# IBM QRadar MCP

> IBM QRadar connects your AI agent directly to its security data streams via MCP. Use this toolset to analyze log sources, map network activity, and investigate specific threat offenses without leaving your chat window. It gives you deep visibility into what's happening in the network.

## Overview
- **Category:** industry-titans
- **Price:** Free

## Description

Incident response shouldn't require jumping between a dozen dashboards. This connector lets your agent talk directly to IBM QRadar. You can start by listing available log sources or getting an overview of all active security offenses. Need to dig deeper? Run a complex query using AQL, check its status, and then pull the results into context. The whole process happens through natural conversation. If you're working in Vinkius, this MCP plugs directly into your existing agent setup, letting you analyze everything from network topology maps to specific correlation rules. You get the full investigative cycle—from broad data collection to targeted offense updates—all managed by a single interface.

## Tools

### execute_aql
Runs a custom query using Ariel Query Language (AQL) and returns a search ID for later retrieval.

### get_aql_results
Pulls the final data results from an AQL search that has already completed.

### get_aql_status
Checks and reports the current status (running, failed, complete) of a previously executed AQL query.

### get_log_sources
Lists all available log sources that QRadar is actively monitoring.

### get_network_hierarchy
Retrieves a structured list of the network components and how they relate to each other in QRadar.

### get_offense_details
Fetches all specific details associated with one particular security offense ID.

### get_offenses
Provides a list of all current, open security offenses detected by QRadar.

### get_reference_sets
Lists the predefined reference sets used for correlation and data validation within QRadar.

### get_rules
Retrieves a list of all active correlation rules defined in the system.

### update_offense
Changes the status or adds new notes to an existing security offense record.

## Capabilities

### Execute custom log queries
Run an Ariel Query Language (AQL) search and track its progress.

### List network assets and sources
Get a list of all available log data sources or map the entire QRadar network hierarchy.

### Identify active security threats
Fetch a complete list of current offenses, then drill down to get specific details on any single threat.

### Manage and update findings
Modify the status or information attached to an existing security offense record.

## Use Cases

### A critical alert pops up at 3 am.
The agent is prompted with a high-severity alert. It first calls `get_offenses` to confirm the threat, then uses `get_offense_details` to gather context on the affected user and asset. Finally, it runs `update_offense` to mark the incident as 'Investigating' for the SOC team.

### A new application is going live.
The DevSecOps engineer wants to ensure compliance. They use this MCP to check available rules via `get_rules`, validate expected inputs using `get_reference_sets`, and then manually verify the network path using `get_network_hierarchy` before signing off.

### Need to investigate a suspicious IP range.
The analyst doesn't know where to look. They start by calling `execute_aql` with the IP range, then use `get_aql_status` and `get_aql_results` until they have enough data points to determine if it’s a false positive.

### Audit log retention policy check.
A compliance officer needs an inventory. They call `get_log_sources` to list every active data stream and then use `get_reference_sets` to confirm that all required logging types are present across the environment.

## Benefits

- Automate complex queries: Instead of building a query in the UI, your agent runs `execute_aql` to perform deep dives into log data, saving time.
- Track findings statefully: You don't just get raw logs. By running `get_offenses`, you get a list of threats and can immediately use `get_offense_details` to understand the context behind each one.
- Map everything at once: Need to know what systems are talking to each other? Use `get_network_hierarchy`. It maps out your entire environment without needing manual diagramming.
- Maintain compliance records: The ability to call `update_offense` means you can record actions, changes, and findings directly into the system of record.
- Validate security controls: Before deployment, check what's covered by running `get_rules` against known standards listed in `get_reference_sets`.

## How It Works

In short, the connector gives your agent a complete workflow: search -> wait/check status -> receive data -> act on findings.

1. First, initiate a search query using `execute_aql` to define the scope of your investigation.
2. Next, use `get_aql_status` repeatedly until the process completes. Once done, call `get_aql_results` to pull the data into your agent's context.
3. Finally, if you need to act on findings, check for existing issues with `get_offenses`, then grab details using `get_offense_details`, and finally adjust the record via `update_offense`.
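The search -> poll -> fetch loop from the steps above, written as agent-side Python (an added example, not the connector's own code). The tool names come from this page; the argument and result field names (`query`, `search_id`, `status`, `rows`) and the exact status strings are assumptions about the connector's schema, and `make_fake_qradar` is a constructed stand-in for the MCP server so the loop runs offline.

```python
import time
from typing import Any, Callable

# Generic MCP tool-call callback: (tool name, arguments) -> tool result.
ToolCaller = Callable[[str, dict[str, Any]], dict[str, Any]]

class AqlSearchError(RuntimeError):
    """Search failed or did not complete within the polling budget."""

def run_aql_search(call_tool: ToolCaller, query: str, max_polls: int = 150,
                   interval_s: float = 2.0,
                   sleep: Callable[[float], None] = time.sleep) -> list[dict]:
    """execute_aql -> get_aql_status (repeated) -> get_aql_results.
    Results are fetched only once the status is 'complete'; a 'failed' status
    raises instead of returning empty rows the agent could misread as "no
    activity", and max_polls stops a stuck search from being polled forever."""
    search_id = call_tool("execute_aql", {"query": query})["search_id"]
    for _ in range(max_polls):
        status = call_tool("get_aql_status", {"search_id": search_id})["status"]
        if status == "complete":
            return call_tool("get_aql_results", {"search_id": search_id})["rows"]
        if status == "failed":
            raise AqlSearchError(f"search {search_id} failed")
        sleep(interval_s)
    raise AqlSearchError(f"search {search_id} still running after {max_polls} polls")

# AQL for the "suspicious IP range" use case; INCIDR is a standard AQL function.
SUSPICIOUS_RANGE_AQL = ("SELECT sourceip, destinationip, COUNT(*) AS hits FROM events "
                        "WHERE INCIDR('10.0.0.0/24', sourceip) "
                        "GROUP BY sourceip, destinationip LAST 24 HOURS")

def make_fake_qradar(fail: bool = False, polls_needed: int = 3) -> ToolCaller:
    """Constructed stand-in for the MCP server (assumed schema): the search
    reports 'running' until polls_needed, then 'complete' or 'failed'."""
    polls = 0
    def call_tool(name: str, args: dict[str, Any]) -> dict[str, Any]:
        nonlocal polls
        if name == "execute_aql":
            return {"search_id": "search-1"}
        if name == "get_aql_status":
            polls += 1
            ready = polls >= polls_needed
            return {"status": ("failed" if fail else "complete") if ready else "running"}
        if name == "get_aql_results":
            return {"rows": [{"sourceip": "10.0.0.7", "destinationip": "192.0.2.10", "hits": 42}]}
        raise ValueError(f"unknown tool {name}")
    return call_tool
```

The same loop serves the suspicious-IP-range use case above; the agent only hands rows to the offense-update step once `run_aql_search` returns, so a failed or stalled search never silently becomes a "no activity" conclusion.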

## Frequently Asked Questions

**How do I run a complex query using `execute_aql`?**
You provide your specific Ariel Query Language (AQL) statement. Remember, this function only sends the query; you must follow up with `get_aql_status` to track when it's done.

**Can I see all my active security threats using `get_offenses`?**
Yep. Running `get_offenses` gives you a list of current offenses. If you want the deep dive, you then need to pass one of those IDs into `get_offense_details`.

**What does `update_offense` actually do?**
It lets your agent modify a security offense record. This is how you update the status or add notes after investigation, ensuring an audit trail.

**Which tool lists all available data sources? Is it `get_log_sources`?**
You're right. Use `get_log_sources` to get a clean list of everything QRadar is monitoring, helping you confirm coverage for compliance.

**If I run a big query using `execute_aql`, how do I know when it's finished, and what status tool should I use?**
You must first call `get_aql_status` with the search ID returned by `execute_aql`. This tells you if the process is pending or complete. Once the status confirms completion, then you run `get_aql_results` to pull the actual data.

**When I call `get_network_hierarchy`, can I filter the results by specific IP ranges or subnet groups?**
Yes. While listing everything is possible, you should pass appropriate filters into the function call. This prevents overwhelming your AI agent with irrelevant network data and focuses on the segment you care about.

**What's the difference between using `get_rules` and `get_reference_sets`, and how do they impact offense detection?**
Rules define correlation logic; they dictate *how* multiple events relate to each other. Reference sets, however, are static lists of known good or bad data points that rules can check against.

**For `update_offense`, what critical fields must I provide, and what happens if the offense ID is incorrect?**
You need at minimum the unique QRadar offense ID and the specific field you want to change (like severity or status). If the ID is wrong or the data structure fails validation, the MCP returns an error code; nothing gets updated.