rapid7-mcp
Enables AI assistants to interact with Rapid7 InsightIDR SIEM for investigating incidents, searching logs with LEQL, managing alerts and assets, analyzing user behavior, and handling threat intelligence.
Rapid7 InsightIDR MCP Server
A Model Context Protocol (MCP) server that provides AI assistants with access to Rapid7 InsightIDR, a cloud-native SIEM for modern detection and response. Query investigations, search logs with LEQL, analyze alerts, track assets, monitor user behavior, and manage threat intelligence.
Features
Investigations
- Search and filter investigations by status, priority, assignee, date range
- Create, update, and manage investigation lifecycle
- Add comments and retrieve associated alerts
- Build investigation timelines
Log Search (LEQL)
- Execute LEQL (Log Entry Query Language) queries across log sets
- List available log sets (Firewall, DNS, DHCP, Endpoint, Cloud, Active Directory)
- Retrieve individual log entries and aggregate statistics
- LEQL syntax reference and examples
Alerts
- List and filter alerts by severity, type, status, date
- Get full alert details with evidence and indicators
- Update alert status (open, investigating, closed)
- Evidence extraction for investigation
Assets
- Search endpoints by hostname, IP, OS, agent status
- Full asset details: software inventory, vulnerabilities, agent info
- Recent activity: logins, processes, network connections
User Behavior Analytics (UBA)
- Search user accounts across the organization
- Activity analysis: login patterns, locations, accessed assets
- Risky user identification with behavior scoring
- Anomaly detection and alert correlation
Threat Intelligence
- IOC management: IPs, domains, file hashes
- Add indicators to threat library
- Search for threat indicator matches across logs
Saved Queries
- List and manage saved LEQL queries
- Create reusable queries with descriptions
- LEQL syntax helper with examples
Architecture
┌────────────────────────────────────────┐
│            MCP Client (LLM)            │
└──────────────┬─────────────────────────┘
               │ MCP Protocol (stdio)
┌──────────────▼─────────────────────────┐
│           rapid7-mcp server            │
│                                        │
│  ┌──────────┐  ┌────────────────────┐  │
│  │ Prompts  │  │     Resources      │  │
│  │ 4 guides │  │ templates, LEQL,   │  │
│  │          │  │ detection rules    │  │
│  └──────────┘  └────────────────────┘  │
│                                        │
│  ┌──────────────────────────────────┐  │
│  │              Tools               │  │
│  │ investigations │ logs │ alerts   │  │
│  │ assets │ users │ threats│queries │  │
│  └──────────────┬───────────────────┘  │
│                 │                      │
│  ┌──────────────▼───────────────────┐  │
│  │      InsightIDR REST Client      │  │
│  │     (client.ts + config.ts)      │  │
│  └──────────────┬───────────────────┘  │
└─────────────────┼──────────────────────┘
                  │ HTTPS
┌─────────────────▼──────────────────────┐
│     Rapid7 InsightIDR Platform API     │
│  https://<region>.api.insight.rapid7   │
└────────────────────────────────────────┘
Installation
git clone https://github.com/solomonneas/rapid7-mcp.git
cd rapid7-mcp
npm install
npm run build
Configuration
Set environment variables:
export RAPID7_API_KEY="your-api-key"
export RAPID7_REGION="us" # us, eu, ca, au, ap
export RAPID7_ORG_ID="your-org-id" # optional
Or use a .env file:
RAPID7_API_KEY=your-api-key
RAPID7_REGION=us
RAPID7_ORG_ID=your-org-id
MCP Client Configuration
Claude Desktop
{
  "mcpServers": {
    "rapid7": {
      "command": "node",
      "args": ["path/to/rapid7-mcp/dist/index.js"],
      "env": {
        "RAPID7_API_KEY": "your-api-key",
        "RAPID7_REGION": "us"
      }
    }
  }
}
OpenClaw
Add to your openclaw.json:
{
  "mcp": {
    "servers": {
      "rapid7": {
        "type": "stdio",
        "command": "node",
        "args": ["/path/to/rapid7-mcp/dist/index.js"],
        "env": {
          "RAPID7_API_KEY": "your-api-key",
          "RAPID7_REGION": "us"
        }
      }
    }
  }
}
Tool Reference
| Tool | Description |
|---|---|
| search_investigations | List/filter investigations by status, priority, assignee |
| get_investigation | Get full investigation details with timeline |
| create_investigation | Create new investigation |
| update_investigation | Update status, assignee, disposition |
| add_investigation_comment | Add comment/note to investigation |
| get_investigation_alerts | Get alerts linked to an investigation |
| search_logs | Execute LEQL queries against log sets |
| list_log_sets | List available log sets |
| get_log_entry | Get specific log entry by ID |
| get_log_stats | Aggregate statistics for a time range |
| list_alerts | Get alerts with severity/type/status filters |
| get_alert | Full alert details with evidence |
| update_alert_status | Update alert status |
| get_alert_evidence | Get evidence/indicators from an alert |
| search_assets | Search endpoints by hostname, IP, OS |
| get_asset | Full asset details with software/vulns |
| get_asset_activity | Recent activity for an asset |
| search_users | Search user accounts |
| get_user_activity | User behavior analytics |
| get_risky_users | Users with abnormal behavior scores |
| list_threat_indicators | List IOCs in threat library |
| add_threat_indicator | Add new IOC |
| search_threat_activity | Search for IOC matches in logs |
| list_saved_queries | List saved LEQL queries |
| create_saved_query | Save a LEQL query for reuse |
| leql_help | LEQL syntax reference and examples |
LEQL Query Examples
-- Find all blocked traffic from a source
where(source_address = 10.0.0.1 AND action = BLOCK)
-- Top talkers by connection count
groupby(source_address) calculate(count) sort(desc)
-- Failed logins for a specific user
where(user = "admin" AND result = FAILED_LOGIN)
-- HTTP errors by URL
where(status >= 400) groupby(url) calculate(count)
-- DNS queries to suspicious domains
where(query CONTAINS "malware") groupby(query) calculate(count)
-- Outbound connections on non-standard ports
where(destination_port != 80 AND destination_port != 443 AND direction = OUTBOUND)
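As an added example (not code from the rapid7-mcp project), here is how a tool such as `search_logs` could assemble a `where()` clause from model-supplied field/operator/value triples, so that a value containing quotes or parentheses cannot change the structure of the query. It assumes that double-quoted LEQL strings honour backslash escapes for `\` and `"`; the names `Condition`, `leqlString`, `renderCondition` and `buildWhere` are chosen here.

```typescript
// Added example, not part of rapid7-mcp: render LEQL where() clauses from
// untrusted tool arguments without letting a value change the query shape.

type Op = "=" | "!=" | ">" | ">=" | "<" | "<=" | "CONTAINS" | "ICONTAINS";
interface Condition { field: string; op: Op; value: string | number }

// Field names are plain identifiers (dots allowed for nested keys).
const FIELD_RE = /^[A-Za-z_][A-Za-z0-9_.]*$/;
// Operators are re-checked at run time because tool arguments arrive as JSON.
const OPS: ReadonlySet<string> = new Set(["=", "!=", ">", ">=", "<", "<=", "CONTAINS", "ICONTAINS"]);

// Quote a string for LEQL. Assumption: backslash escapes are honoured inside
// double-quoted LEQL strings; control characters are rejected outright.
function leqlString(s: string): string {
  if (/[\u0000-\u001f\u007f]/.test(s)) throw new Error("control character in LEQL value");
  return '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

function renderCondition(c: Condition): string {
  if (!FIELD_RE.test(c.field)) throw new Error(`invalid LEQL field name: ${c.field}`);
  if (!OPS.has(c.op)) throw new Error(`unsupported LEQL operator: ${c.op}`);
  if (typeof c.value === "number") {
    if (!Number.isFinite(c.value)) throw new Error("non-finite number in LEQL value");
    if (c.op === "CONTAINS" || c.op === "ICONTAINS") throw new Error(`${c.op} needs a string`);
    return `${c.field} ${c.op} ${c.value}`;
  }
  return `${c.field} ${c.op} ${leqlString(c.value)}`;
}

// AND the conditions into one where() clause; optionally append the
// groupby()/calculate(count) pipeline used by the examples above.
function buildWhere(conds: Condition[], groupBy?: string): string {
  if (conds.length === 0) throw new Error("where() needs at least one condition");
  let q = `where(${conds.map(renderCondition).join(" AND ")})`;
  if (groupBy !== undefined) {
    if (!FIELD_RE.test(groupBy)) throw new Error(`invalid groupby field: ${groupBy}`);
    q += ` groupby(${groupBy}) calculate(count)`;
  }
  return q;
}

// The README's "failed logins" query, with the user name supplied at run time.
console.log(buildWhere([
  { field: "user", op: "=", value: "admin" },
  { field: "result", op: "=", value: "FAILED_LOGIN" },
]));
// → where(user = "admin" AND result = "FAILED_LOGIN")
```

Because every string value is quoted, the rendered form differs from the bare-value style in the examples above but expresses the same filter.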
Prompts
| Prompt | Description |
|---|---|
| investigate-alert | Guided alert investigation workflow |
| hunt-ioc | Search for IOC across all log sources |
| user-behavior-review | Analyze user activity for anomalies |
| incident-timeline | Build chronological incident timeline |
Resources
| URI | Description |
|---|---|
| rapid7://investigation-templates | Common investigation templates |
| rapid7://leql-reference | LEQL syntax and examples |
| rapid7://detection-rules | Built-in detection rule catalog |
Development
npm run build # Compile TypeScript
npm run dev # Watch mode
npm run test # Run tests
npm run lint # Lint check
License
MIT