Mimecast Incydr MCP server

Overview

The Mimecast Incydr Model Context Protocol (MCP) server enables natural language querying of Incydr alerts and events and makes it easier to integrate Incydr with your own AI tools and agentic workflows. This article explains how to set up the MCP server and establish an API connection to your environment.

Considerations

  • The MCP Bundle (.mcpb) linked below can be used with any compatible client, including the Claude desktop app, Claude Code, MCP for Windows, and more.
  • The .mcpb file linked below acts as a proxy server to simplify connecting to the actual MCP server, which is hosted in the Mimecast Incydr cloud. 
  • Incydr file events are large. For best results, use very specific and targeted queries.

Double-check results
When using an MCP server, be aware that the underlying AI and large language models (LLMs) you choose can make mistakes or misinterpret data. The server typically returns raw responses, such as JSON objects with result arrays, which the model then summarizes or formats for easier consumption. These summaries or counts may not always match the raw output, because LLMs are non-deterministic and can introduce formatting or interpretation errors. For critical use cases, always review the raw response data and verify that any summaries or counts accurately reflect the underlying results. Double-check important information before making decisions based on MCP server outputs.

Step 1: Create an API client in Incydr

Create a new Incydr API client for each user who accesses the MCP server:

  1. Sign in to the Incydr console.
  2. Go to Administration > Integrations > API Clients.
  3. Select Create new API Client.
  4. Enter a descriptive name (for example, "Mimecast MCP Server for Sarah").
  5. Add these permissions:
    • Alert Rules - Read
    • Alerts and Sessions - Read and Write
    • Events - Read
    • Saved Searches - Read
    • User - Read
  6. Click Save.
  7. Save the Client ID, Secret, and Base URL in a secure location for future reference.
    These values are required to complete the MCP setup in the next section.

Step 2: Connect to the Mimecast MCP server

Option 1: Automatically connect with MCPB file

The steps below to download and configure the MCP Bundle (.mcpb) desktop extension are specific to Claude Desktop, but the same process and values can be used with any compatible AI desktop client.

  1. Click to download the MCP server proxy file: mimecast-mcp-remote.mcpb
  2. Open the downloaded .mcpb file. 
    If it does not launch automatically, open it with an application that supports MCPB desktop extensions, such as Claude Desktop.
  3. Click Install.
  4. Complete the form with the following values:
    • Remote MCP Url: https://incydr-mcp.<base_url_minus_api_prefix>/stream
      • Replace <base_url_minus_api_prefix> with the Base URL obtained in step 1 above, minus the api prefix. Do not include brackets in the URL. For example, if your Base URL is api.us2.code42.com, enter https://incydr-mcp.us2.code42.com/stream
    • OAuth Token URL: https://<base_url>/v1/oauth
      • Replace <base_url> with the Base URL obtained in step 1 above. Do not include brackets in the URL. For example, if your Base URL is api.us2.code42.com, enter https://api.us2.code42.com/v1/oauth
    • API Client ID: Enter the Incydr API Client ID obtained in step 1 above.
    • API Client Secret: Enter the Incydr API Secret obtained in step 1 above.
  5. Click Save.
  6. Click the toggle to Enable the MCP server.
  7. In Claude Desktop, start a new chat and click the settings menu.  
  8. Select mimecast-mcp-remote and select a tool.
  9. Enter a prompt or choose from the sample use cases below.

Option 2: Manually connect with JSON

For clients that don't support .mcpb files, use the JSON below with a tool like Cursor:

{
  "mcpServers": {
    "incydr-mcp": {
      "command": "node",
      "args": [
        "/path/to/unzipped/mimecast-mcp-remote-1.0.0/build/index.js"
      ],
      "env": {
        "REMOTE_MCP_URL": "https://incydr-mcp.<base_url_minus_api_prefix>/stream",
        "OAUTH_TOKEN_URL": "https://<base_url>/v1/oauth",
        "API_CLIENT_ID": "your-id-here",
        "API_CLIENT_SECRET": "your-secret-here"
      }
    }
  }
}
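
The URL substitutions described in Option 1 and used in the JSON above can be scripted so that no <placeholder> text or missing api prefix ends up in the configuration. The following is an added example, not code from Mimecast or from the mimecast-mcp-remote bundle; the function names and validation rules are assumptions based on the sample Base URL api.us2.code42.com, and the credentials shown are constructed values.

```javascript
// Added example: derive the two endpoint URLs from the Incydr Base URL and
// build the Option 2 JSON. Validation rules are assumptions based on the
// page's sample Base URL (api.us2.code42.com).
function deriveEndpoints(baseUrl) {
  // Tolerate a pasted scheme or trailing slash; reject leftover <brackets>.
  const host = String(baseUrl).trim().replace(/^https?:\/\//i, "").replace(/\/+$/, "");
  if (/[<>\s\/]/.test(host)) {
    throw new Error(`Base URL must be a bare host name, got "${baseUrl}"`);
  }
  if (!/^api\.[a-z0-9.-]+$/i.test(host)) {
    throw new Error(`Base URL must start with "api.", got "${host}"`);
  }
  const suffix = host.slice("api.".length); // Base URL minus the api prefix
  return {
    REMOTE_MCP_URL: `https://incydr-mcp.${suffix}/stream`,
    OAUTH_TOKEN_URL: `https://${host}/v1/oauth`,
  };
}

function buildMcpConfig({ baseUrl, indexJsPath, clientId, clientSecret }) {
  return {
    mcpServers: {
      "incydr-mcp": {
        command: "node",
        args: [indexJsPath],
        env: {
          ...deriveEndpoints(baseUrl),
          API_CLIENT_ID: clientId,
          API_CLIENT_SECRET: clientSecret,
        },
      },
    },
  };
}

// Return the env keys that still hold template text from the page's sample.
function findPlaceholders(config) {
  const env = config.mcpServers["incydr-mcp"].env;
  return Object.keys(env).filter((k) => /[<>]|^your-.*-here$/.test(env[k]));
}

// Constructed sample values; the ID and secret here are not real credentials.
const sample = buildMcpConfig({
  baseUrl: "api.us2.code42.com",
  indexJsPath: "/path/to/unzipped/mimecast-mcp-remote-1.0.0/build/index.js",
  clientId: "key-EXAMPLE",
  clientSecret: "EXAMPLE-SECRET",
});
console.log(JSON.stringify(sample, null, 2));
```

The resulting file holds the API client secret in plain text, so restrict its permissions to the account that runs the MCP client and keep it out of version control.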

Sample use cases

The Mimecast Incydr MCP server enables you to identify and investigate potential insider threats by querying data exfiltration events, unusual file access patterns, and policy violations in natural language. Use these example prompts as a starting point, and customize them to match your environment:

  • Show me all alerts where employees uploaded Confidential files to personal cloud storage in the last 30 days.
  • Find users that have triggered alerts for uploading data to AI tools.
  • Find me all events of users on the Departing Employee watchlist moving data to removable media devices.
  • Give me a summary of all Alerts and Events where Source Code files were exfiltrated in the past two weeks.
  • What departments have the highest concentration of alerts?
