Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@QRadar MCP ServerShow me the 5 most recent high priority offenses"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
QRadar MCP Server
Model Context Protocol (MCP) server for IBM QRadar SIEM - Access 728+ QRadar REST API endpoints through just 4 intelligent MCP tools.
π― What is This?
QRadar MCP Server bridges the gap between Large Language Models (LLMs) and IBM QRadar SIEM. It enables natural language interactions with your security dataβno need to memorize 728 API endpoints.
The Problem
QRadar has 728+ REST API endpoints β overwhelming for developers and LLMs alike
Traditional approach: Define each endpoint as a separate tool β massive token consumption
Result: Expensive API calls, slow responses, context limits exceeded
The Solution
Instead of exposing 728 tools, we expose just 4 intelligent tools:
Traditional Approach | MCP Server Approach |
728 tool definitions | 4 tool definitions |
~50,000 tokens/request | ~2,000 tokens/request |
Context overflow risk | Fits any LLM context |
Slow tool discovery | Instant endpoint lookup |
Token Efficiency
96% reduction in tool definition tokens
25x faster LLM processing
Works with any LLM (Claude, GPT, Gemini, Llama)
Who Should Use This?
Security analysts wanting natural language QRadar queries
DevOps teams automating security workflows
AI developers building QRadar-integrated applications
SOC teams needing quick incident data access
π Experience It Live
IBM MCP Client (Web UI)
Try the full experience with our React + FastAPI client:
Live Demo: http://9.30.147.112:8000 π
Container Registry: ghcr.io/addanuj/ibm-mcp-client:latest
Try: "Show me top 10 offenses", "How many assets?", "Get QRadar version", "List 5 rules"
ποΈ Architecture
graph TB
subgraph "Client Layer"
A[MCP Client/LLM]
end
subgraph "MCP Server Container"
B[Python FastAPI Server<br/>Port: 8001]
C[4 MCP Tools]
D[QRadar API Wrapper<br/>728 Endpoints]
end
subgraph "QRadar SIEM"
E[REST API<br/>v26.0+]
F[Offenses]
G[Assets]
H[Rules]
I[Ariel Search]
end
A -->|HTTP/SSE or stdio| B
B --> C
C --> D
D -->|HTTPS REST| E
E --> F
E --> G
E --> H
E --> I
style A fill:#e1f5ff
style B fill:#fff3e0
style C fill:#f3e5f5
style D fill:#e8f5e9
style E fill:#fce4ecπ¦ What's Inside
4 Intelligent Tools
Tool | Description | Example |
| Fetch data from 728 endpoints | Get offenses, assets, rules |
| Create/update resources | Create reference sets, update rules |
| Remove resources | Delete offense notes |
| Auto-discover endpoints | Find correct API paths |
Supported Endpoints (728 total)
SIEM: Offenses, sources, destinations
Assets: Asset model, vulnerabilities, compliance
Analytics: Rules, building blocks, searches
Ariel: AQL queries, searches, results
Reference Data: Sets, maps, collections
Config: Domains, log sources, users
System: Health, licensing, servers
π Quick Start
Option 1: Pull from Registry (Run as Container)
# Pull multi-architecture image
docker pull ghcr.io/addanuj/qradar-mcp-server:latest
# Run as container
docker run -d \
--name qradar-mcp-server \
-p 8001:8001 \
-e QRADAR_HOST="https://your-qradar-console.com" \
-e QRADAR_API_TOKEN="your-sec-token-here" \
-e QRADAR_VERIFY_SSL="false" \
ghcr.io/addanuj/qradar-mcp-server:latest \
--host 0.0.0.0 --port 8001Option 2: Build from Source (Run as Container)
# Clone repository
git clone https://github.ibm.com/ashrivastava/QRadar-MCP-Server.git
cd QRadar-MCP-Server
# Build container image
docker build -t qradar-mcp-server:latest -f container/Dockerfile .
# Run as container
docker run -d \
--name qradar-mcp-server \
-p 8001:8001 \
-e QRADAR_HOST="https://your-qradar.com" \
-e QRADAR_API_TOKEN="token" \
qradar-mcp-server:latest \
--host 0.0.0.0 --port 8001Option 3: Local Development (Run as Python Service)
# Install dependencies
pip install -e .
# Set environment variables
export QRADAR_HOST="https://your-qradar.com"
export QRADAR_API_TOKEN="your-token"
# Run in stdio mode (for Claude Desktop)
python -m src.server
# OR run in HTTP mode for local testing
python -m src.server --host 0.0.0.0 --port 8001π§ Configuration
Environment Variables
Variable | Required | Default | Description |
| β Yes | - | Full QRadar console URL (https://...) |
| β Yes | - | QRadar API authorization token |
| β No |
| Verify SSL certificates |
| β No |
| QRadar API version |
Runtime Modes
HTTP/SSE Mode (Recommended for Containers)
python -m src.server --host 0.0.0.0 --port 8001Exposes REST API on port 8001
Health check:
http://localhost:8001/healthTools list:
http://localhost:8001/toolsSSE streaming support
stdio Mode (for Claude Desktop)
python -m src.serverCommunicates via stdin/stdout
Use in Claude Desktop MCP configuration
No network exposure needed
Usage Examples
Check Server Health
curl http://localhost:8001/health
# Response: {"status":"healthy","mode":"http","tools":4,"endpoints":728}List Available Tools
curl http://localhost:8001/toolsCall a Tool (Get Offenses)
curl -X POST http://localhost:8001/tools/call \
-H "Content-Type: application/json" \
-d '{
"name": "qradar_get",
"arguments": {
"endpoint": "/siem/offenses",
"limit": 10,
"qradar_host": "https://your-qradar.com",
"qradar_token": "your-token"
}
}'Discover Endpoints
curl -X POST http://localhost:8001/tools/call \
-H "Content-Type: application/json" \
-d '{
"name": "qradar_discover",
"arguments": {
"search": "offenses",
"qradar_host": "https://your-qradar.com",
"qradar_token": "your-token"
}
}'π Project Structure
QRadar-MCP-Server/
βββ container/
β βββ Dockerfile # Multi-arch container definition
βββ src/
β βββ __init__.py
β βββ __main__.py # Entry point
β βββ server.py # FastAPI server (HTTP mode)
β βββ client.py # QRadar API client wrapper
β βββ tools.py # 4 MCP tools with 728 endpoint definitions
βββ pyproject.toml # Python package configπ¦ Supported QRadar Versions
QRadar 7.3.x β (tested)
QRadar 7.4.x β (tested)
QRadar 7.5.x β (tested)
π Support
Reporting Issues & Feature Requests
Found a bug?
Go to: https://github.ibm.com/ashrivastava/QRadar-MCP-Server/issues
Click "New Issue"
Provide: clear title, steps to reproduce, QRadar version, and logs (
docker logs qradar-mcp-server)
Have a suggestion?
Open issue with [Feature Request] prefix
Describe use case and expected behavior
Need help?
Check logs:
docker logs qradar-mcp-serverSearch existing issues: https://github.ibm.com/ashrivastava/QRadar-MCP-Server/issues
Contact: ashrivastava@ibm.com
β οΈ Disclaimer
This is a Minimum Viable Product (MVP) for testing and demonstration purposes only.
NOT for production use
No warranty or support guarantees
Use at your own risk
For production deployments, conduct thorough security review and testing
IBM is not responsible for any issues arising from the use of this software
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.