Welcome back, aspiring cyberwarriors! In our previous article, we examined the architecture of MCP and explained how to get started with it. Hundreds of MCP servers have been built for different services and tasks—some are dedicated to cybersecurity activities such as reverse engineering or reconnaissance. Those servers are impressive, and we’ll explore several of them […]
The post Using Artificial Intelligence (AI) in Cybersecurity: Creating a Custom MCP Server For Log Analysis first appeared on Hackers Arise.
Welcome back, aspiring cyberwarriors!
In our previous article, we examined the architecture of MCP and explained how to get started with it. Hundreds of MCP servers have been built for different services and tasks—some are dedicated to cybersecurity activities such as reverse engineering or reconnaissance. Those servers are impressive, and we’ll explore several of them in depth here at Hackers‑Arise.
However, before we start “playing” with other people’s MCP servers, I believe we should first develop our own. Building a server ourselves lets us see exactly what’s happening under the hood.
For that reason, in this article, we’ll develop an MCP server for analyzing security logs. Let’s get rolling!
Step #1: Fire Up Your Kali
In this tutorial, I will be using the Gemini CLI with MCP on Kali Linux. You can install Gemini using the following command:
kali> sudo npm install -g @google/gemini-cli
Now, we should have a working AI assistant, but it doesn’t yet have access to any of our security tools.
Step #2: Create a Security Operations Directory Structure
Before we start configuring MCP servers, let’s set up a proper directory structure for our security operations. This keeps everything organized and makes it easier to manage permissions and access controls.
Create a dedicated directory for security analysis work in your home directory.
kali> mkdir -p ~/security-ops/{logs,reports,malware-samples,artifacts}
This creates a security-ops directory with subdirectories for logs, analysis reports, malware samples, and other security artifacts.
Let’s also create a directory to store any custom MCP server configurations we build.
kali> mkdir -p ~/security-ops/mcp-servers
For testing purposes, let’s create some sample log files we can analyze. In a real environment, you’d be analyzing actual security logs from your infrastructure.
Firstly, let’s create a sample web application firewall log.
kali> vim ~/security-ops/logs/waf-access.log
This sample log contains various types of suspicious activity, including SQL injection attempts, directory traversal, authentication failures, and XSS attempts. We’ll use this to demonstrate MCP’s log analysis capabilities.
Let’s also create a sample authentication log.
kali> vim ~/security-ops/logs/auth.log
Now we have some realistic security data to work with. Let’s configure MCP to give Gemini controlled access to these files.
Step #3: Configure MCP Server for Filesystem Access
The MCP configuration file lives at ~/.gemini/settings.json. This JSON file tells Gemini CLI which MCP servers are available and how to connect to them. Let’s create our first MCP server configuration for secure filesystem access.
Check if the .gemini directory exists, and create it if it doesn’t.
kali> mkdir ~/.gemini
Now edit the settings.json file. We’ll start with a basic filesystem MCP server configuration.
{
"mcpServers": {
"security-filesystem": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-filesystem",
"/home/YOURUSERNAME/security-ops"
],
"env": {}
}
}
}
This sets up a filesystem MCP server with restricted access to only our security-ops directory. First, it uses npx to run the MCP server, which means it will automatically download and execute the official filesystem server from the Model Context Protocol project. The -y flag tells npx to proceed without prompting. The server-filesystem package is the official MCP server for file operations. Second, and most critically, we’re explicitly restricting access to only the /home/kali/security-ops directory. The filesystem server will refuse to access any files outside this directory tree, even if Gemini tries to. This is defense in depth, ensuring the AI cannot accidentally or maliciously access sensitive system files.
Now, let’s verify that the MCP configuration is valid and the server can connect. Start Gemini CLI again.
kali> gemini
After running, we can see that 1 MCP server is in use and Gemini is running in the required directory.
Now, use the /mcp command to list configured MCP servers.
/mcp list
You should see output showing the security-filesystem server with a “ready” status. If you see “disconnected” or an error, double-check your settings.json file for typos and check if you have nodejs, npm, and npx installed.
Now let’s test the filesystem access by asking Gemini to read one of our security logs. This demonstrates that MCP is working and Gemini can access files through the configured server.
> Read the file ~/security-ops/logs/waf-access.log and tell me what security events are present
Pretty clear summary. The key thing to understand here is that Gemini itself doesn’t have direct filesystem access. It’s asking the MCP server to read the file on its behalf, and the MCP server enforces the security policy we configured.
Step #4: Analyzing Security Logs with Gemini and MCP
Now that we have MCP configured for filesystem access, let’s do some real security analysis. Let’s start by asking Gemini to perform a comprehensive analysis of the web application firewall log we created earlier.
> Analyze ~/security-ops/logs/waf-access.log for attack patterns. For each suspicious event, identify the attack type, the source IP, and assess the severity. Then provide recommendations for defensive measures.
The analysis might take a few seconds as Gemini processes the entire log file. When it completes, you’ll get a detailed breakdown of the security events along with recommendations like implementing rate limiting for the attacking IPs, ensuring your WAF rules are properly configured to block these attack patterns, and investigating whether any of these attacks succeeded.
Now let’s analyze the authentication log to identify potential brute force attacks.
> Read ~/security-ops/logs/auth.log and identify any brute force authentication attempts. Report the attacking IP, number of attempts, timing patterns, and whether the attack was successful.
Let’s do something more advanced. We can ask Gemini to correlate events across multiple log files to identify coordinated attack patterns.
> Compare the events in ~/security-ops/logs/waf-access.log and ~/security-ops/logs/auth.log. Do any IP addresses appear in both logs? If so, describe the attack campaign and create a timeline of events.
The AI generated a formatted timeline of the attack showing the progression from SSH attacks to web application attacks, demonstrating how the attacker switched tactics after the initial approach failed.
Summary
MCP, combined with Gemini’s AI capabilities, serves as a powerful force multiplier. It enables us to automate routine analysis tasks, instantly correlate data from multiple sources, leverage AI for pattern recognition and threat hunting, and retain full transparency and control over the entire process.
In this tutorial, we configured an MCP server for file system access and tested it using sample logs.
Keep returning, aspiring hackers, as we continue to explore MCP and the application of artificial intelligence in cybersecurity.
The post Using Artificial Intelligence (AI) in Cybersecurity: Creating a Custom MCP Server For Log Analysis first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/using-artificial-intelligence-ai-in-cybersecurity-creating-a-custom-mcp-server-for-log-analysis/