on a use case you're designing, respond to this post or create your own post and use the MCP tag. Our engineering team is here to help.


We look forward to seeing what you build with these open source MCP servers. 

Thank you so much for sharing this blog post! There are some things which I've noticed when trying to implement the secops-soar MCP server. The server.py file attempts to find the "scopes" of the API key/user but the endpoint

GET_SCOPES = "/api/external/v1/settings/GetScopes" does not exist. Perhaps it's related to our tenant but it is not in the Swagger page.

this is where I am stuck too.  The UI message is 

2025-06-10 14:05:39,370 - ERROR - __main__ - main - Error: Failed to fetch valid scopes from SOAR, please make sure you have configured the right SOAR credentials. Shutting down... MCP error -32000: Connection closed

but I added logging and found a 404 on the "/api/external/v1/settings/GetScopes" endpoint.

DEBUG - secops_soar_mcp.http_client - get - HTTP error occurred: 404, message='Not Found', url='https://mytenantwashere.backstory.chronicle.security/api/external/v1/settings/GetScopes'
2025-06-10 17:42:19,214 - ERROR - __main__ - main - Error: Failed to fetch valid scopes from SOAR, please make sure you have configured the right SOAR credentials. Shutting down... MCP error -32000: Connection closed

I have a SOAR_APP_KEY that I created under the SOAR Settings/Advanced/Api Keys menu, and have assigned a permission group and a SOC role.

I have set application-default credentials in case it needs them too, but it looks like the request getting the 404 only uses the SOAR_APP_KEY in the header.

edit: corrected to SOAR_APP_KEY 


are you using the correct project ID or customer ID? the customer ID is located in your SecOps tenant, you can find them in settings.


yes, thank you. I verified the CHRONICLE_PROJECT_ID and CHRONICLE_CUSTOMER_ID in the env match the values on the mytenant.backstory.chronicle[.]security/settings/profile page.


Is there any issue that my SOAR is not under siemplify-soar[.]com like the example in secops/mcp-security/docs/usage_guide.md ?  My SIEM and SOAR are accessed via one URL under backstory.chronicle[.]security.   I am only having an issue with the secops-soar mcp.


Hey @mr345123 did you manage to figure this out? I'm getting the same error


no, not yet. Is your SOAR under backstory[.]security or siemplify-soar[.]com? Anyone with confirmed success with a SOAR under backstory[.]security?


Mine is also under backstory ^

Hi,


Thank you for your feedback and for highlighting this.


The endpoints the server is trying to access are specific to the SOAR platform and are not available on Backstory, which is why you don't see them in your tenant's Swagger documentation.


To resolve this, please ensure that the URL configured is the SOAR base URL, not Backstory. If you’re unsure of the correct URL, you can easily retrieve it using one of the following methods:


Option 1:
Navigate to Settings → Webhooks, create a new webhook (the parameters don't matter), and copy the base URL from the generated Webhook URL (e.g., https://s4i0z.siemplify-soar.com).


Option 2:
Open the browser's Developer Tools (F12), go to the Network tab, and navigate to Cases in the UI. Look for a request such as GetCaseCardsByRequest, then check the Headers tab and copy the Base URL (e.g., https://s4i0z.siemplify-soar.com).


Let me know if you need any further assistance.


Thanks!
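A small preflight check, as an added example not taken from the google/mcp-security repo, that applies the advice above before starting the server: it refuses a Backstory host outright and otherwise probes the GetScopes path so that a 404 (wrong base URL) is reported separately from a 401/403 (key or permission group). It assumes the key is sent in an "AppKey" header and that SOAR_URL / SOAR_APP_KEY name the configured values; neither is stated on the page.

```python
"""Preflight check for the secops-soar MCP server's SOAR base URL (added example,
not code from google/mcp-security). Assumed: app key is sent in an "AppKey" header;
env vars SOAR_URL and SOAR_APP_KEY hold the configured URL and key."""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

GET_SCOPES = "/api/external/v1/settings/GetScopes"  # path quoted in the thread


def looks_like_backstory(base_url: str) -> bool:
    """True if the host is the SIEM (Backstory) endpoint, not a SOAR base URL."""
    host = (urlsplit(base_url).hostname or "").lower()
    return host.endswith("backstory.chronicle.security")


def http_get(url: str, app_key: str) -> tuple[int, bytes]:
    """Real transport: return (status, body), folding HTTPError into a status."""
    req = urllib.request.Request(url, headers={"AppKey": app_key})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def diagnose(base_url: str, app_key: str, get=http_get) -> str:
    """Verdict: wrong-host / not-soar / bad-key / ok / error. `get` is injectable
    so the logic can be exercised offline with a fake transport."""
    if looks_like_backstory(base_url):
        return "wrong-host"  # fail before any request: this is the SIEM URL
    status, body = get(base_url.rstrip("/") + GET_SCOPES, app_key)
    if status == 404:
        return "not-soar"  # endpoint missing: base URL is not the SOAR platform
    if status in (401, 403):
        return "bad-key"  # endpoint exists; key or permission group rejected
    if status == 200:
        try:
            json.loads(body)
            return "ok"
        except ValueError:
            return "error"  # 200 but not JSON, e.g. a login page from a proxy
    return "error"


if __name__ == "__main__":
    print(diagnose(os.environ["SOAR_URL"], os.environ["SOAR_APP_KEY"]))
```

Run it with the same environment the MCP server will use; "wrong-host" or "not-soar" means the URL, not the key, is the problem.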


Thank you!  I am able to use the secops-soar MCP server now by following your instructions. 


Great, happy to help!


@Liocoh are there plans to create OAuth2.0 scopes for Google SecOps? SCC has this option already: https://developers.google.com/identity/protocols/oauth2/scopes#securitycenter


Hi 

I followed this article, https://github.com/google/mcp-security/tree/main/run-with-google-adk
Only SCC mcp server is enabled. All IAM authorizations are set correctly. SCC API is also enabled for the project. The same problem occurs with environment variables gcloud auth application-default login or GOOGLE_APPLICATION_CREDENTIALS.
As shown.

How do I resolve the 403 Permission DENIED error?

Thanks


Looks like an issue with how you're auth-ing the Gemini model. Either the key is invalid or that project doesn't have Gemini enabled.


Thanks for your reply,
I verified it using Cloud Shell commands.
gcloud auth application-default login
gcloud auth application-default set-quota-project dgc-it-support

The following figure shows the GCP settings in .env, such as mode, project, and region.

The same 403 error appears as shown below:


Thanks team for posting this. I am able to get this running in VS Code agent mode (as opposed to Cline) and I am mostly using Claude Sonnet 4. For now I am just testing the SecOps tools.
I am finding the MCP tools for SecOps are incredibly helpful for triaging and investigating, while also providing threat intel data about a recent alert. So far some good results, but you must feed it the exact detection_ID, rule_ID or even IOC to get the output you need. It's also worth it to create a prompt template in order to get the output you want, especially for investigation, as it can spit out a lot of data about an alert.

I am curious how others are utilizing the MCP SecOps tools? What have you found to be helpful when using the tools? Any general recommendations on what you are thinking next for this?
