Skip to main content
Glama
knethteo

Tenable Identity Exposure MCP Server

by knethteo

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
TIE_URLYesBase URL for the Tenable Identity Exposure API, e.g. https://your-host.tenable.ad
TIE_API_KEYYesAPI key from TIE console (System > Configuration > API key)
TIE_VERIFY_SSLNoSet to 'false' to disable SSL verification for self-signed certificatestrue

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": false
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
tie_catalogA

List all available Tenable Identity Exposure API resources and their paths.

Call this first to discover what resources exist before using other tools.

tie_requestA

Make a direct HTTP call to any Tenable Identity Exposure API endpoint.

Args: method: HTTP method (GET, POST, PUT, PATCH, DELETE). path: API path, e.g. "/api/directories" or "/api/attacks/123". params: Optional query string parameters as a dict. body: Optional request body as a dict (used with POST/PUT/PATCH).

Returns: Parsed JSON response from the TIE API.

tie_resource_actionB

Perform CRUD operations on a TIE resource.

Args: resource: Resource name from tie_catalog (e.g. "directories", "attacks", "users"). action: Operation — list, get, create, update, or delete. id: Resource ID for get/update/delete operations. body: Request body for create/update operations. params: Optional query parameters (e.g. pagination, filters).

Examples: List all directories: resource="directories", action="list" Get directory #5: resource="directories", action="get", id=5 List recent attacks: resource="attacks", action="list", params={"page": 1} Create a user: resource="users", action="create", body={...} Delete an alert: resource="alerts", action="delete", id=42

tie_deviances_by_checkerA

List IoE deviances for a given checker within a profile (full detail, no date filter).

For a time-bounded view use tie_deviances(hours=...) or tie_recent_activity instead. The TIE API models this as a POST with a filter expression body; an empty expression returns all deviances for the checker.

Args: checker_id: IoE checker id (see tie_resource_action resource="checkers"). profile_id: Security profile id (default 1). page: Page number (1-based). per_page: Results per page. expression: Optional filter expression object. Defaults to {} (no filter). verbose: If False (default), render descriptions and drop giant attribute values to save tokens. Set True for the full raw payload.

tie_deviances_by_directoryA

List IoE deviances for a specific directory (full detail, no date filter).

Args: infrastructure_id: Infrastructure (forest) id — see resource="infrastructures". directory_id: Directory id — see resource="directories". page: Page number (1-based). per_page: Results per page. verbose: If False (default), render descriptions and drop giant attribute values.

tie_deviancesA

Find AD objects with IoE deviances for a checker within a time window.

This is the time-filterable deviance query (server-side dateStart/dateEnd via the checker's ad-objects/search endpoint). Provide hours for a relative window (e.g. hours=12) or explicit date_start/date_end. With neither, defaults to the last 24h.

Args: checker_id: IoE checker id (see resource="checkers"). profile_id: Security profile id (default 1). Note: your console may use a non-default profile — call tie_profiles to list them. directory_ids: Restrict to these directory ids (default: all directories in scope). hours: Relative look-back window in hours (e.g. 12). Ignored if date_start given. date_start: Explicit ISO 8601 UTC start (e.g. "2026-07-07T16:00:00.000Z"). date_end: Explicit ISO 8601 UTC end (default: now). reasons: Optional reason ids to filter (see /api/profiles/{id}/checkers/{id}/reasons). show_ignored: Include deviances that are currently ignored (default False). page: Page number (1-based). per_page: Results per page. verbose: If False (default), truncate giant attribute values.

tie_attacksA

List IoA attack instances for a resource within a profile.

The TIE API requires scoping attacks to a resource. For example, to see attacks against directory id 8: resource_type="directory", resource_value="8".

Args: resource_type: What resource_value refers to — infrastructure, directory, hostname, or ip. resource_value: The id (for infrastructure/directory) or name/ip value to scope to. profile_id: Security profile id (default 1). attack_type_ids: Optional list of attack type ids to filter (e.g. DCSync, Kerberoasting). date_start: Optional ISO 8601 start of date range. date_end: Optional ISO 8601 end of date range. include_closed: Include closed attacks (default False). limit: Max results (default 50). order: Sort order by date, "desc" (newest first) or "asc". search: Optional free-text search filter.

tie_alertsB

List alerts for a security profile.

Args: profile_id: Security profile id (default 1). page: Page number (1-based). per_page: Results per page. archived: Optionally filter by archived status (True/False).

tie_scoresA

Get per-directory security scores for a profile.

Returns a list of {directoryId, score} reflecting the AD security posture (higher is better; scores reflect outstanding IoE deviances).

Args: profile_id: Security profile id (default 1).

tie_topologyA

Get the Active Directory topology (domains, forests, and trust relationships).

Args: profile_id: Security profile id (default 1).

tie_search_eventsA

Search AD security events within a date range.

Args: directory_ids: One or more directory ids to search (see resource="directories"). date_start: ISO 8601 start of range, e.g. "2026-07-01T00:00:00.000Z". date_end: ISO 8601 end of range. profile_id: Security profile id (default 1). expression: Optional filter expression object. Defaults to {} (no filter). order: Optional ordering object, e.g. {"column": "date", "direction": "desc"}.

tie_whoamiA

Get the current user's identity, roles, and permissions (from the API key).

tie_search_ad_objectsA

Search Active Directory objects (users, computers, groups, OUs) by name or attribute.

Args: query: Search string to match against AD object names/attributes. directory_id: Restrict search to a specific directory. object_type: Filter by object type: "user", "computer", "group", "ou". page: Page number (1-based). per_page: Results per page.

tie_profilesA

List security profiles (id + name).

IoE/IoA data is scoped to a profile. The console has a selected profile that the API does not expose, so pass the right profile_id explicitly to other tools.

tie_recent_activityA

Unified recent-activity timeline of IoE alerts and IoA attacks in one call.

Answers questions like "show me IoE/IoA in the last 12 hours". IoE is sourced from the profile's alert feed (time-ordered) and each in-window alert is enriched with its deviance detail (checker + rendered description). IoA is sourced from the attacks endpoint per directory. Results are merged and sorted newest-first. All timestamps are UTC.

Args: hours: Look-back window in hours (default 12). profile_id: Security profile id (default 1). See tie_profiles. include_ioe: Include IoE deviance alerts (default True). include_ioa: Include IoA attacks (default True). directory_ids: Restrict to these directory ids (default: all in scope). max_items: Cap on enriched items per category (default 50); truncation is reported. verbose: If False (default), attribute values are slimmed.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/knethteo/tenable-identity-exposure-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server