An open-source Model Context Protocol (MCP) server implementation for IBM QRadar SIEM that enables AI agents to interact with QRadar SIEM data through standardized tools and protocols.

This MCP server provides AI agents with the ability to interact with IBM QRadar SIEM through a comprehensive set of tools covering offenses, reference data, assets, log sources, analytics, and more. It can be deployed as a standalone service using Docker or run locally.

qradar-mcp/
├── client/            # QRadar REST API client
├── tools/             # MCP tools
├── resources/         # MCP resources
├── utils/             # Utilities (auth, logging, validation)
├── tests/             # Comprehensive test suite
├── server.py          # Main server entry point
└── Dockerfile         # Container configuration

• FastMCP Framework: Modern, async-first MCP server implementation with uvicorn (ASGI)
• MCP Protocol Compliance: Full implementation of Model Context Protocol specification
• 27 Tools (Phase 1): Read-only QRadar API coverage
  • Offense Management (7 tools) - List and retrieve offense data
  • Reference Data (6 tools) - Query reference sets, maps, and tables
  • Asset Management (2 tools) - List assets and properties
  • Log Sources (3 tools) - Query log source configurations
  • Analytics Rules (6 tools) - Retrieve rules, building blocks, and custom actions
  • System Administration (4 tools) - System info, servers, users, and roles
  • Forensics (2 tools) - Query forensics cases
  • QVM (2 tools) - Vulnerability and asset data
• Dual Authentication: Supports both user sessions and authorized service tokens

Phase 1 Release: This initial release includes 27 read-only tools focused on querying and retrieving QRadar data. Additional tools for data modification and advanced search capabilities will be rolled out in future releases.

Future Releases will include:

• Write Operations: Tools for creating, updating, and deleting QRadar data (POST/DELETE operations)
• Ariel Search: Full AQL query execution and saved search management (8 additional tools)
• Network Services: IP geolocation, DNS, and WHOIS lookups (5 additional tools)
• Enhanced Reference Data: Create and modify reference sets, maps, and tables

The QRadar MCP Server can be deployed in multiple ways depending on your needs.

• Docker 20.10+ and Docker Compose 2.0+ (for containerized deployment)
• Python 3.11+ (for local development)
• Access to a QRadar SIEM deployment
• QRadar SIEM authentication tokens (SEC/CSRF or Authorized Service token)

The easiest way to deploy the MCP server is using Docker Compose.

1. Clone the repository and navigate to the directory:

   git clone https://github.com/IBM/qradar-mcp.git
   cd qradar-mcp

2. Create configuration file:

   cp config.example.json config.json
   # Edit config.json with your QRadar credentials

3. Set environment variables:

   Create a .env file:

   cat > .env << EOF
   QRADAR_HOST=your-qradar-host.com
   LOG_LEVEL=info
   EOF

4. Start the server:

   docker-compose up -d

5. View logs:

   docker-compose logs -f qradar-mcp

6. Stop the server:

   docker-compose down

The server will be available at http://localhost:5001 (mapped from internal port 5000).

For more control over the Docker deployment:

1. Build the image:

   docker build -t qradar-mcp:latest .

2. Run the container:

   docker run -d \
     --name qradar-mcp-server \
     -p 5001:5000 \
     -e LOG_LEVEL=info \
     -v $(pwd)/config.json:/opt/app-root/config.json:ro \
     -v $(pwd)/logs:/opt/app-root/logs \
     qradar-mcp:latest

   Important: The config.json file must be mounted at /opt/app-root/config.json for authentication. Make sure you've created and configured config.json from config.example.json before running.

   The server will be available at http://localhost:5001 (mapped from internal port 5000).

3. Check status:

   docker ps
   docker logs qradar-mcp-server

For local development with Python without Docker:

1. Create virtual environment (recommended):

   python3 -m venv venv
   source venv/bin/activate

2. Install dependencies:

   pip install -e .

3. Configure authentication:

   cp config.example.json config.json
   # Edit config.json with your QRadar credentials
   
   # Copy config to parent directory (required for local mode)
   cp config.json ../config.json

4. Run the server:

   python server.py

The server will start at http://localhost:5000. The port can be modified in server.py if port conflicts occur.

Note: The config loader looks for config.json in the parent directory of the qradar-mcp folder when running locally. This is by design to support both Docker (where config is at /opt/app-root/config.json) and local Python modes.

Use the provided test script to verify your deployment:

# Run the connection test
python tests/local_mcp_connection.py

This script will:

1. Load authentication from your config.json
2. Connect to the MCP server at http://localhost:5001
3. Initialize the MCP session
4. List all available tools
5. Display the first 10 tools

Expected output:

QRadar MCP Server - Local Container Test
==================================================
Endpoint: http://localhost:5001/mcp
Auth: Using authorized service token from config.json
...
✅ Found 32 tools
==================================================
✅ MCP Server is fully operational in local mode!
==================================================

• QRADAR_HOST: QRadar instance hostname
• QRADAR_SEC_TOKEN: QRadar SEC token (for user sessions)
• QRADAR_CSRF_TOKEN: QRadar CSRF token (for user sessions)
• QRADAR_AUTH_TOKEN: Authorized service token (alternative to SEC/CSRF)

• config.json: Main configuration (not committed)
• config.example.json: Configuration template
• mcp_settings.json: MCP-specific settings (not committed)
• mcp_settings.example.json: Settings template

• Never commit config.json or mcp_settings.json - They contain sensitive tokens
• Tokens are session-based and expire - refresh as needed
• Use verify_ssl: true in production
• All endpoints require authentication
• Supports both user sessions and authorized service tokens

• Authentication errors (401): Refresh your QRadar tokens
• Connection refused: Verify QRadar host is accessible
• SSL errors: Set verify_ssl: false for testing
• Tool not found: Ensure MCP server is properly initialized

• Issues: Report bugs or request features via GitHub Issues

Copyright 2026 IBM Corporation

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

All content in these repositories including code has been provided by IBM under the associated open source software license and IBM is under no obligation to provide enhancements, updates, or support. IBM developers produced this code as an open source project (not as an IBM product), and IBM makes no assertions as to the level of quality nor security, and will not be maintaining this code going forward.