Bridges LLMs with IBM QRadar SIEM, enabling natural language access to 728+ REST endpoints via 4 MCP tools.
Configuration
{
  "mcpServers": {
    "addanuj-qradar-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "-d",
        "--name",
        "qradar-mcp-server",
        "-p",
        "8001:8001",
        "-e",
        "QRADAR_HOST=https://your-qradar-console.com",
        "-e",
        "QRADAR_API_TOKEN=your-sec-token-here",
        "-e",
        "QRADAR_VERIFY_SSL=false",
        "ghcr.io/addanuj/qradar-mcp-server:latest",
        "--host",
        "0.0.0.0",
        "--port",
        "8001"
      ],
      "env": {
        "QRADAR_HOST": "https://your-qradar-console.com",
        "QRADAR_API_TOKEN": "your-sec-token-here",
        "QRADAR_VERIFY_SSL": "false"
      }
    }
  }
}
You can use the QRadar MCP Server to interact with IBM QRadar SIEM through natural language. Instead of teaching the model hundreds of endpoints, it exposes a compact set of four MCP tools that front 728+ REST API endpoints, which keeps tool definitions small (better token efficiency) and lets you query and automate QRadar from your preferred MCP client.
You run the MCP server in your own environment (as a Docker container) and point your MCP client or LLM at it. The four MCP tools fetch data, create or update resources, delete items, and discover endpoints. Once the server is up, you issue natural-language requests through your client; the client picks a tool, and the server translates the call into the matching QRadar REST request. Typical use cases include retrieving offenses or assets, listing rules, running Ariel searches, and applying configuration changes. The server speaks HTTP with Server-Sent Events (SSE) for streaming responses, which suits both interactive use and automation. Keep in mind that the token you give the server is the authority the model acts with: create it as a QRadar authorized service whose user role and security profile grant only the data and actions you intend the LLM to have.
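How four generic tools can front a large endpoint catalog, as an added example rather than code from the QRadar MCP Server project. The catalog below is a constructed subset, the class and method names are assumptions, and the SEC header, Range pagination and fields/filter parameters are standard QRadar REST API conventions.

```python
# Added example, not the project's code: how four generic MCP tools can front
# hundreds of QRadar REST endpoints. The endpoint catalog below is a constructed
# subset and the class/method names are assumptions; the SEC and Range headers
# and the fields/filter parameters are standard QRadar REST API conventions.
import os
import re
from dataclasses import dataclass, field

# Constructed subset of the catalog: endpoint template -> allowed HTTP methods.
# A real server would load the full list (QRadar publishes it at
# /api/help/endpoints) rather than hard-code it.
CATALOG = {
    "/api/siem/offenses": {"GET"},
    "/api/siem/offenses/{offense_id}": {"GET", "POST"},
    "/api/siem/offenses/{offense_id}/notes": {"GET", "POST"},
    "/api/siem/offenses/{offense_id}/notes/{note_id}": {"GET", "DELETE"},
    "/api/asset_model/assets": {"GET"},
    "/api/analytics/rules": {"GET"},
    "/api/analytics/rules/{id}": {"GET", "POST", "DELETE"},
    "/api/reference_data/sets": {"GET", "POST"},
    "/api/reference_data/sets/{name}": {"GET", "POST", "DELETE"},
    "/api/ariel/searches": {"GET", "POST"},
    "/api/ariel/searches/{search_id}/results": {"GET"},
}


@dataclass(frozen=True)
class PreparedRequest:
    method: str
    url: str
    headers: dict
    params: dict = field(default_factory=dict)
    body: object = None

    def redacted(self) -> dict:
        """Safe-to-log view: the SEC token never reaches logs or LLM context."""
        return {"method": self.method, "url": self.url, "params": self.params,
                "headers": {k: ("<redacted>" if k == "SEC" else v) for k, v in self.headers.items()}}


class QRadarBridge:
    """Maps the four MCP tools onto catalog endpoints; builds requests, never sends them."""

    def __init__(self, host: str, token: str, verify_ssl: bool = True):
        self.host = host.rstrip("/")
        self._token = token
        self.verify_ssl = verify_ssl  # consumed by whatever HTTP client sends PreparedRequest

    @classmethod
    def from_env(cls, env=os.environ):
        # Only an explicit false/0/no disables verification; a typo fails closed.
        verify = env.get("QRADAR_VERIFY_SSL", "true").strip().lower() not in ("false", "0", "no")
        return cls(env["QRADAR_HOST"], env["QRADAR_API_TOKEN"], verify)

    @staticmethod
    def _template_for(path: str) -> str:
        for tmpl in CATALOG:
            regex = "[^/]+".join(re.escape(part) for part in re.split(r"\{[^}]+\}", tmpl))
            if re.fullmatch(regex, path):
                return tmpl
        raise ValueError(f"unknown endpoint {path!r}; use discover() to find the right path")

    def _prepare(self, method, path, params=None, body=None, extra_headers=None):
        if not path.startswith("/api/") or ".." in path:
            raise ValueError("path must be an /api/... endpoint")
        tmpl = self._template_for(path)
        if method not in CATALOG[tmpl]:  # allowlist per endpoint and method, not just per path
            raise PermissionError(f"{method} is not allowed on {tmpl}")
        headers = {"SEC": self._token, "Accept": "application/json", **(extra_headers or {})}
        return PreparedRequest(method, self.host + path, headers, dict(params or {}), body)

    # Tool 1: read any GET endpoint with QRadar's fields/filter/Range conventions.
    def get_data(self, path, fields=None, filter_expr=None, page=0, page_size=50):
        params = {k: v for k, v in (("fields", fields), ("filter", filter_expr)) if v}
        first = page * page_size
        return self._prepare("GET", path, params,
                             extra_headers={"Range": f"items={first}-{first + page_size - 1}"})

    # Tool 2: create or update (QRadar uses POST for both).
    def create_or_update(self, path, payload):
        return self._prepare("POST", path, body=payload,
                             extra_headers={"Content-Type": "application/json"})

    # Tool 3: delete, only where the catalog allows it (offenses, for instance, cannot be deleted).
    def delete_resource(self, path):
        return self._prepare("DELETE", path)

    # Tool 4: discovery, so the model asks for paths instead of guessing them.
    def discover(self, query: str):
        terms = [t for t in re.split(r"\W+", query.lower()) if t]
        scored = []
        for tmpl, methods in CATALOG.items():
            hits = sum(1 for t in terms if t in tmpl.lower())
            if hits:
                scored.append((-hits, tmpl, sorted(methods)))
        return [{"path": p, "methods": m} for _, p, m in sorted(scored)]
```

Sending the PreparedRequest is left to an HTTP client that honours verify_ssl. The point of the split is that the LLM-facing layer only ever sees redacted() output, never the token, and cannot reach an endpoint or method outside the allowlist however the request is phrased.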
Prerequisites: Docker must be installed. You run the MCP server from the provided container image, with environment variables pointing it at your QRadar instance.
Configuration and execution below reflect the recommended option: running the MCP server from the public container image. Three environment variables connect it to QRadar: QRADAR_HOST, the full QRadar console URL including the scheme; QRADAR_API_TOKEN, the authorized service token the server sends in the SEC header on every request; and QRADAR_VERIFY_SSL, which controls TLS certificate verification. The container listens on port 8001 for HTTP/SSE, and the -p 8001:8001 mapping publishes that port on the Docker host so your MCP client and network can reach it. Two practical caveats. First, pass the values unquoted: the MCP client spawns docker directly without a shell, so any quote characters inside an -e argument become part of the variable's value. Second, treat QRADAR_VERIFY_SSL=false as a lab-only setting; it disables certificate checks, so anything that can interpose itself between the container and the console can read the SEC token. If the console uses a self-signed certificate, fix the trust chain rather than disabling verification. To keep the token out of the command line and out of docker inspect output, use -e QRADAR_API_TOKEN with no value, which makes docker copy it from its own environment (the env block above) instead of from the args.
If you encounter connectivity issues, verify that QRADAR_HOST is reachable from inside the MCP container (not only from the host), that the API token is valid and has not expired, and that QRADAR_VERIFY_SSL matches the console's certificate setup. A 401 from QRadar points at the token; a TLS handshake failure points at the verification flag or the trust chain. Check the container logs with docker logs qradar-mcp-server, and confirm the container is running and listening on port 8001.
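The checks in that paragraph as an added example, not a tool shipped with the project. It assumes /api/system/about as a cheap authenticated QRadar endpoint, port 8001 from the config above, and its own function names; run it with the same QRADAR_* variables you pass to the container, from the same network position if possible.

```python
# Added example, not the project's code: a preflight check for the failure
# points listed above (QRadar reachability, token validity, TLS verification)
# plus a socket check on the MCP port. Assumptions: /api/system/about as a
# cheap authenticated QRadar endpoint, port 8001 from the config above, and
# the function names here.
import os
import socket
import ssl
import urllib.error
import urllib.request


def verify_flag(value: str) -> bool:
    """QRADAR_VERIFY_SSL semantics: only an explicit false/0/no disables checks."""
    return value.strip().lower() not in ("false", "0", "no")


def classify(code: int):
    """Turn an HTTP status from QRadar into the setting to look at first."""
    if code == 200:
        return ("ok", "host reachable and token accepted")
    if code == 401:
        return ("token", "QRadar rejected the token: check QRADAR_API_TOKEN (wrong, revoked or expired)")
    if code == 403:
        return ("permissions", "token accepted but its security profile lacks access to this endpoint")
    return ("unexpected", f"HTTP {code}: read the response body and the container logs")


def _tls_advice():
    return ("tls", "certificate verification failed: install the console's CA where the "
                   "server trusts it, or (lab only) set QRADAR_VERIFY_SSL=false")


def probe_qradar(host: str, token: str, verify_ssl: bool, opener=None):
    """Returns (category, advice). `opener` takes a Request and returns a status code;
    it is injectable so the logic can be exercised without a live console."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # lab-only: disables both chain and hostname checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(host.rstrip("/") + "/api/system/about",
                                 headers={"SEC": token, "Accept": "application/json"})
    if opener is None:
        opener = lambda r: urllib.request.urlopen(r, timeout=10, context=ctx).status
    try:
        code = opener(req)
    except urllib.error.HTTPError as e:        # 4xx/5xx still carry a status
        code = e.code
    except urllib.error.URLError as e:         # urlopen wraps socket/TLS failures
        if isinstance(e.reason, ssl.SSLError):
            return _tls_advice()
        return ("unreachable", f"no HTTP response from QRADAR_HOST ({e.reason}): "
                               "check DNS, routing and firewalling from where the server runs")
    except ssl.SSLError:
        return _tls_advice()
    except OSError as e:
        return ("unreachable", f"no HTTP response from QRADAR_HOST ({e})")
    return classify(code)


def probe_mcp_port(host="127.0.0.1", port=8001, connect=socket.create_connection) -> bool:
    """True if something accepts connections on the published MCP port."""
    try:
        connect((host, port), timeout=3).close()
        return True
    except OSError:
        return False


def preflight(env=os.environ):
    """Run all checks with the same variables the container receives."""
    verify = verify_flag(env.get("QRADAR_VERIFY_SSL", "true"))
    results = {"qradar": probe_qradar(env["QRADAR_HOST"], env["QRADAR_API_TOKEN"], verify),
               "mcp_port_8001": probe_mcp_port()}
    if not verify:
        results["warning"] = "QRADAR_VERIFY_SSL=false: the SEC token is exposed to any TLS interceptor"
    return results


if __name__ == "__main__":
    for name, outcome in preflight().items():
        print(f"{name}: {outcome}")
```

A port that accepts connections only proves the container is up; if probe_qradar reports ok from the host but the server still fails, repeat the probe with docker exec inside the container, since DNS and routing there can differ from the host.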
The four tools cover the full API surface:
Fetch data from any of the 728+ endpoints, such as offenses, assets, rules and other SIEM data
Create or update resources such as reference sets and rules
Remove resources such as offense notes and other deletable items
Discover endpoints and resolve the correct API path for a request