IBM QRadar MCP. Run deep forensic queries and map network flows.


The IBM QRadar MCP server connects the platform to any AI agent via MCP. It lets your agent analyze security events, monitor network activity, and pull detailed offense data.

You can run AQL searches, check network maps, and get full reports on security offenses directly from your agent's chat or workflow.

What your AI agents can do

Run deep log searches

Execute custom Ariel Query Language (AQL) searches and retrieve the results for analysis.

Check incident status

Determine the status of a background AQL search job or list all active security offenses.

Map network and data sources

List the network topology and the sources of log data ingested into QRadar.

Get offense details

Retrieve full context, including severity and description, for a specific security offense ID.

Manage security rules

List all defined QRadar correlation rules or reference sets for compliance review.

Update security records

Modify the details or status of an existing QRadar offense.

Supported MCP Clients

OAuth 2.0 compatible. Vinkius runs on Claude, ChatGPT, Cursor, Gemini, VS Code, JetBrains, Vercel, Zendesk, and other MCP clients.

IBM QRadar MCP Server: 10 Tools for Security Analysis

Use these tools to execute complex queries, map network flows, and retrieve forensic data from IBM QRadar directly through your AI agent.

Make your AI actually useful.

Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.

execute aql

Runs a custom Ariel Query Language (AQL) search and returns a search ID for later retrieval.

get aql results

Retrieves the final data results from an AQL search that has finished running.

get aql status

Checks the current processing status of an asynchronous AQL search job.

get log sources

Lists every log source that is currently connected and monitored by QRadar.

get network hierarchy

Maps and lists the physical or logical network structure connected to QRadar.

get offense details

Pulls all detailed information, such as severity and description, for a single, identified QRadar offense.

get offenses

Lists all currently active and detected security offenses within QRadar.

get reference sets

Lists predefined data sets or reference groups used by QRadar for correlation.

get rules

Lists the specific correlation rules that QRadar uses to detect threats.

update offense

Modifies the details or status of an existing QRadar offense.


Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by IBM QRadar. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

VINKIUS INFRASTRUCTURE

  • Cloud Hosted: Managed infra
  • V8 Isolated: Sandboxed per request
  • Zero-Trust Proxy: No stored credentials
  • DLP Enforced: Policy on every call
  • GDPR Compliant: EU data residency
  • Token Compression: ~60% cost reduction

Works with Claude, ChatGPT, Cursor, and more

The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.

This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.

Sifting through logs and dashboards is a time sink.

Today, finding a single piece of evidence means navigating multiple tabs: the main alert dashboard, the network map, the raw log stream, and the rule engine. You copy a suspicious IP address from the alert, paste it into the network tool, then export the logs, and finally, you run a separate search for the same IP. It's a painful, multi-system copy-paste job.

With the IBM QRadar MCP Server, you just tell your agent, 'Find all activity for this IP.' The agent runs the necessary tools—like `get_network_hierarchy` and `execute_aql`—and delivers a single, structured report containing the network path and the raw evidence. No clicking, no pasting, just the answer.

IBM QRadar MCP Server: Analyze security events and network flows.

You used to have to manually check the status of a long-running query in the web UI, wait for the job to finish, and then manually trigger the results page. This process adds minutes of waiting and clicking to an already stressful response.

Now, your agent handles the entire sequence. It calls `execute_aql`, then it monitors the status with `get_aql_status`, and finally, it pulls the results with `get_aql_results`. The entire workflow happens in the background, giving you the data without the UI friction.

What you can do with this MCP connector

IBM QRadar lets your AI client talk to its security data. It hooks your agent up to run deep searches, check on network activity, and pull detailed info on security offenses, all without leaving your chat or workflow. You'll use the following tools:

  • `get_offenses` lists every active security offense QRadar has flagged.
  • `get_offense_details` pulls the full context, severity and description, for a specific offense ID.
  • `update_offense` lets you change the details or status of an existing offense.

  • `execute_aql` runs a custom Ariel Query Language (AQL) search and gives you a search ID you'll need to track it.
  • `get_aql_status` checks if that background AQL search job is finished.
  • `get_aql_results` retrieves the final data results once the AQL search is done.

  • `get_log_sources` lists every log source QRadar is monitoring and ingesting.
  • `get_network_hierarchy` maps out the physical or logical network structure connected to QRadar.

  • `get_rules` lists the specific correlation rules QRadar uses to detect threats.
  • `get_reference_sets` lists the predefined data sets QRadar uses for correlation.

You can run custom AQL searches and pull results for analysis. You can list all active security offenses and get detailed context for any specific offense. You can map the network and check what logs are coming in. You can also see the correlation rules and reference sets QRadar uses, or modify the details of an offense.

Built, hosted, and managed by Vinkius. IBM QRadar MCP Server - Analyze Security Events. Server ID: 019d75b7-0d81-700f-a2fb-f07d1ced8a24

Vinkius Inspector: Compliance Grade A+, Score 100/100

Common Questions About IBM QRadar MCP

How do I list all active security incidents using the get_offenses tool?

Call get_offenses. This tool immediately returns a list of all currently detected security offenses in your environment.

What is the best way to get detailed information for a specific offense using get_offense_details?

Pass the specific offense ID to get_offense_details. This provides a comprehensive report, including the severity, full description, and affected assets for that single incident.

Can I map the network topology using get_network_hierarchy?

Yes, call get_network_hierarchy. It lists the entire network map, helping you visualize the potential lateral movement path during an attack.

How do I run custom log searches with execute_aql?

Use execute_aql and provide your Ariel Query Language (AQL) query string. This returns a search ID, which you then use with get_aql_status to track progress.

What does get_rules do?

The get_rules tool lists all the correlation rules in QRadar. This is useful for compliance and understanding what logic is actively watching for threats.

How do I check if an AQL search is finished using get_aql_status?

You use get_aql_status to check the search status. It returns the current state of your async query, letting you know when the results are ready to fetch.

What is the process for listing all available log sources with get_log_sources?

Call get_log_sources to get a list of all QRadar log sources. This helps you identify exactly what data feeds are available for analysis.

How do I update the details of an existing offense using update_offense?

The update_offense tool lets you change existing offense data. You pass the offense ID and the new details you want to write back into QRadar.
