IBM QRadar MCP for AI. Investigate and act on network threats instantly.
Works with every AI agent you already use
…and any MCP-compatible client
Connect to your AI in seconds.
IBM QRadar connects your AI agent directly to its security data streams via MCP. Use this toolset to analyze log sources, map network activity, and investigate specific threat offenses without leaving your chat window.
It gives you deep visibility into what's happening in the network.
What your AI can do
Execute aql
Runs a custom query using Ariel Query Language (AQL) and returns a search ID for later retrieval.
Get aql results
Pulls the final data results from an AQL search that has already completed.
Get aql status
Checks and reports the current status (running, failed, complete) of a previously executed AQL query.
Run an Ariel Query Language (AQL) search and track its progress.
Get a list of all available log data sources or map the entire QRadar network hierarchy.
Fetch a complete list of current offenses, then drill down to get specific details on any single threat.
Modify the status or information attached to an existing security offense record.
IBM QRadar: 10 Tools for Deep Security Analysis
These ten tools let you perform the full lifecycle of a security investigation, from running complex queries to updating final offense records.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Start using IBM QRadar on Vinkius
Execute Aql
Runs a custom query using Ariel Query Language (AQL) and returns a search ID for later retrieval.
Get Aql Results
Pulls the final data results from an AQL search that has already completed.
Get Aql Status
Checks and reports the current status (running, failed, complete) of a previously executed AQL query.
Get Log Sources
Lists all available log sources that QRadar is actively monitoring.
Get Network Hierarchy
Retrieves a structured list of the network components and how they relate to each other.
Get Offense Details
Fetches all specific details associated with one particular security offense ID.
Get Offenses
Provides a list of all current, open security offenses detected by QRadar.
Get Reference Sets
Lists the predefined reference sets used for correlation and data validation within...
Get Rules
Retrieves a list of all active correlation rules defined in the system.
Update Offense
Changes the status or adds new notes to an existing security offense record.
Security and governance baked right in.
Pick your AI client below to get set up. Create a Vinkius account, subscribe, and you're up and running. Vinkius hosts the backend and supports the Streamable HTTP and SSE transports plus OAuth2 out of the box, so there is no routing to configure on your side.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with IBM QRadar, then connect any of our 5,100+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,100+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by IBM QRadar. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
Cloud Hosted
Managed infra
V8 Isolated
Sandboxed per request
Zero-Trust Proxy
No stored credentials
DLP Enforced
Policy on every call
GDPR Compliant
EU data residency
Token Compression
~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This connection provides 10 powerful capabilities that interface natively with Claude, ChatGPT, Cursor, and other compatible AI platforms. No middleware. No custom integration required.
Manual Incident Investigation: The Clipboard Nightmare
Today, when an alert hits, you open QRadar, run a query, copy the resulting IP addresses into a spreadsheet. Then, you have to manually navigate to another tab to check the network flow map for those IPs. You then jump back and find the specific offense ID, copying it over again just to see what details are attached.
With this MCP, your agent handles that whole sequence. You tell it: 'Check all offenses related to this IP range.' It runs `get_offenses`, places the addresses in context with `get_network_hierarchy` (which returns the hierarchy as structured data, not a picture), and gives you the full scope without leaving the chat window.
Getting Context with `get_offense_details`
Before this MCP, understanding an offense meant guessing. You'd get a list from `get_offenses`, copy the ID, and then hunt down the correct dashboard to see if it was resolved or what systems were involved.
Now you just ask your agent for the details. It uses `get_offense_details` immediately, giving you everything—the timeline, the rules that fired, and the associated network assets—in one structured response.
What your AI can actually do with this
Incident response shouldn't require jumping between a dozen dashboards. This connector lets your agent talk directly to IBM QRadar. You can start by listing available log sources or getting an overview of all active security offenses. Need to dig deeper? Run a complex query using AQL, check its status, and then pull the results into context.
The whole process happens through natural conversation. If you're working in Vinkius, this MCP plugs directly into your existing agent setup, letting you analyze everything from network topology maps to specific correlation rules. You get the full investigative cycle—from broad data collection to targeted offense updates—all managed by a single interface.
Here's how it actually works
The tools give your agent one complete workflow: search -> poll status -> receive data -> act on findings.
First, submit a search with execute_aql to define the scope of your investigation. It returns a search ID, not rows.
Next, poll get_aql_status with that ID until it reports complete (or failed, in which case stop). Only then call get_aql_results to pull the data into your agent's context.
Finally, if you need to act on findings, list existing offenses with get_offenses, read the full record with get_offense_details, and only then adjust it via update_offense.
Who is this actually for?
This MCP is for the Tier 2 SOC analyst who's tired of manually running reports and copy-pasting IDs between five different dashboards. It's also built for DevSecOps engineers who need to confirm which detection rules and reference data are in place before a deployment.
They use this MCP to triage incoming alerts, running get_offenses first, then using get_network_hierarchy to understand the impacted systems. They're basically automating their entire incident playbook.
When a high-priority alert hits, they need rapid context. They use this MCP to pull get_offense_details, check related log sources with get_log_sources, and document the findings immediately.
They integrate it into CI/CD pipelines, using the agent to list the active correlation rules with get_rules and the reference sets those rules depend on with get_reference_sets, so a deployment is not signed off while an expected rule or list is missing. Note that these tools read the detection configuration; they do not test code.
What Changes When You Connect
Automate complex queries: Instead of building a query in the UI, your agent runs execute_aql to perform deep dives into log data, saving time.
Track findings statefully: You don't just get raw logs. By running get_offenses, you get a list of threats and can immediately use get_offense_details to understand the context behind each one.
Map everything at once: Need to know what systems are talking to each other? Use get_network_hierarchy. It maps out your entire environment without needing manual diagramming.
Maintain compliance records: The ability to call update_offense means you can record actions, changes, and findings directly into the system of record.
Validate security controls: Before deployment, enumerate what's covered by running get_rules, and check that the reference sets those rules depend on exist and are populated with get_reference_sets.
See it in action
A critical alert pops up at 3 am.
The agent is prompted with a high-severity alert. It first calls get_offenses to confirm the offense exists, then uses get_offense_details to gather context on the affected user and asset. Finally, it runs update_offense to set the status to 'Investigating' and attach a note summarizing what it found, so the SOC team picks up an audit trail rather than a bare status change.
A new application is going live.
The DevSecOps engineer wants to confirm detection coverage. They use this MCP to list the active rules via get_rules, check the reference sets those rules read from via get_reference_sets, and then verify the application's network segment with get_network_hierarchy before signing off.
Need to investigate a suspicious IP range.
The analyst doesn't know where to look. They start by calling execute_aql with the IP range, then use get_aql_status and get_aql_results until they have enough data points to determine if it’s a false positive.
Audit log retention policy check.
A compliance officer needs an inventory. They call get_log_sources to list every active data stream and compare that list against the sources the retention policy requires, flagging any required source that is missing or no longer reporting.
The honest tradeoffs
Treating it like a simple search tool
The user runs execute_aql and expects rows back immediately. They forget that AQL searches are asynchronous: execute_aql returns only a search ID.
Always follow the initial query with get_aql_status. Wait until it reports complete (and stop if it reports failed) before calling get_aql_results; put a timeout on the polling loop so a stuck search doesn't hang the agent.
Confusing listing with detail retrieval
The user sees a list of offenses from get_offenses and assumes they have all the information. They don't know which ones are actually critical.
To get full context, you must call get_offense_details using the specific ID returned by get_offenses. Don't trust a list view alone.
Modifying data without context
An agent is told to 'close an offense' and immediately calls update_offense('closed') without any reason or notes.
Always include a detailed rationale in the update. Use get_offense_details first, then use update_offense, making sure your input includes a comprehensive note on why you are closing it.
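The workflow in "Here's how it actually works" and the three tradeoffs above (asynchronous searches, list versus detail, updates without a rationale) are shown below as an added example. This is illustration code, not Vinkius or IBM code: the tool names come from the page, but their parameter names, return shapes and the status strings 'running' / 'complete' / 'failed' are assumptions, and `FakeQRadarTools` is a constructed stand-in for the real MCP client so the example runs offline. The AQL statement is an illustrative query over the IP range scenario, not one from the page.

```python
"""Added example: search -> poll -> results -> act, with the guard rails the
page's tradeoffs call for. Tool names are the page's; parameters, return
shapes, status strings and all data are ASSUMED / constructed."""
import itertools
import time


class AqlSearchError(RuntimeError):
    """An AQL search failed or did not finish before the deadline."""


class FakeQRadarTools:
    """Offline stand-in for the MCP tools (assumed API, constructed data)."""

    def __init__(self, polls_until_complete=2):
        self._searches = {}
        self._ids = itertools.count(1)
        self._polls_until_complete = polls_until_complete
        # Constructed open offenses; 101 sits inside the range queried below.
        self.offenses = {
            101: {"id": 101, "status": "OPEN", "source_ip": "10.20.30.7",
                  "description": "Multiple login failures", "notes": []},
            102: {"id": 102, "status": "OPEN", "source_ip": "192.0.2.44",
                  "description": "Outbound beaconing", "notes": []},
        }

    def execute_aql(self, query):
        search_id = f"search-{next(self._ids)}"
        self._searches[search_id] = {"query": query, "polls": 0}
        return {"search_id": search_id}          # only an ID, never rows

    def get_aql_status(self, search_id):
        search = self._searches[search_id]
        search["polls"] += 1
        if "FROM nowhere" in search["query"]:    # constructed failure case
            return {"status": "failed"}
        done = search["polls"] >= self._polls_until_complete
        return {"status": "complete" if done else "running"}

    def get_aql_results(self, search_id):
        # Constructed rows, as if returned for a query over 10.20.30.0/24.
        return {"events": [
            {"sourceip": "10.20.30.7", "destinationip": "198.51.100.9", "count": 412},
            {"sourceip": "10.20.30.12", "destinationip": "198.51.100.9", "count": 3},
        ]}

    def get_offenses(self):
        return [o for o in self.offenses.values() if o["status"] == "OPEN"]

    def get_offense_details(self, offense_id):
        if offense_id not in self.offenses:
            raise KeyError(f"unknown offense {offense_id}")
        return dict(self.offenses[offense_id])

    def update_offense(self, offense_id, status=None, note=None):
        if offense_id not in self.offenses:
            raise KeyError(f"unknown offense {offense_id}")   # nothing updated
        offense = self.offenses[offense_id]
        if status:
            offense["status"] = status
        if note:
            offense["notes"].append(note)
        return dict(offense)


def run_aql(tools, query, timeout_s=60.0, poll_interval_s=1.0,
            clock=time.monotonic, sleep=time.sleep):
    """execute_aql, then poll get_aql_status until complete.

    Raises AqlSearchError on a failed search or once the deadline passes, so
    get_aql_results is never called for a search that has not finished."""
    search_id = tools.execute_aql(query)["search_id"]
    deadline = clock() + timeout_s
    while True:
        status = tools.get_aql_status(search_id)["status"]
        if status == "complete":
            return tools.get_aql_results(search_id)
        if status == "failed":
            raise AqlSearchError(f"{search_id} failed")
        if clock() > deadline:
            raise AqlSearchError(f"{search_id} still '{status}' after {timeout_s}s")
        sleep(poll_interval_s)


def close_offense(tools, offense_id, rationale):
    """Close an offense only with a written rationale, stored as a note."""
    if not rationale or not rationale.strip():
        raise ValueError("refusing to close an offense without a rationale")
    before = tools.get_offense_details(offense_id)      # read before you write
    note = f"Closed: {rationale.strip()} (was {before['status']})"
    return tools.update_offense(offense_id, status="CLOSED", note=note)


def investigate_ip_range(tools, cidr, sleep=time.sleep):
    """The page's 'suspicious IP range' scenario, end to end."""
    # Illustrative AQL; INCIDR() and LAST ... HOURS are standard AQL constructs.
    query = (f"SELECT sourceip, destinationip, COUNT(*) AS count FROM events "
             f"WHERE INCIDR('{cidr}', sourceip) "
             f"GROUP BY sourceip, destinationip LAST 24 HOURS")
    rows = run_aql(tools, query, sleep=sleep)["events"]
    seen = {row["sourceip"] for row in rows}
    related = [o["id"] for o in tools.get_offenses() if o["source_ip"] in seen]
    return {"rows": rows, "related_offenses": related}


if __name__ == "__main__":
    qradar = FakeQRadarTools()
    summary = investigate_ip_range(qradar, "10.20.30.0/24", sleep=lambda _: None)
    print(summary["related_offenses"])       # [101]
    print(close_offense(qradar, 101, "benign: scheduled vulnerability scan")["status"])
```

`run_aql` is the piece to keep when you swap the fake for the real client: it treats the search ID as a handle, refuses to fetch results until the status says complete, and bounds the wait. `close_offense` encodes the third tradeoff as a hard rule rather than a prompt instruction, so an agent told to "close it" cannot reach update_offense without a rationale; the prior status is captured in the note to give the audit trail something to check.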
When It Fits, When It Doesn't
Use this MCP if your investigation requires correlating multiple data streams—logs, network maps, and threat profiles—in a single, automated workflow. The key is that the process involves state management; you query something, then check its status, then retrieve it, and finally act on it.
Don't use this if all you need is to read a static report or run simple SQL queries against a dedicated database (those are better handled by generic database connectors). If your goal is only viewing network maps without any log data context, check for a specialized topology tool instead. This MCP is built for the full lifecycle of incident investigation.
Questions you might have
How do I run a complex query using `execute_aql`?
You provide your Ariel Query Language (AQL) statement. This tool only submits the query and returns a search ID; you must follow up with get_aql_status to track when it's done.
Can I see all my active security threats using `get_offenses`?
Yes. Running get_offenses gives you a list of current offenses. For the deep dive, pass one of those IDs into get_offense_details.
What does `update_offense` actually do?
It lets your agent modify a security offense record. This is how you update the status or add notes after investigation, leaving an audit trail.
Which tool lists all available data sources? Is it `get_log_sources`?
Yes. Use get_log_sources to get a clean list of everything QRadar is monitoring, which helps you confirm coverage for compliance.
If I run a big query using `execute_aql`, how do I know when it's finished, and what status tool should I use?
Call get_aql_status with the search ID returned by execute_aql. It tells you whether the search is still running, has failed, or is complete. Once it reports complete, run get_aql_results to pull the actual data.
When I call `get_network_hierarchy`, can I filter the results by specific IP ranges or subnet groups?
The tool can return the whole hierarchy. Where your client lets you constrain the call, limit it to the segment you care about; otherwise filter the response before handing it to the model. Either way, avoid flooding your agent's context with irrelevant network data.
What's the difference between using `get_rules` and `get_reference_sets`, and how do they impact offense detection?
Rules define correlation logic; they dictate how multiple events relate to each other and when an offense is raised. Reference sets are lists of values (IP addresses, usernames, hashes, and so on) that rule tests check membership against; they are maintained separately from the rules themselves.
For `update_offense`, what critical fields must I provide, and what happens if the offense ID is incorrect?
You need at minimum the QRadar offense ID and the field you want to change (such as status), plus a note explaining the change. If the ID is wrong or the data fails validation, the MCP returns an error and nothing is updated.
We've already built the connector for IBM QRadar. Just plug in your AI agents and start using Vinkius.
No hosting. No infrastructure. No complex setup.
All 10 tools are live and waiting.
You're up and running in seconds.
Vinkius gives your AI agents access to the full catalog of app connectors, all fully managed, secure, and enterprise-ready. One subscription, every tool you need.
Built, hosted, and secured by Vinkius. You just connect and go.