How to Use the IBM QRadar MCP in CrewAI

Q: Can a CrewAI team autonomously resolve an IBM QRadar offense?

Yes, a remediation agent can call updateoffense to close benign alerts or assign high-priority incidents to specific analysts based on the findings of the investigator agent.

Q: How does CrewAI handle large-scale Ariel queries in IBM QRadar?

The hunting agent uses executeaql to start the search asynchronously. It polls getaqlstatus in a loop, and only triggers getaqlresults once the query is fully completed to avoid breaking API limits.

Q: How do I restrict which QRadar tools my CrewAI agents can use?

Use the MCPServerHTTP class from crewai.mcp and define a toolfilter. This lets you expose read-only tools like getrules to your research agents while keeping write access restricted on the MCP Server.

Deploy a collaborative CrewAI team to monitor, analyze, and escalate IBM QRadar offenses autonomously with shared memory.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect IBM QRadar MCP to CrewAI

Create your Vinkius account to connect IBM QRadar to CrewAI and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup IBM QRadar with CrewAI

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Collaborative incident response with CrewAI

Run a multi-agent team where each agent has a specific job in your SOC using this MCP connection. One agent acts as the Triage Officer, calling `get_offenses` to spot new alerts, while the Analyst Agent uses `get_offense_details` to dissect the payload. The crew shares context in real-time, allowing them to coordinate complex investigations. Instead of a single model getting overwhelmed, specialized agents work together to isolate the threat.

Deep threat hunting via autonomous Ariel searches

Give your threat hunting agent the ability to run complex historical searches without human intervention via this MCP toolset. The agent uses `execute_aql` to search through billions of raw events based on indicators of compromise. It monitors progress with `get_aql_status` and retrieves the payload via `get_aql_results`. The agent then compares these logs against your `get_network_hierarchy` to see if the attacker is moving laterally.

Automated log source auditing via MCP Server

Keep your SIEM healthy by assigning an agent to audit your incoming telemetry. The auditing agent queries `get_log_sources` to locate silent systems that stopped sending events. It cross-references this list against `get_reference_sets` to verify if the inactive hosts are critical assets. The agent then writes a summary report and flags the broken log sources for your engineering team.

Setup guide

Set up IBM QRadar MCP in CrewAI

Prerequisites

Python 3.10+ installed
crewai package (pip install crewai)
Active Vinkius subscription with a valid endpoint token

1

Install CrewAI
Run pip install crewai to install the framework. MCP support is built-in via the mcps parameter.
2

Add the MCP URL to your agent
Pass your Vinkius endpoint directly to the mcps list. Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. CrewAI handles tool discovery and caching automatically.
3

Kick off your crew
Create a Crew with your agent and tasks. Call crew.kickoff() — the agent will automatically invoke IBM QRadar tools as needed.

crew.py

from crewai import Agent, Task, Crew

agent = Agent(
    role="IBM QRadar Analyst",
    goal="Access and analyze IBM QRadar data via MCP.",
    backstory="Expert analyst with direct IBM QRadar access.",
    mcps=[
        "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    ],
)

task = Task(
    description="List recent IBM QRadar transactions",
    agent=agent,
    expected_output="A summary of recent activity",
)

crew = Crew(agents=[agent], tasks=[task])
result = crew.kickoff()
print(result)

Get your connection token →

Prerequisites

Python 3.10+ installed
crewai + crewai-tools packages
Active Vinkius subscription with a valid endpoint token

1

Install dependencies
Run pip install crewai crewai-tools. The MCPServerAdapter handles lifecycle management and tool conversion.
2

Connect with MCPServerAdapter
Use MCPServerAdapter as a context manager with SseServerParameters pointing to your Vinkius endpoint. The adapter automatically manages connection lifecycle.
3

Assign tools and run
Pass the returned mcp_tools to your agent's tools parameter. The adapter converts MCP tools to native BaseTool objects compatible with all CrewAI agents.

crew.py

from crewai import Agent, Task, Crew
from crewai_tools import MCPServerAdapter
from mcp import SseServerParameters

server_params = SseServerParameters(
    url="https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
)

with MCPServerAdapter(server_params) as mcp_tools:
    agent = Agent(
        role="IBM QRadar Analyst",
        goal="Access and analyze IBM QRadar data via MCP.",
        backstory="Expert analyst with direct IBM QRadar access.",
        tools=mcp_tools,
    )

    task = Task(
        description="List recent IBM QRadar transactions",
        agent=agent,
        expected_output="A summary of recent activity",
    )

    crew = Crew(agents=[agent], tasks=[task])
    result = crew.kickoff()
    print(result)

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by IBM QRadar. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect IBM QRadar now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about IBM QRadar MCP in CrewAI

CrewAI agents use shared memory to pass findings down the line. The triage agent retrieves the alert via `get_offenses`, and the analysis agent uses that ID to call `get_offense_details` without repeating the search.

Yes, a remediation agent can call `update_offense` to close benign alerts or assign high-priority incidents to specific analysts based on the findings of the investigator agent.

The hunting agent uses `execute_aql` to start the search asynchronously. It polls `get_aql_status` in a loop, and only triggers `get_aql_results` once the query is fully completed to avoid breaking API limits.

Use the `MCPServerHTTP` class from `crewai.mcp` and define a `tool_filter`. This lets you expose read-only tools like `get_rules` to your research agents while keeping write access restricted on the MCP Server.

All API traffic passes through an ephemeral, zero-trust V8 sandbox. This prevents sensitive network mappings from `get_network_hierarchy` or log payloads from being cached or exposed to external parties.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript