Stellar Cyber · Capability

Stellar Cyber Security Operations

Unified security operations workflow combining Stellar Cyber's Open XDR API capabilities for incident response, threat hunting, case management, and automated playbook execution. Designed for SOC analysts and security engineers who need to investigate alerts, manage cases, monitor sensors, and automate response actions.

Tags: Stellar Cyber, Cybersecurity, SOC, Incident Response, Threat Hunting, SOAR

What You Can Do

GET /v1/cases — List cases: list security cases with optional status filtering
POST /v1/cases — Create case: create a new security case for investigation
GET /v1/cases/{id} — Get case: retrieve details of a specific case
PUT /v1/cases/{id} — Update case: update case status and attributes
GET /v1/alerts — List alerts: retrieve security alerts with filtering
POST /v1/events — Ingest events: ingest security event documents
GET /v1/watchlists — List watchlists: retrieve all watchlists
POST /v1/watchlists — Create watchlist: create a watchlist for threat tracking
GET /v1/sensors — List sensors: list all registered sensors
GET /v1/playbooks — List playbooks: list all ATH playbooks
POST /v1/playbooks — Create playbook: create a new automated response playbook
GET /v1/reports — List reports: retrieve available security reports
POST /v1/reports — Create report: generate a new security report

MCP Tools

list-cases (read-only) — Retrieve security cases from Stellar Cyber. Use for investigating ongoing incidents and tracking case status.

create-case — Create a new security case in Stellar Cyber. Use when an alert or event requires formal investigation and tracking.

get-case (read-only) — Get detailed information about a specific security case by ID.

update-case — Update a security case status, priority, or other attributes. Use to progress cases through investigation workflows.

list-alerts (read-only) — Retrieve security alerts from Stellar Cyber Open XDR. Use for alert triage and identifying threats requiring investigation.

ingest-events — Ingest custom security event documents into Stellar Cyber for analysis and correlation.

list-watchlists (read-only) — Retrieve all threat watchlists. Use to check what indicators and entities are currently being monitored.

create-watchlist — Create a new watchlist for tracking threat indicators such as malicious IPs, domains, or file hashes.

list-sensors (read-only) — List all sensors registered with Stellar Cyber. Use to check sensor health and coverage across the environment.

list-playbooks (read-only) — Retrieve all automated response playbooks. Use to review available automation workflows for threat response.

create-playbook — Create a new ATH Playbook response action for automated threat response.

list-reports (read-only) — List available security reports. Use for compliance reporting and security posture reviews.

create-report — Generate a new security report for compliance or executive reporting.

APIs Used

stellar-cyber

Capability Spec

naftiko: "1.0.0-alpha1"

info:
  label: "Stellar Cyber Security Operations"
  description: >-
    Unified security operations workflow combining Stellar Cyber's Open XDR API
    capabilities for incident response, threat hunting, case management, and
    automated playbook execution. Designed for SOC analysts and security engineers
    who need to investigate alerts, manage cases, monitor sensors, and automate
    response actions.
  tags:
    - Stellar Cyber
    - Cybersecurity
    - SOC
    - Incident Response
    - Threat Hunting
    - SOAR
  created: "2026-05-02"
  modified: "2026-05-02"

binds:
  - namespace: env
    keys:
      STELLAR_CYBER_JWT_TOKEN: STELLAR_CYBER_JWT_TOKEN
      STELLAR_CYBER_HOSTNAME: STELLAR_CYBER_HOSTNAME

capability:
  consumes:
    - import: stellar-cyber
      location: ./shared/stellar-cyber.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: security-operations-api
      description: "Unified REST API for Stellar Cyber security operations workflows."
      resources:
        - path: /v1/cases
          name: cases
          description: Security case management operations
          operations:
            - method: GET
              name: list-cases
              description: List security cases with optional status filtering
              call: "stellar-cyber.list-cases"
              with:
                limit: "rest.limit"
                offset: "rest.offset"
                status: "rest.status"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: create-case
              description: Create a new security case for investigation
              call: "stellar-cyber.create-case"
              with:
                name: "rest.name"
                description: "rest.description"
                priority: "rest.priority"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/cases/{id}
          name: case
          description: Individual case operations
          operations:
            - method: GET
              name: get-case
              description: Retrieve details of a specific case
              call: "stellar-cyber.get-case"
              with:
                caseId: "rest.id"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: PUT
              name: update-case
              description: Update case status and attributes
              call: "stellar-cyber.update-case"
              with:
                caseId: "rest.id"
                status: "rest.status"
                priority: "rest.priority"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/alerts
          name: alerts
          description: Security alert management
          operations:
            - method: GET
              name: list-alerts
              description: Retrieve security alerts with filtering
              call: "stellar-cyber.list-alerts"
              with:
                limit: "rest.limit"
                status: "rest.status"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/events
          name: events
          description: Security event ingestion
          operations:
            - method: POST
              name: ingest-events
              description: Ingest security event documents
              call: "stellar-cyber.ingest-events"
              with:
                events: "rest.events"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/watchlists
          name: watchlists
          description: Threat watchlist management
          operations:
            - method: GET
              name: list-watchlists
              description: Retrieve all watchlists
              call: "stellar-cyber.list-watchlists"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: create-watchlist
              description: Create a watchlist for threat tracking
              call: "stellar-cyber.create-watchlist"
              with:
                name: "rest.name"
                entries: "rest.entries"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/sensors
          name: sensors
          description: Security sensor monitoring
          operations:
            - method: GET
              name: list-sensors
              description: List all registered sensors
              call: "stellar-cyber.list-sensors"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/playbooks
          name: playbooks
          description: Automated response playbooks
          operations:
            - method: GET
              name: list-playbooks
              description: List all ATH playbooks
              call: "stellar-cyber.list-playbooks"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: create-playbook
              description: Create a new automated response playbook
              call: "stellar-cyber.create-playbook"
              with:
                name: "rest.name"
                trigger: "rest.trigger"
                actions: "rest.actions"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/reports
          name: reports
          description: Security reporting
          operations:
            - method: GET
              name: list-reports
              description: Retrieve available security reports
              call: "stellar-cyber.list-reports"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: create-report
              description: Generate a new security report
              call: "stellar-cyber.create-report"
              with:
                name: "rest.name"
                type: "rest.type"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: security-operations-mcp
      transport: http
      description: "MCP server for AI-assisted security operations on Stellar Cyber Open XDR."
      tools:
        - name: list-cases
          description: >-
            Retrieve security cases from Stellar Cyber. Use for investigating
            ongoing incidents and tracking case status.
          hints:
            readOnly: true
            openWorld: true
          call: "stellar-cyber.list-cases"
          with:
            limit: "tools.limit"
            status: "tools.status"
          outputParameters:
            - type: object
              mapping: "$."
        - name: create-case
          description: >-
            Create a new security case in Stellar Cyber. Use when an alert or
            event requires formal investigation and tracking.
          hints:
            readOnly: false
            destructive: false
          call: "stellar-cyber.create-case"
          with:
            name: "tools.name"
            description: "tools.description"
            priority: "tools.priority"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-case
          description: >-
            Get detailed information about a specific security case by ID.
          hints:
            readOnly: true
            openWorld: true
          call: "stellar-cyber.get-case"
          with:
            caseId: "tools.caseId"
          outputParameters:
            - type: object
              mapping: "$."
        - name: update-case
          description: >-
            Update a security case status, priority, or other attributes.
            Use to progress cases through investigation workflows.
          hints:
            readOnly: false
            destructive: false
          call: "stellar-cyber.update-case"
          with:
            caseId: "tools.caseId"
            status: "tools.status"
            priority: "tools.priority"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-alerts
          description: >-
            Retrieve security alerts from Stellar Cyber Open XDR. Use for
            alert triage and identifying threats requiring investigation.
          hints:
            readOnly: true
            openWorld: true
          call: "stellar-cyber.list-alerts"
          with:
            limit: "tools.limit"
            status: "tools.status"
          outputParameters:
            - type: object
              mapping: "$."
        - name: ingest-events
          description: >-
            Ingest custom security event documents into Stellar Cyber for
            analysis and correlation.
          hints:
            readOnly: false
            destructive: false
          call: "stellar-cyber.ingest-events"
          with:
            events: "tools.events"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-watchlists
          description: >-
            Retrieve all threat watchlists. Use to check what indicators
            and entities are currently being monitored.
          hints:
            readOnly: true
            openWorld: true
          call: "stellar-cyber.list-watchlists"
          outputParameters:
            - type: object
              mapping: "$."
        - name: create-watchlist
          description: >-
            Create a new watchlist for tracking threat indicators such as
            malicious IPs, domains, or file hashes.
          hints:
            readOnly: false
            destructive: false
          call: "stellar-cyber.create-watchlist"
          with:
            name: "tools.name"
            entries: "tools.entries"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-sensors
          description: >-
            List all sensors registered with Stellar Cyber. Use to check
            sensor health and coverage across the environment.
          hints:
            readOnly: true
            openWorld: true
          call: "stellar-cyber.list-sensors"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-playbooks
          description: >-
            Retrieve all automated response playbooks. Use to review
            available automation workflows for threat response.
          hints:
            readOnly: true
            openWorld: true
          call: "stellar-cyber.list-playbooks"
          outputParameters:
            - type: object
              mapping: "$."
        - name: create-playbook
          description: >-
            Create a new ATH Playbook response action for automated threat response.
          hints:
            readOnly: false
            destructive: false
          call: "stellar-cyber.create-playbook"
          with:
            name: "tools.name"
            trigger: "tools.trigger"
            actions: "tools.actions"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-reports
          description: >-
            List available security reports. Use for compliance reporting
            and security posture reviews.
          hints:
            readOnly: true
            openWorld: true
          call: "stellar-cyber.list-reports"
          outputParameters:
            - type: object
              mapping: "$."
        - name: create-report
          description: >-
            Generate a new security report for compliance or executive reporting.
          hints:
            readOnly: false
            destructive: false
          call: "stellar-cyber.create-report"
          with:
            name: "tools.name"
            type: "tools.type"
          outputParameters:
            - type: object
              mapping: "$."
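The spec above exposes the same upstream calls twice, once as REST operations and once as MCP tools, and the MCP `hints` (readOnly, destructive) are what an AI agent relies on to decide whether a tool is safe to invoke. The following is an added example, not Naftiko's or Stellar Cyber's own code: a consistency check that reads an excerpt of the spec (embedded here as a constructed Python structure mirroring the YAML, so no YAML parser is needed) and flags tools whose readOnly hint contradicts the HTTP method their REST twin uses, mutating tools that omit an explicit destructive hint, calls whose namespace is not a consumed import, and bind values that look like literal credentials rather than environment variable names. The helper names (`check_spec`, `with_hint`) are assumptions of this example.

```python
"""Consistency checks for a Naftiko capability spec (added example; not
Naftiko's or Stellar Cyber's own code)."""
import copy
import re
from typing import Dict, List, Set

# Constructed excerpt of the Stellar Cyber Security Operations spec above,
# reduced to the fields the checks need.
SPEC = {
    "binds": [{"namespace": "env", "keys": {
        "STELLAR_CYBER_JWT_TOKEN": "STELLAR_CYBER_JWT_TOKEN",
        "STELLAR_CYBER_HOSTNAME": "STELLAR_CYBER_HOSTNAME"}}],
    "capability": {
        "consumes": [{"import": "stellar-cyber",
                      "location": "./shared/stellar-cyber.yaml"}],
        "exposes": [
            {"type": "rest", "port": 8080, "resources": [
                {"path": "/v1/cases", "operations": [
                    {"method": "GET", "name": "list-cases", "call": "stellar-cyber.list-cases"},
                    {"method": "POST", "name": "create-case", "call": "stellar-cyber.create-case"}]},
                {"path": "/v1/cases/{id}", "operations": [
                    {"method": "GET", "name": "get-case", "call": "stellar-cyber.get-case"},
                    {"method": "PUT", "name": "update-case", "call": "stellar-cyber.update-case"}]},
                {"path": "/v1/events", "operations": [
                    {"method": "POST", "name": "ingest-events", "call": "stellar-cyber.ingest-events"}]},
            ]},
            {"type": "mcp", "port": 9090, "tools": [
                {"name": "list-cases", "hints": {"readOnly": True, "openWorld": True},
                 "call": "stellar-cyber.list-cases"},
                {"name": "create-case", "hints": {"readOnly": False, "destructive": False},
                 "call": "stellar-cyber.create-case"},
                {"name": "get-case", "hints": {"readOnly": True, "openWorld": True},
                 "call": "stellar-cyber.get-case"},
                {"name": "update-case", "hints": {"readOnly": False, "destructive": False},
                 "call": "stellar-cyber.update-case"},
                {"name": "ingest-events", "hints": {"readOnly": False, "destructive": False},
                 "call": "stellar-cyber.ingest-events"},
            ]},
        ],
    },
}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}        # methods that must not mutate state
ENV_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")       # shape of an environment variable name


def rest_methods_by_call(spec: dict) -> Dict[str, Set[str]]:
    """Map each upstream call to the HTTP methods the REST surface exposes it under."""
    methods: Dict[str, Set[str]] = {}
    for surface in spec["capability"]["exposes"]:
        if surface.get("type") != "rest":
            continue
        for resource in surface.get("resources", []):
            for op in resource.get("operations", []):
                methods.setdefault(op["call"], set()).add(op["method"].upper())
    return methods


def check_spec(spec: dict) -> List[str]:
    """Return a list of human-readable findings; an empty list means consistent."""
    findings: List[str] = []
    imports = {c["import"] for c in spec["capability"].get("consumes", [])}
    methods = rest_methods_by_call(spec)

    # Bind values must be env var names, never pasted credentials.
    for bind in spec.get("binds", []):
        for key, value in bind.get("keys", {}).items():
            if not ENV_NAME.match(str(value)):
                findings.append(f"bind {key}: value does not look like an environment variable name")

    for surface in spec["capability"]["exposes"]:
        if surface.get("type") != "mcp":
            continue
        for tool in surface.get("tools", []):
            name, call, hints = tool["name"], tool["call"], tool.get("hints", {})
            if call.split(".", 1)[0] not in imports:
                findings.append(f"{name}: call '{call}' targets an import that is not consumed")
            read_only = hints.get("readOnly")
            if read_only is None:
                findings.append(f"{name}: no readOnly hint, so an agent cannot tell whether it mutates state")
                continue
            mutating_methods = methods.get(call, set()) - SAFE_METHODS
            if read_only and mutating_methods:
                findings.append(f"{name}: hinted readOnly but exposed over {sorted(mutating_methods)} via REST")
            if not read_only and "destructive" not in hints:
                findings.append(f"{name}: mutating tool lacks an explicit destructive hint")
    return findings


def with_hint(spec: dict, tool_name: str, **hints) -> dict:
    """Return a deep copy of spec with one MCP tool's hints replaced (for testing the checker)."""
    clone = copy.deepcopy(spec)
    for surface in clone["capability"]["exposes"]:
        for tool in surface.get("tools", []):
            if tool["name"] == tool_name:
                tool["hints"] = dict(hints)
    return clone


if __name__ == "__main__":
    for finding in check_spec(SPEC) or ["spec is consistent"]:
        print(finding)
```

Run against the excerpt as published the checker reports nothing; mislabelling `update-case` as readOnly, or dropping the destructive hint from `create-case`, each produces exactly one finding, which is the kind of gate worth putting in CI before an agent is allowed to load the capability.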