IBM QRadar MCP Server - Official
May 13, 2026 · View on GitHub
An open-source Model Context Protocol (MCP) server implementation for IBM QRadar SIEM that enables AI agents to interact with QRadar SIEM data through standardized tools and protocols.
Overview
This MCP server provides AI agents with the ability to interact with IBM QRadar SIEM through a comprehensive set of tools covering offenses, reference data, assets, log sources, analytics, and more. It can be deployed as a standalone service using Docker or run locally.
Project Structure
qradar-mcp/
├── client/ # QRadar REST API client
├── tools/ # MCP tools
├── resources/ # MCP resources
├── utils/ # Utilities (auth, logging, validation)
├── tests/ # Comprehensive test suite
├── server.py # Main server entry point
└── Dockerfile # Container configuration
Features
- FastMCP Framework: Modern, async-first MCP server implementation with uvicorn (ASGI)
- MCP Protocol Compliance: Full implementation of Model Context Protocol specification
- 27 Tools (Phase 1): Read-only QRadar API coverage
- Offense Management (7 tools) - List and retrieve offense data
- Reference Data (6 tools) - Query reference sets, maps, and tables
- Asset Management (2 tools) - List assets and properties
- Log Sources (3 tools) - Query log source configurations
- Analytics Rules (6 tools) - Retrieve rules, building blocks, and custom actions
- System Administration (4 tools) - System info, servers, users, and roles
- Forensics (2 tools) - Query forensics cases
- QVM (2 tools) - Vulnerability and asset data
- Dual Authentication: Supports both user sessions and authorized service tokens
Phase 1 Release: This initial release includes 27 read-only tools focused on querying and retrieving QRadar data. Additional tools for data modification and advanced search capabilities will be rolled out in future releases.
Roadmap
Future Releases will include:
- Write Operations: Tools for creating, updating, and deleting QRadar data (POST/DELETE operations)
- Ariel Search: Full AQL query execution and saved search management (8 additional tools)
- Network Services: IP geolocation, DNS, and WHOIS lookups (5 additional tools)
- Enhanced Reference Data: Create and modify reference sets, maps, and tables
Deployment
The QRadar MCP Server can be deployed in multiple ways depending on your needs.
Prerequisites
- Docker 20.10+ and Docker Compose 2.0+ (for containerized deployment)
- Python 3.11+ (for local development)
- Access to a QRadar SIEM deployment
- QRadar SIEM authentication tokens (SEC/CSRF or Authorized Service token)
Option 1: Docker Compose (Recommended)
The easiest way to deploy the MCP server is using Docker Compose.
-
Clone the repository and navigate to the directory:
git clone https://github.com/IBM/qradar-mcp.git cd qradar-mcp -
Create configuration file:
cp config.example.json config.json # Edit config.json with your QRadar credentials -
Set environment variables:
Create a
.envfile:cat > .env << EOF QRADAR_HOST=your-qradar-host.com LOG_LEVEL=info EOF -
Start the server:
docker-compose up -d -
View logs:
docker-compose logs -f qradar-mcp -
Stop the server:
docker-compose down
The server will be available at http://localhost:5001 (mapped from internal port 5000).
Option 2: Manual Docker Build
For more control over the Docker deployment:
-
Build the image:
docker build -t qradar-mcp:latest . -
Run the container:
docker run -d \ --name qradar-mcp-server \ -p 5001:5000 \ -e LOG_LEVEL=info \ -v $(pwd)/config.json:/opt/app-root/config.json:ro \ -v $(pwd)/logs:/opt/app-root/logs \ qradar-mcp:latestImportant: The config.json file must be mounted at
/opt/app-root/config.jsonfor authentication. Make sure you've created and configuredconfig.jsonfromconfig.example.jsonbefore running.The server will be available at
http://localhost:5001(mapped from internal port 5000). -
Check status:
docker ps docker logs qradar-mcp-server
Option 3: Run Local with Python
For local development with Python without Docker:
-
Create virtual environment (recommended):
python3 -m venv venv source venv/bin/activate -
Install dependencies:
pip install -e . -
Configure authentication:
cp config.example.json config.json # Edit config.json with your QRadar credentials # Copy config to parent directory (required for local mode) cp config.json ../config.json -
Run the server:
python server.py
The server will start at http://localhost:5000. The port can be modified in server.py if port conflicts occur.
Note: The config loader looks for config.json in the parent directory of the qradar-mcp folder when running locally. This is by design to support both Docker (where config is at /opt/app-root/config.json) and local Python modes.
Verify Deployment
Use the provided test script to verify your deployment:
# Run the connection test
python tests/local_mcp_connection.py
This script will:
- Load authentication from your
config.json - Connect to the MCP server at
http://localhost:5001 - Initialize the MCP session
- List all available tools
- Display the first 10 tools
Expected output:
QRadar MCP Server - Local Container Test
==================================================
Endpoint: http://localhost:5001/mcp
Auth: Using authorized service token from config.json
...
✅ Found 32 tools
==================================================
✅ MCP Server is fully operational in local mode!
==================================================
Configuration
Environment Variables
QRADAR_HOST: QRadar instance hostnameQRADAR_SEC_TOKEN: QRadar SEC token (for user sessions)QRADAR_CSRF_TOKEN: QRadar CSRF token (for user sessions)QRADAR_AUTH_TOKEN: Authorized service token (alternative to SEC/CSRF)
Configuration Files
config.json: Main configuration (not committed)config.example.json: Configuration templatemcp_settings.json: MCP-specific settings (not committed)mcp_settings.example.json: Settings template
Security
- Never commit
config.jsonormcp_settings.json- They contain sensitive tokens - Tokens are session-based and expire - refresh as needed
- Use
verify_ssl: truein production - All endpoints require authentication
- Supports both user sessions and authorized service tokens
Troubleshooting
Common Issues
- Authentication errors (401): Refresh your QRadar tokens
- Connection refused: Verify QRadar host is accessible
- SSL errors: Set
verify_ssl: falsefor testing - Tool not found: Ensure MCP server is properly initialized
Community
- Issues: Report bugs or request features via GitHub Issues
License
Copyright 2026 IBM Corporation
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
IBM Public Repository Disclosure
All content in these repositories including code has been provided by IBM under the associated open source software license and IBM is under no obligation to provide enhancements, updates, or support. IBM developers produced this code as an open source project (not as an IBM product), and IBM makes no assertions as to the level of quality nor security, and will not be maintaining this code going forward.