7.3.1. Claude Desktop, Code, and other MCP Clients
You can connect an MCP Client, such as Claude Desktop or Claude Code, to Cyber Triage so that it can access your case data.
Cyber Triage provides “MCP over STDIO”. It is NOT over HTTP.
Note
You are responsible for knowing where your MCP client sends data and what the retention and sharing policies are of that server. For example, a default Claude Desktop installation will send data to Anthropic servers and their access to your data will depend on your settings.
You can read more about MCP here.
7.3.1.1. MCP and Cyber Triage Basics
Claude has read-only access to your Cyber Triage data. It can’t issue any commands to update or change your data set. We may change this in the future to allow it to add, but not remove, a score or label.
You need to run Cyber Triage on the same system that Claude Desktop is running on.
You need to open the incident in Cyber Triage first and then Claude can access that data. If you can’t open the incident, then Claude can’t see the data.
If you have a Team setup, you need to enable MCP on each client. The Cyber Triage server can’t have an MCP server.
This integration uses an LLM that is not provided by Cyber Triage; it is under your control. It can be from a paid Anthropic account, Claude within your cloud provider (AWS, Azure, GCP, etc.), or a local LLM. It’s Bring Your Own AI (BYOAI).
7.3.1.2. Enable the MCP Server
First, launch Cyber Triage, go to the Options panel, and navigate to the “Integrations” -> “GenAI MCP Server” option. Enable the feature.
Copy the file path that you see and save it so that you can enter it into Claude Desktop. It should be something like:
C:\\Program Files\\Cyber Triage\\bin\\cybertriage-mcp-stdio.exe
You will need to preserve the double backslashes.
Cyber Triage will need to restart for the MCP server to be enabled.
7.3.1.3. Configure Claude Desktop
Download Claude Desktop (or Code or other MCP Client) and install it. Launch it and log into your Anthropic account or point it at your private instance.
Next, find your claude_desktop_config.json file. These apps change quickly, but this is currently where to find it:
C:\Users\JDOE\AppData\Local\Packages\Claude_pzs8sxrjxfjjc\LocalCache\Roaming\Claude\claude_desktop_config.json
If it is not there, search your system for the file or check whether Anthropic has moved it.
When you open that file in a text editor, you’ll see something like this if it is a new installation:
{
  "preferences": {
    "coworkScheduledTasksEnabled": false,
    "ccdScheduledTasksEnabled": true,
    "sidebarMode": "chat",
    "coworkWebSearchEnabled": false
  }
}
You need to:
Add a comma after the second-to-last }
Add an mcpServers section like the one below before the final }
It should look like this:
{
  "preferences": {
    "coworkScheduledTasksEnabled": false,
    "ccdScheduledTasksEnabled": true,
    "sidebarMode": "chat",
    "coworkWebSearchEnabled": false
  },
  "mcpServers": {
    "cybertriage": {
      "command": "c:\\Program Files\\CyberTriage\\bin\\cybertriage-mcp-stdio.exe"
    }
  }
}
Obviously make sure you use the same path that you copied out of the app. The double backslashes are required. You can re-open Cyber Triage to get the path.
Don’t forget to add the comma before you add the “mcpServers” section. That’s the common mistake.
After you edit the configuration file, shut down Claude Desktop ENTIRELY.
Note
On Windows, Claude Desktop is still running even after you close the window. You need to go to your task bar and kill it from there before it fully shuts down and reloads the configuration file!
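The manual edit above (add the comma, then the “mcpServers” section) is easy to get wrong. As an added example that is not part of Cyber Triage or Claude Desktop, the script below makes the same change with a JSON parser: existing keys are preserved, the doubled backslashes are produced automatically by the serializer, and a missing comma in the existing file is reported with the parser’s position instead of silently breaking Claude. The executable path and the backup file name are assumptions; use the path copied from the Options panel.

```python
"""Add the Cyber Triage MCP server entry to claude_desktop_config.json.

Added example, not Cyber Triage or Anthropic code. Performs the edit described
in the docs (an "mcpServers" section beside "preferences") with a JSON parser so
the comma and backslash-escaping mistakes cannot happen.
"""
import json
import os
import sys
from typing import Optional

# Placeholder; copy the real path from Cyber Triage's Options panel.
DEFAULT_EXE = r"C:\Program Files\Cyber Triage\bin\cybertriage-mcp-stdio.exe"


def add_cybertriage_server(config_text: str, exe_path: str, name: str = "cybertriage") -> str:
    """Return config_text with an mcpServers.<name> entry pointing at exe_path.

    Existing keys (preferences, other MCP servers) are kept. An empty file is
    treated as an empty object. Malformed JSON (for example the missing comma
    before "mcpServers") raises ValueError carrying the parser's line/column.
    """
    if not config_text.strip():
        config = {}
    else:
        try:
            config = json.loads(config_text)
        except json.JSONDecodeError as exc:
            raise ValueError(f"claude_desktop_config.json is not valid JSON: {exc}") from exc
    if not isinstance(config, dict):
        raise ValueError("top-level JSON value must be an object")
    servers = config.setdefault("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError('"mcpServers" must be an object')
    servers[name] = {"command": exe_path}
    # json.dumps escapes every backslash, which yields the "\\" form the file needs.
    return json.dumps(config, indent=2) + "\n"


def configured_command(config_text: str, name: str = "cybertriage") -> Optional[str]:
    """Read back the command configured for a server entry, or None if absent."""
    config = json.loads(config_text)
    return config.get("mcpServers", {}).get(name, {}).get("command")


def main(argv):
    if len(argv) != 3:
        print("usage: add_mcp_server.py <claude_desktop_config.json> <cybertriage-mcp-stdio.exe>")
        return 2
    config_path, exe_path = argv[1], argv[2]
    if not os.path.isfile(exe_path):
        print(f"warning: {exe_path} does not exist; check the path copied from Cyber Triage")
    with open(config_path, "r", encoding="utf-8") as fh:
        original = fh.read()
    updated = add_cybertriage_server(original, exe_path)
    # Keep the original so a mistake is recoverable (backup name is an assumption).
    with open(config_path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    with open(config_path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print(f"added mcpServers.cybertriage -> {exe_path} (backup: {config_path}.bak)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python add_mcp_server.py "<path to claude_desktop_config.json>" "<path to cybertriage-mcp-stdio.exe>"`, then fully stop Claude Desktop as described above so it reloads the file.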
7.3.1.4. Using Claude Desktop To Analyze Data
After you restart Claude Desktop, you should be ready to go.
Start Cyber Triage.
Open an incident.
In Claude Desktop (or other MCP client), type something like “Can you see the Cyber Triage MCP server?”. It should tell you if it can and what kinds of “tools” it supports. If that doesn’t work, refer to the Debugging section below. Starting with this prompt helps to debug early and signals to the client that you want to use that server.
Start asking questions.
7.3.1.5. What Makes a Good Prompt
With this GenAI integration, you are fully in control of what happens. That also means you are responsible for making sure the LLM goes in the right direction.
Make sure your prompts are specific about whether they apply to a single host or to all hosts in the incident. For example: “make a timeline of all notable items” vs “make a timeline of notable items from host X”.
The LLM may treat suspicious items too readily as fact. Remind it to confirm those and not fully trust them.
Ask it to cite its reasons when it identifies something that Cyber Triage didn’t.
While not exhaustive, here are some of the types of “tools” that Cyber Triage exposes to the LLM and therefore what kinds of questions it can answer:
Basics of the open incident and hosts
Incident-level information on notable items
Host-level information on notable items
Host-level timelines
Host-level metadata searches
Host-level lists of data types (processes, triggered tasks, etc.)
String data from file content (not full or raw files)
The 3.17.0 release had 32 tools in it.
7.3.1.6. Prompt Errors
Claude may give you a message about a tool error, such as this:
If you see this, then please follow up with something like:
"Please describe how you tried to use tool X so that we can debug the error. Keep it anonymous and do not include any of my actual data."
And please send that to support@sleuthkitlabs.com.
Other limitations (from Claude at least):
You will need to confirm the use of each tool each time. There is currently not an override for this security setting.
There is a 1MB limit on data returned from the MCP query. If your query hits this, please let us know and we can try to optimize for that.
7.3.1.7. Debugging
If Claude Desktop can’t see the MCP server, then:
Verify you enabled the MCP server in the options panel and restarted Cyber Triage
Verify you REALLY stopped Claude Desktop fully by going to the Windows task bar and stopping it there (closing windows is not enough)
If the above are all confirmed, open a command prompt and go to the folder that you copied into the configuration file (such as c:\Program Files\CyberTriage\bin). Type in:
> cybertriage-mcp-stdio --test
That will attempt to connect to the server.
Pass: If it passes, then the server is running and cybertriage-mcp-stdio was able to connect. Therefore, the problem is with your Claude Desktop setup. Double check the configuration file and if your account can access MCP servers.
Fail: If cybertriage-mcp-stdio can’t connect, then the problem is the MCP server. Check the logs in your \AppData\Local\CyberTriage\MCP folder for any errors (the STDIO program logs here). Also see if a firewall could have blocked the connection. You can also check the Cyber Triage logs (the MCP Server logs here).
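The pass/fail split above can be automated. As an added example that is not a Cyber Triage tool, the script below performs the two checks a practitioner makes before filing a ticket: whether anything is listening on the loopback MCP port (9765, per the Architecture section), and whether the stdio bridge's own --test run succeeds. The executable path is a placeholder, and interpreting a zero exit code as “pass” is an assumption about the program; read its printed output as well.

```python
"""Pre-flight checks for the Cyber Triage MCP debugging steps.

Added example, not a Cyber Triage tool. Probes 127.0.0.1:9765 (the port named
in the Architecture section) and runs `cybertriage-mcp-stdio --test`.
"""
import os
import socket
import subprocess
from typing import List

MCP_PORT = 9765  # loopback port Cyber Triage opens when the MCP server is enabled
# Placeholder path; use the one copied from the Options panel.
STDIO_EXE = r"C:\Program Files\Cyber Triage\bin\cybertriage-mcp-stdio.exe"


def port_is_listening(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port succeeds, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_dummy_listener() -> socket.socket:
    """Loopback listener on an OS-chosen port, used only to self-check the probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def run_stdio_self_test(exe_path: str, timeout: float = 30.0) -> dict:
    """Run `<exe> --test`; report whether it ran and its exit status and output.

    A missing executable or a timeout is reported, never raised. Treating exit
    code 0 as success is an assumption about the program, so output is returned too.
    """
    if not os.path.isfile(exe_path):
        return {"ran": False, "reason": f"not found: {exe_path}"}
    try:
        proc = subprocess.run([exe_path, "--test"], capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return {"ran": False, "reason": str(exc)}
    return {
        "ran": True,
        "ok": proc.returncode == 0,
        "returncode": proc.returncode,
        "output": (proc.stdout + proc.stderr).strip(),
    }


def diagnose(exe_path: str = STDIO_EXE) -> List[str]:
    """Return findings in the order of the Debugging section."""
    findings = []
    if port_is_listening("127.0.0.1", MCP_PORT):
        findings.append(f"OK: a listener is present on 127.0.0.1:{MCP_PORT}")
    else:
        findings.append(
            f"FAIL: nothing on 127.0.0.1:{MCP_PORT}; enable the MCP server in Options "
            "and restart Cyber Triage"
        )
    result = run_stdio_self_test(exe_path)
    if not result["ran"]:
        findings.append(f"SKIP: could not run --test ({result['reason']})")
    elif result["ok"]:
        findings.append(
            "PASS: --test connected, so look at the Claude Desktop side: the config "
            "file, a full restart from the task bar, and whether the account can use MCP servers"
        )
    else:
        findings.append(
            f"FAIL: --test exited {result['returncode']}; check the MCP logs under "
            f"\\AppData\\Local\\CyberTriage\\MCP and any firewall\n{result['output']}"
        )
    return findings


if __name__ == "__main__":
    for line in diagnose():
        print(line)
```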
7.3.1.8. Architecture
To help with debugging and understanding how this all works, here is a quick rundown:
If enabled, at startup, Cyber Triage opens TCP port 9765 for localhost connections only. It also generates a random token for each launch. All connections from other hosts or without the token are rejected.
The cybertriage-mcp-stdio.exe program can connect to the port. Claude Desktop communicates with it over STDIO and it acts as a transport between Claude Desktop and the running Cyber Triage application.
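The two protections described above, a loopback-only listener and a random per-launch token, are worth seeing in isolation. The code below is an added illustration of that pattern, not Cyber Triage's code and not its wire protocol: the port is chosen by the OS, the token is sent as the first line of the connection, and the framing is invented for the demo. What it shows is why the design holds: binding to 127.0.0.1 means no other host can reach the port at all, a constant-time token check rejects local callers that do not hold the current token, and a fresh token at every launch makes a token captured earlier useless after a restart.

```python
"""Loopback-only listener guarded by a per-launch token.

Added example illustrating the pattern described in the Architecture section.
Not Cyber Triage code; port choice, token format and line framing are assumptions.
"""
import secrets
import socket
import threading

HOST = "127.0.0.1"  # loopback only; binding 0.0.0.0 would expose the port to other hosts


class TokenGuardedServer:
    def __init__(self, port: int = 0):
        # New random token on every launch; a token from a previous run is useless.
        self.token = secrets.token_urlsafe(32)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((HOST, port))  # port 0 lets the OS pick (demo only)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listening socket closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn, conn.makefile("rb") as reader:
            presented = reader.readline().rstrip(b"\r\n")
            # Constant-time comparison so response timing does not leak token bytes.
            if not secrets.compare_digest(presented, self.token.encode()):
                conn.sendall(b"REJECT\n")
                return
            conn.sendall(b"OK read-only session\n")

    def close(self):
        self.sock.close()


def connect(port: int, token: str) -> str:
    """Behave like the stdio bridge: present the token, return the server's verdict."""
    with socket.create_connection((HOST, port), timeout=2) as s:
        s.sendall(token.encode() + b"\n")
        with s.makefile("rb") as reader:
            return reader.readline().decode().strip()


if __name__ == "__main__":
    server = TokenGuardedServer()
    print("with token:   ", connect(server.port, server.token))
    print("without token:", connect(server.port, "guess"))
    server.close()
```

In the real deployment the token is handed to cybertriage-mcp-stdio.exe by Cyber Triage itself, which is why the bridge must be started by the MCP client on the same machine; anything arriving from another host never reaches the accept loop, and anything local without the token gets the REJECT branch.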