rapid7-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| RAPID7_ORG_ID | No | Your Rapid7 organization ID (optional). | |
| RAPID7_REGION | Yes | The region of your InsightIDR instance (us, eu, ca, au, ap). | |
| RAPID7_API_KEY | Yes | Your Rapid7 InsightIDR API key. |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": true
} |
| prompts | {
"listChanged": true
} |
| resources | {
"listChanged": true
} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| search_investigationsA | List and filter InsightIDR investigations by status, priority, assignee, or date range |
| get_investigationA | Get full details of a specific InsightIDR investigation including its timeline |
| create_investigationA | Create a new InsightIDR investigation with a title, priority, and status |
| update_investigationB | Update an existing investigation's status, priority, assignee, or disposition |
| add_investigation_commentC | Add a comment or note to an InsightIDR investigation |
| get_investigation_alertsB | Get all alerts associated with a specific investigation |
| search_logsB | Execute a LEQL (Log Entry Query Language) query against a specific log set in InsightIDR |
| list_log_setsA | List all available log sets in InsightIDR (Firewall, DNS, DHCP, Endpoint, Cloud, etc.) |
| get_log_entryC | Retrieve a specific log entry by its ID from a given log set |
| get_log_statsA | Get aggregate statistics for a log set over a time range using a LEQL query |
| list_alertsC | List InsightIDR alerts with optional filters for severity, type, status, and date range |
| get_alertA | Get full details of a specific InsightIDR alert including its detection rule and metadata |
| update_alert_statusA | Update the status of an InsightIDR alert (open, investigating, or closed) |
| get_alert_evidenceC | Get evidence and indicators associated with an InsightIDR alert |
| search_assetsB | Search InsightIDR assets (endpoints) by hostname, IP address, OS, or agent status |
| get_assetA | Get full details of an InsightIDR asset including installed software, vulnerabilities, and network interfaces |
| get_asset_activityB | Get recent activity for an asset including logins, processes, and network connections |
| search_usersB | Search user accounts monitored by InsightIDR by name, email, domain, or department |
| get_user_activityC | Get user behavior analytics data: login times, locations, accessed assets, and anomalies |
| get_risky_usersA | Get users with abnormal behavior scores from InsightIDR's User Behavior Analytics (UBA) |
| list_threat_indicatorsC | List IOCs (IPs, domains, hashes) in the InsightIDR threat library |
| add_threat_indicatorB | Add a new IOC (IP, domain, hash, etc.) to the InsightIDR custom threat library |
| search_threat_activityB | Search for threat indicator matches in InsightIDR logs — find where known IOCs have been seen |
| list_saved_queriesB | List saved LEQL queries available in InsightIDR |
| create_saved_queryB | Save a LEQL query for reuse in InsightIDR |
| leql_helpA | Get LEQL (Log Entry Query Language) syntax reference, examples, and common patterns for InsightIDR log searches |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| investigate-alert | Guided workflow for investigating an InsightIDR alert — gathers context, evidence, and recommends actions |
| hunt-ioc | Search for an IOC (IP, domain, hash, etc.) across all InsightIDR log sources and threat intelligence |
| user-behavior-review | Analyze a user's activity for anomalies using InsightIDR's User Behavior Analytics |
| incident-timeline | Build a chronological incident timeline from an InsightIDR investigation, correlating alerts, logs, and user activity |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| investigation-templates | Common investigation templates for InsightIDR incidents including phishing, malware, lateral movement, and data exfiltration workflows |
| leql-reference | LEQL (Log Entry Query Language) syntax reference with operators, functions, and common query patterns |
| detection-rules | Built-in InsightIDR detection rule descriptions organized by attack category |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/solomonneas/rapid7-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server