IBM QRadar MCP. Run deep forensic queries and map network flows.
Works with every AI agent you already use, and any MCP-compatible client.
Just plug in your AI agents and start using Vinkius.
The IBM QRadar MCP server connects QRadar to any AI agent via MCP. It lets your agent analyze security events, monitor network activity, and pull detailed offense data.
You can run AQL searches, check the network hierarchy, and get full reports on security offenses directly from your agent's chat or workflow.
What your AI agents can do
Execute custom Ariel Query Language (AQL) searches and retrieve the results for analysis.
Determine the status of a background AQL search job or list all active security offenses.
List the network topology and the sources of log data ingested into QRadar.
Retrieve full context, including severity and description, for a specific security offense ID.
List all defined QRadar correlation rules or reference sets for compliance review.
Modify the details or status of an existing QRadar offense.
IBM QRadar MCP Server: 10 Tools for Security Analysis
Use these tools to execute complex queries, map network flows, and retrieve forensic data from IBM QRadar directly through your AI agent.
- execute_aql: Runs a custom Ariel Query Language (AQL) search and returns a search ID for later retrieval.
- get_aql_results: Retrieves the final data results from an AQL search that has finished running.
- get_aql_status: Checks the current processing status of an asynchronous AQL search job.
- get_log_sources: Lists every log source that is currently connected and monitored by QRadar.
- get_network_hierarchy: Maps and lists the physical or logical network structure connected to QRadar.
- get_offense_details: Pulls all detailed information, such as severity and description, for a single, identified QRadar offense.
- get_offenses: Lists all currently active and detected security offenses within QRadar.
- get_reference_sets: Lists predefined data sets or reference groups used by QRadar for correlation.
- get_rules: Lists the specific correlation rules that QRadar uses to detect threats.
- update_offense: Modifies the details or status of an existing QRadar offense.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with IBM QRadar, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,700+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
What you can do with this MCP connector
IBM QRadar lets your AI client talk to its security data. It hooks your agent up to run deep searches, check on network activity, and pull detailed info on security offenses, all without leaving your chat or workflow. You'll use the following tools:
- get_offenses lists every active security offense QRadar has flagged.
- get_offense_details pulls the full context, severity and description, for a specific offense ID.
- update_offense lets you change the details or status of an existing offense.
- execute_aql runs a custom Ariel Query Language (AQL) search and gives you a search ID you'll need to track it.
- get_aql_status checks whether that background AQL search job is finished.
- get_aql_results retrieves the final data results once the AQL search is done.
- get_log_sources lists every log source QRadar is monitoring and ingesting.
- get_network_hierarchy maps out the physical or logical network structure connected to QRadar.
- get_rules lists the specific correlation rules QRadar uses to detect threats.
- get_reference_sets lists the predefined data sets QRadar uses for correlation.
You can run custom AQL searches and pull results for analysis. You can list all active security offenses and get detailed context for any specific offense. You can map the network and check what logs are coming in. You can also see the correlation rules and reference sets QRadar uses, or modify the details of an offense.
How IBM QRadar MCP Works
1. Your agent calls the get_offenses tool to list active security incidents.
2. You select an offense ID, and the agent calls get_offense_details to pull the full incident report.
3. The agent uses execute_aql to run a custom search, polls get_aql_status until the job finishes, and then calls get_aql_results to get the final data set.
The bottom line is that your agent executes a sequence of API calls, gathering forensic data step by step to build a complete incident picture.
Who Is IBM QRadar MCP For?
The SOC Tier 2 analyst who needs to move fast and stop clicking through dashboards. Or the junior forensics engineer who struggles with complex log filtering. This server lets you run deep investigative queries and pull full incident reports without ever leaving your AI agent's chat window.
- Triages alerts by running get_offenses to scope the incident, then uses get_offense_details to understand the full impact and required remediation.
- Uses get_network_hierarchy to map lateral movement paths and execute_aql to pull the specific events behind the offense.
- Verifies system policies by listing the active rules (get_rules) and checking which log sources are being monitored (get_log_sources).
What Changes When You Connect
- See all active incidents instantly. Use get_offenses to list every detected security offense, giving you a single view of the current threat landscape.
- Pinpoint exactly what happened. Call get_offense_details to pull the full context, including severity, affected assets, and the description of a single offense.
- Investigate network paths quickly. get_network_hierarchy lists the full network map, letting you track how an attacker might move laterally.
- Pull raw evidence on demand. Use execute_aql to run custom log searches and get_aql_results to get the exact data payload you need for a report.
- Understand the policy. Check get_rules to see exactly which correlation logic is running, and get_reference_sets to see what data groups are used.
- Triage and remediate fast. Use get_aql_status to check a long-running query, and update_offense to close or change the status of an incident once you confirm the fix. update_offense is the only tool in this set that changes QRadar state rather than reading it, so have the agent show you the offense ID and the intended change before it makes that call.
Real-World Use Cases
A new alert pops up, but the scope is unknown.
The SOC analyst first runs get_offenses to get a list of all current incidents. They pick the most severe one and run get_offense_details to understand the full context. This immediately narrows the investigation from a vague alert to a specific, actionable incident report.
Need to prove that a specific host or user reached a compromised asset.
The investigator uses get_network_hierarchy to map the network paths leading to the compromised asset. They then use execute_aql with the relevant time range, source and destination IPs (and username, if the events carry one), followed by get_aql_results to pull the raw logs proving the connection.
Compliance audit requires proof of policy adherence.
The compliance officer runs get_rules to list all active correlation rules, and get_reference_sets to confirm that the reference data those rules depend on is present. Together they document which detection logic is in place for the auditor.
A known attack pattern is suspected, but logs are sparse.
Instead of digging through dashboards, the agent runs a custom query using execute_aql (for example, filtering on specific user agents or geo-locations). It polls get_aql_status until the results are ready, then retrieves the data using get_aql_results.
The Tradeoffs
Calling every tool just to see what it returns.
The agent calls get_log_sources, then get_rules, then get_reference_sets, just to see what they do. This creates a long, slow, unnecessary chain of calls.
→ Start by scoping the problem. First, call get_offenses to identify the threat. Then, call get_offense_details for the context. Only after that, use get_network_hierarchy to map the blast radius. Don't run tools until you know why you need the data.
Relying on raw log browsing.
A manual review of the SIEM dashboard shows hundreds of raw log lines, making it impossible to spot the one critical line related to the attack vector.
→ Use execute_aql to build a specific query based on the evidence. Then, use get_aql_results to pull only the filtered, relevant data points, making the data actionable for your agent.
Treating the offense description as the whole story.
The agent calls get_offense_details, trusts the description as complete, and proposes a fix that conflicts with the correlation logic that actually fired or with the reference data it depends on.
→ Before taking action, run get_rules and get_reference_sets to see which rule raised the offense and which reference sets it uses. Then read get_offense_details in that context, so the suggested remediation matches the rule and does not just address the symptom in the description.
When It Fits, When It Doesn't
Use this server if your investigation needs to move beyond simple alert viewing and requires structured data extraction. You need to understand why an incident happened (policy rules), where the attacker moved (network hierarchy), and what the raw evidence is (AQL).
Don't use this if you just need a simple, high-level count of alerts. For that, a basic metrics dashboard is fine. Use this when you need to connect the dots: from a single get_offense_details to the full get_network_hierarchy and back to the evidence via get_aql_results.
If your goal is merely to search text across all logs, a plain full-text log search will do. Use this server when you need the structure and the context (offenses, rules, reference sets, network hierarchy) that only QRadar provides.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by IBM QRadar. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Sifting through logs and dashboards is a time sink.
Today, finding a single piece of evidence means navigating multiple tabs: the main alert dashboard, the network map, the raw log stream, and the rule engine. You copy a suspicious IP address from the alert, paste it into the network tool, then export the logs, and finally, you run a separate search for the same IP. It's a painful, multi-system copy-paste job.
With the IBM QRadar MCP Server, you just tell your agent, 'Find all activity for this IP.' The agent runs the necessary tools—like `get_network_hierarchy` and `execute_aql`—and delivers a single, structured report containing the network path and the raw evidence. No clicking, no pasting, just the answer.
IBM QRadar MCP Server: Analyze security events and network flows.
You used to have to manually check the status of a long-running query in the web UI, wait for the job to finish, and then manually trigger the results page. This process adds minutes of waiting and clicking to an already stressful response.
Now, your agent handles the entire sequence. It calls `execute_aql`, then it monitors the status with `get_aql_status`, and finally, it pulls the results with `get_aql_results`. The entire workflow happens in the background, giving you the data without the UI friction.
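The execute_aql / get_aql_status / get_aql_results sequence described above (and in "How IBM QRadar MCP Works"), as an added example that is not part of this page and not Vinkius or IBM code. The three tool names come from the page; their argument names (query, search_id), result fields (search_id, status, events) and the FakeQRadar stand-in that plays the tools offline are assumptions. The status values are the ones QRadar's own Ariel search API reports, and the AQL uses standard AQL functions. The example also shows the one check an agent must not skip: the IPs and timestamps it splices into the query come from the chat, so they are parsed as IPs and timestamps first rather than pasted into the WHERE clause as free text.

```python
"""Drive an asynchronous QRadar AQL search to completion via the three search
tools. Added example, not Vinkius or IBM code: the tool names come from the
page; argument names (query, search_id), result fields (search_id, status,
events) and the FakeQRadar stand-in are assumptions. The status values are
the ones QRadar's Ariel search API itself reports."""
import ipaddress
import time
from typing import Any, Callable, Dict, List

IN_PROGRESS = {"WAIT", "EXECUTE", "SORTING"}
TERMINAL_FAIL = {"CANCELED", "ERROR"}
Tool = Callable[..., Dict[str, Any]]


def build_ip_pair_query(src: str, dst: str, start: str, stop: str) -> str:
    """AQL for every event between two hosts in a time window.

    The IPs and timestamps come from the analyst's chat message, so they are
    parsed before being spliced into the query: text that is not a literal IP
    or timestamp raises ValueError instead of rewriting the WHERE clause.
    """
    src_ip, dst_ip = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
    for ts in (start, stop):
        time.strptime(ts, "%Y-%m-%d %H:%M")
    return (
        "SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS ts, sourceip, "
        "destinationip, destinationport, username, QIDNAME(qid) AS event_name, "
        "LOGSOURCENAME(logsourceid) AS log_source FROM events "
        f"WHERE sourceip = '{src_ip}' AND destinationip = '{dst_ip}' "
        f"START '{start}' STOP '{stop}'"
    )


def run_aql_search(execute_aql: Tool, get_aql_status: Tool, get_aql_results: Tool,
                   query: str, timeout_s: float = 300.0, poll_s: float = 2.0,
                   clock=time.monotonic, sleep=time.sleep) -> List[Dict[str, Any]]:
    """execute_aql -> poll get_aql_status -> get_aql_results, with the failure
    modes handled: CANCELED/ERROR never fetch results, an unknown status is an
    error rather than 'still running', and a stuck search hits a deadline."""
    search_id = execute_aql(query=query)["search_id"]
    deadline = clock() + timeout_s
    while True:
        status = get_aql_status(search_id=search_id)["status"]
        if status == "COMPLETED":
            return get_aql_results(search_id=search_id)["events"]
        if status in TERMINAL_FAIL:
            raise RuntimeError(f"search {search_id} ended with status {status}")
        if status not in IN_PROGRESS:
            raise RuntimeError(f"search {search_id} reported unknown status {status!r}")
        if clock() >= deadline:
            raise TimeoutError(f"search {search_id} still {status} after {timeout_s}s")
        sleep(poll_s)


class FakeQRadar:
    """Constructed stand-in for the MCP tools: each status poll moves a search
    one step along the lifecycle list given at construction."""

    def __init__(self, lifecycle: List[str], events: List[Dict[str, Any]]):
        self.lifecycle, self.events, self.step = list(lifecycle), events, {}

    def execute_aql(self, query: str) -> Dict[str, Any]:
        search_id = f"search-{len(self.step) + 1}"  # constructed id
        self.step[search_id] = 0
        return {"search_id": search_id, "status": self.lifecycle[0]}

    def get_aql_status(self, search_id: str) -> Dict[str, Any]:
        i = self.step[search_id]
        self.step[search_id] = min(i + 1, len(self.lifecycle) - 1)
        return {"search_id": search_id, "status": self.lifecycle[i]}

    def get_aql_results(self, search_id: str) -> Dict[str, Any]:
        if self.lifecycle[self.step[search_id]] != "COMPLETED":
            raise RuntimeError("results requested before the search completed")
        return {"events": self.events}


# Constructed sample row, shaped like the columns the query selects.
SAMPLE_EVENTS = [{"ts": "2024-03-01 09:15:02", "sourceip": "10.0.0.5",
                  "destinationip": "10.0.1.20", "destinationport": 445,
                  "username": "jsmith", "event_name": "SMB Session Setup",
                  "log_source": "WindowsDC01"}]


def investigate(src: str, dst: str, start: str, stop: str,
                qradar=None) -> List[Dict[str, Any]]:
    """The page's 'prove the connection' use case end to end. Runs against the
    fake by default; pass any object exposing the three tools to use a real one."""
    fake = qradar is None
    if fake:
        qradar = FakeQRadar(["WAIT", "EXECUTE", "SORTING", "COMPLETED"], SAMPLE_EVENTS)
    query = build_ip_pair_query(src, dst, start, stop)
    return run_aql_search(qradar.execute_aql, qradar.get_aql_status, qradar.get_aql_results,
                          query, sleep=(lambda _: None) if fake else time.sleep)


if __name__ == "__main__":
    for row in investigate("10.0.0.5", "10.0.1.20", "2024-03-01 09:00", "2024-03-01 10:00"):
        print(row)
```

The poll loop only fetches results on COMPLETED; CANCELED and ERROR raise, an unrecognised status is treated as a failure rather than as "still running", and the deadline stops an agent from polling a stuck search indefinitely. Swapping FakeQRadar for a real MCP client is a matter of passing callables with the same three names.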
Common Questions About IBM QRadar MCP
How do I list all active security incidents using the get_offenses tool?
Call get_offenses. This tool returns a list of all currently detected security offenses in your environment.
What is the best way to get detailed information for a specific offense using get_offense_details?
Pass the specific offense ID to get_offense_details. This provides a comprehensive report, including the severity, full description, and affected assets for that single incident.
Can I map the network topology using get_network_hierarchy?
Yes, call get_network_hierarchy. It lists the entire network map, helping you visualize the potential lateral movement path during an attack.
How do I run custom log searches with execute_aql?
Use execute_aql and provide your Ariel Query Language (AQL) query string. This returns a search ID, which you then use with get_aql_status to track progress and with get_aql_results to fetch the data once the search completes.
What does get_rules do?
The get_rules tool lists all the correlation rules in QRadar. This is useful for compliance and for understanding what logic is actively watching for threats.
How do I check if an AQL search is finished using get_aql_status?
You use get_aql_status to check the search status. It returns the current state of your async query, letting you know when the results are ready to fetch.
What is the process for listing all available log sources with get_log_sources?
Call get_log_sources to get a list of all QRadar log sources. This helps you identify exactly what data feeds are available for analysis.
How do I update the details of an existing offense using update_offense?
The update_offense tool lets you change existing offense data. You pass the offense ID and the new details you want to write back into QRadar. Because this call changes QRadar state, confirm the offense ID and the intended change before letting the agent make it.