When AI Tools Turn Against You: Operationalizing MCP Server Security with the Splunk MCP TA

The Model Context Protocol (MCP) is an open-source protocol developed by Anthropic and released in November 2024 to standardize how AI applications connect to external data sources and tools. The protocol emerged from Anthropic’s work on Claude Desktop, where they recognized the need for a universal standard that would allow AI systems to integrate with various data sources, APIs, and local resources without requiring custom implementations for each integration.

The protocol became popular in the AI development community due to its focus on ease of implementation and use with local resources. MCP uses JSON-RPC 2.0 for message formatting and supports multiple transport mechanisms including stdio, HTTP with Server-Sent Events (SSE), and WebSocket connections. MCP protocol is fundamental in connecting LLM reasoning and Agentic applications.

The use of MCP protocol enables LLM’s reasoning to connect to external services, local resources, and many other tools. All this functionality and reach have also brought a series of challenges, especially when it comes to securing the use and reach of MCP enabled applications. In this blog, we approach those challenges and introduce a tool that allows security analysts to see what was not visible before. The new Splunk MCP TA aims at providing light to all the behind-the-scenes exchanges that these MCP enabled workflows produce.

New Tool Brings New Security Challenges

As LLMs are now enabled to access internal, external resources and tools via MCP protocols it is important to understand several challenges posed by this enablement:

• MCP via agents may follow malicious instructions
• MCP Dynamic nature in creation of for example code may introduce vulnerable malicious code
• MCP interactions can lead to read, write modify or delete files
• Lack of authentication standard
• No visibility at all these MCP interactions
• Input validation in many scenarios cannot foresee LLM interpretations
• Multiple MCP servers connected and interacting make very complex authorization, authentication and network access.
• MCPs may connect to multiple data sources granting expanded access, making it difficult to enforce granular control. (i.e Jira, Email, Customer Service DB, etc)
• MCPs access external resources which many cases may be unvetted or malicious

The dynamic behavior of the usage of MCP servers cannot be anticipated or predicted, this introduces the need for strict monitoring of any prompts or instructions that may be directing the actions of these MCP enable tools and resources. In this sense MCP expands and introduces more risk and threats some of them expected to be seen at the edge (i.e firewalls, WAF) now in many cases these threats are now observed originating at the MCP layer (i.e SQL injection via interaction with MCP SQL Server).

Threats Faced by MCP Servers

Currently, there are several evolving frameworks to categorize threats one of them is the Coalition for Secure AI - Model Context Protocol Security which divides MCP Threat Surface into three categories:

• MCP Specific: Novel risks and threats due to MCP’s architecture and design decisions.
• MCP Contextualized: Known threats that manifest differently in MCP contexts or are amplified in MCP deployments.
• Conventional Security: Security threats that are broadly applicable or derive from legacy, infrastructure, or transport implementation decisions.

Where to Begin?

As stated previously in this blog, MCP as revision of 06-18-2025, encodes all messages using JSON-RPC 2.0. The Splunk Threat Research Team (STRT) has now published a Splunk Technology Add-On (TA) which allows direct parsing of the JSON-RPC output from MCP Servers; this allows security analysts to monitor metadata from these MCP interactions. The data ingested, is parsed, and analyzed from JSON-RPC protocol messages from Model Context Protocol (MCP) servers.

This TA provides:

• Standardized field extractions for JSON-RPC messages
• Pre-configured sourcetypes for MCP protocol data
• Wrapper scripts for easy MCP server output capture
• CIM compliance for Application State data model

The following screenshot shows parsed data from a MCP file system server:

As can be observed in this screenshot, this MCP Server can perform several operations including writing files; the following screenshot shows creation of a file. It is also important to remember that many times users grant elevated permissions to the MCP server or Agents in order to perform operations. This gets even more complicated to control and monitor if you have, for example, agents using multiple MCP servers.

