The Tenzir MCP Server enables AI assistants to interact with Tenzir's data pipeline engine for security operations, providing tools across several areas:

• Pipeline Execution: Run TQL (Tenzir Query Language) pipelines inline or from files, with configurable timeouts and detailed diagnostics for debugging

• Test Execution: Run and debug TQL pipeline tests using the tenzir-test framework, update baselines, and run integration tests with fixtures

• Documentation Access: Search embedded Tenzir documentation by keyword or category (tutorials, guides, references), read specific pages for operators and functions, and traverse cross-references up to 3 levels deep

• OCSF Integration: List available OCSF schema versions, browse event classes and objects, and retrieve complete schema definitions for mapping security logs

• Package Management: Scaffold new packages with standard structure, add user-defined operators (UDOs) with namespace support, add tests with input/output pairs, and add changelog entries by type (breaking, feature, bugfix, change)

• Code Generation: Auto-generate TQL parsers from sample log events (JSON, CSV, syslog, key-value) and automatically create OCSF mapping packages to normalize security data to appropriate event classes and fields

Provides Docker-based deployment and execution of the Tenzir MCP server, enabling containerized operation of data pipeline tools for security operations.

Integrates with GitHub for package development workflows, including changelog attribution using GitHub handles and repository-based collaboration on Tenzir packages.

1. Click on "Install Server".

2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.

3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Tenzir MCP Server show me recent OCSF security events from our firewall logs"

That's it! The server will respond to your query, and you can continue using it as needed.

Here is a step-by-step guide with screenshots.