How to Use the IBM QRadar MCP in LangChain
Run multi-step threat hunts in IBM QRadar by chaining Ariel queries and offense updates inside your LangChain agent.
Connect IBM QRadar MCP to LangChain
Create your Vinkius account to connect IBM QRadar to LangChain and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.
Chain AQL searches dynamically with LangChain
LangChain agents handle complex security triage by linking multiple tool calls together. When a new alert hits your system, the agent uses `get_offenses` to pull the latest threats via the IBM QRadar MCP Server, then parses the payload to feed the offense ID straight into `get_offense_details`. You don't write glue code. The output of one step naturally becomes the input for the next. For deep investigations, your agent kicks off an Ariel query using `execute_aql`, checks the progress with `get_aql_status`, and pulls the final logs via `get_aql_results` once it's done. LangSmith traces every single hop in this chain. You see exactly which tool inputs and outputs triggered a specific security decision without guessing.
Automate offense remediation pipelines
This MCP Server integration lets your LangChain agent run closed-loop remediation workflows. The agent evaluates the threat level of an active offense, checks your internal IP rules using `get_reference_sets`, and then makes the call to modify the alert status with `update_offense`. Because LangChain supports multi-server setups, you can combine this security data with other tools in the same chain. Your agent pulls QRadar log sources with `get_log_sources` and instantly cross-references them against internal databases before updating the offense.
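Because `update_offense` changes state in QRadar and the tool list is discovered from a remote server at run time, the list can be filtered before it reaches the agent. The sketch below is an added example, not Vinkius or LangChain code: `FakeTool`, `ApprovedTool` and `select_tools` are hypothetical names, the tool objects are constructed stand-ins exposing only `.name` and `.invoke()`, and the read/write split of the tool names is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable

# Tool names taken from this page; the read/write split is an assumption.
READ_TOOLS = frozenset({
    "get_offenses", "get_offense_details", "execute_aql", "get_aql_status",
    "get_aql_results", "get_reference_sets", "get_log_sources",
    "get_network_hierarchy", "get_rules",
})
WRITE_TOOLS = frozenset({"update_offense"})

@dataclass
class FakeTool:
    """Constructed stand-in for a discovered tool: only .name and .invoke()."""
    name: str
    def invoke(self, args: dict) -> str:
        return f"{self.name} ok"

@dataclass
class ApprovedTool:
    """Wraps a write tool so every call needs an approver decision and is logged."""
    inner: object
    approve: Callable[[str, dict], bool]
    audit: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.inner.name

    def invoke(self, args: dict):
        allowed = bool(self.approve(self.name, args))
        self.audit.append((self.name, args, allowed))  # record every attempt
        if not allowed:
            raise PermissionError(f"{self.name} denied by approver")
        return self.inner.invoke(args)

def select_tools(discovered, approve=None):
    """Deny by default: keep known read tools, gate known write tools, drop the rest."""
    kept, dropped = [], []
    for tool in discovered:
        if tool.name in READ_TOOLS:
            kept.append(tool)
        elif tool.name in WRITE_TOOLS and approve is not None:
            kept.append(ApprovedTool(tool, approve))
        else:
            dropped.append(tool.name)  # unknown tool, or write tool with no approver
    return kept, dropped
```

The `dropped` list is worth logging on every start-up, since a new name there means the server's tool set has changed since the allowlist was written.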
Map network context to active threats
Security events mean nothing without context. Your LangChain agent uses this MCP toolset to query `get_network_hierarchy` to instantly see if an attacking IP belongs to a critical database zone or a public guest network. It then uses `get_rules` to figure out which specific correlation rule triggered the event. This gives the agent the complete picture, allowing it to write precise summaries directly into the offense notes when calling `update_offense`.
Set up IBM QRadar MCP in LangChain
Prerequisites
- Python 3.10+ installed
- `langchain-mcp-adapters` + `langgraph` packages
- Active Vinkius subscription with a valid endpoint token

1. Install dependencies
Run `pip install langchain-mcp-adapters langgraph langchain-openai`. The MCP adapters package converts MCP tools into native LangChain `BaseTool` objects.

2. Connect via HTTP transport
Use `MultiServerMCPClient` with `"transport": "http"` pointing to your Vinkius endpoint. Replace `[YOUR_TOKEN_HERE]` with your token from cloud.vinkius.com.

3. Create a ReAct agent
Pass the discovered tools to `create_react_agent()` from LangGraph. The agent automatically routes IBM QRadar tool calls through the MCP protocol.

4. Run with any LLM
Swap `ChatOpenAI` for `ChatAnthropic`, `ChatGoogleGenerativeAI`, or any LangChain-compatible model. The MCP tools work identically across all providers.
```python
import asyncio

from langchain_mcp_adapters.client import MultiServerMCPClient
from langgraph.prebuilt import create_react_agent
from langchain_openai import ChatOpenAI


async def main():
    # Point the client at the Vinkius endpoint; replace the token placeholder.
    client = MultiServerMCPClient({
        "ibm-qradar-mcp": {
            "transport": "http",
            "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp",
        }
    })
    # Discover the MCP tools as LangChain tool objects (get_tools is a coroutine).
    tools = await client.get_tools()
    agent = create_react_agent(
        ChatOpenAI(model="gpt-4o"),
        tools,
    )
    result = await agent.ainvoke({
        "messages": "List recent IBM QRadar transactions"
    })
    # The last message in the returned state is the agent's final answer.
    print(result["messages"][-1].content)


asyncio.run(main())
```

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by IBM QRadar. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
Why Choose Vinkius
Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.
Real-time monitoring
Live visibility into every interaction. Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.
Built-in savings
60% lower AI costs. Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.
Single dashboard
One place for every integration. Every tool your AI connects to, managed from a single screen. One account, complete control.