There are many types of MCP servers here are some examples of the most popular ones:

• Filesystem (@modelcontextprotocol/server-filesystem) - File operations
• GitHub (@modelcontextprotocol/server-github) - Repository management
• Memory (@modelcontextprotocol/server-memory) - Knowledge graph storage
• Fetch (@modelcontextprotocol/server-fetch) - Web content retrieval
• Git (@modelcontextprotocol/server-git) - Git repository tools

In the next example of data processed via Splunk MCP TA we can see that in the specific case of a Postgress SQL MCP server we can observe the actual queries performed via MCP. We can also observe that some of these queries may be malicious in nature, which brings another challenge with the use of MCP Servers. The dynamic nature of the instructions sent to the MCP server cannot be anticipated; this makes it even more risky when it comes to code generation or in this case a possible SQL injection.

To complicate matters even more in many cases semantically speaking, it is very hard to distinguish what instruction is malicious or benign as they are exactly the same instruction in a non-malicious context.

There are fundamentally three things that make MCP servers extremely dangerous, one direct and at times elevated access to internal resources (files, databases, applications), two access to external resources some of them unvetted or even vulnerable (websites, API, Internet Content), and three the ability to move data from the perimeter to outside the edge base on the granted access and privileges which sets the condition of a unknown unvetted flow of data from inside and outside of the perimeter, especially when involving Agents with multiple tools, APIs and MCP servers.

By having access to this data, we now can see and monitor data that was previously unseen and inaccessible, and using this data we can develop analytics to analyze and discover data with MCP interactions that may be malicious in nature.

Splunk Analytics

Now that we can view what happens during these MCP interactions we can also start to develop analytics to get a more detailed view of the nature of these flows of data and operations, the following are some examples of what we can see using Splunk targeting MCP operations via Splunk MCP TA.

Privilege Escalation Attempts

In the above screenshot, we can see a Postgres MCP Server with queries aiming to escalate privileges from specific users. One of the challenges of MCP is also the introduction of conventional threat vectors in a new wrapper, whereas before things such as a SQL injection could probably be seen at the edge in a WAF now it can be executed semantically using MCP servers and Agents to reach the internal or external backend.

In the next example, we can detect sensitive terms in mcp.method search_files via param.patterns field.

It is not difficult to imagine a MCP server with high privileges accessing api keys or ssh keys. This is also another example of the need for monitoring, especially when there are no official, formal or vetted MCP repositories.

Following the same logic, in the next screenshot we can see how a MCP Github Server can be potentially used to perform reconnaissance against an organization. This highlights the dangers of rogue MCP servers and hijacked Agents, as they can be used to access and exfiltrate sensitive information.

Now that we have seen firsthand the risk amplification brought by the use of MCP Servers, it is time to address how we can at the moment address or mitigate these risks.

• Prevent installation of unknown unvetted MCP Servers
• Block domains or API endpoints that are untrusted unvetted or unknown
• Restrict the privileges and interconnection of these MCP Servers
• Agent logic and workflows CANNOT overwrite principle of least privilege and separation of duties
• Authentication and Authorization must be ENFORCED (Most practical now is the use of OAUTH tokens)
• Mandatory logging and Monitoring of MCP Servers (this must include access, operations metadata and semantic data)
• Traditional security tools now will have also address the resources and tools these MCP Servers use (i.e. DB proxy, WAF, Firewall, EDR, etc.)
• Trust but verify training and outside tools and sources used by MCP Servers (Watch for Model poisoning, drift or resource hijacking)
• Implement timeout, rate limits and cost guards
• When possible, use sandboxing (i.e isolated containers)
• Red Team, Pentest, Vulnerability Assessment of MCP, LLM and Agents

The above items can help in the mitigation of risks brought using MCP and Agents, however there is still a lot of work to be done to establish a secure standard of MCP Servers.

The STRT  has now released a new powerful tool that allows organizations to have visibility and actionable data. STRT will also release content related to specific MCP Server threats.

Current rush and drive to adopt AI also bring significant risks that must be addressed. Proceed with caution.