{"id":49250508,"url":"https://github.com/solomonneas/rapid7-mcp","last_synced_at":"2026-04-30T03:04:19.860Z","repository":{"id":337113121,"uuid":"1152364265","full_name":"solomonneas/rapid7-mcp","owner":"solomonneas","description":"MCP server for Rapid7 InsightIDR — SIEM log search, investigations, alerts, UBA, and threat intelligence","archived":false,"fork":false,"pushed_at":"2026-04-20T22:55:37.000Z","size":17476,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-21T00:38:20.943Z","etag":null,"topics":["ai-agents","insightvm","mcp","model-context-protocol","rapid7","security","vulnerability-management"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/solomonneas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"solomonneas","ko_fi":"solomonneas","buy_me_a_coffee":"solomonneas"}},"created_at":"2026-02-07T19:07:32.000Z","updated_at":"2026-04-20T22:58:50.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/solomonneas/rapid7-mcp","commit_stats":null,"previous_names":["solomonneas/rapid7-mcp"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/solomonneas/rapid7-mcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Frapid7-mcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Frapid7-mcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Frapid7-mcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Frapid7-mcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/solomonneas","download_url":"https://codeload.github.com/solomonneas/rapid7-mcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Frapid7-mcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32245156,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T13:21:15.438Z","status":"ssl_error","status_checked_at":"2026-04-24T13:21:15.005Z","response_time":64,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","insightvm","mcp","model-context-protocol","rapid7","security","vulnerability-management"],"created_at":"2026-04-25T00:03:04.715Z","updated_at":"2026-04-25T00:03:15.502Z","avatar_url":"https://github.com/solomonneas.png","language":"TypeScript","funding_links":["https://github.com/sponsors/solomonneas","https://ko-fi.com/solomonneas","https://buymeacoffee.com/solomonneas"],"categories":[],"sub_categories":[],"readme":"# Rapid7 InsightIDR MCP Server\n\n[![TypeScript 5.7](https://img.shields.io/badge/TypeScript-5.7-blue?logo=typescript)](https://www.typescriptlang.org/)\n[![Node.js](https://img.shields.io/badge/Node.js-20%2B-green?logo=node.js)](https://nodejs.org/)\n[![MCP SDK](https://img.shields.io/badge/MCP-1.x-purple)](https://modelcontextprotocol.io)\n[![Rapid7](https://img.shields.io/badge/Rapid7-InsightIDR-orange)](https://www.rapid7.com/products/insightidr/)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)\n\nA [Model Context Protocol (MCP)](https://modelcontextprotocol.io) server that provides AI assistants with access to [Rapid7 InsightIDR](https://www.rapid7.com/products/insightidr/), a cloud-native SIEM for modern detection and response. Query investigations, search logs with LEQL, analyze alerts, track assets, monitor user behavior, and manage threat intelligence.\n\n## Features\n\n### Investigations\n- Search and filter investigations by status, priority, assignee, date range\n- Create, update, and manage investigation lifecycle\n- Add comments and retrieve associated alerts\n- Build investigation timelines\n\n### Log Search (LEQL)\n- Execute LEQL (Log Entry Query Language) queries across log sets\n- List available log sets (Firewall, DNS, DHCP, Endpoint, Cloud, Active Directory)\n- Retrieve individual log entries and aggregate statistics\n- LEQL syntax reference and examples\n\n### Alerts\n- List and filter alerts by severity, type, status, date\n- Get full alert details with evidence and indicators\n- Update alert status (open, investigating, closed)\n- Evidence extraction for investigation\n\n### Assets\n- Search endpoints by hostname, IP, OS, agent status\n- Full asset details: software inventory, vulnerabilities, agent info\n- Recent activity: logins, processes, network connections\n\n### User Behavior Analytics (UBA)\n- Search user accounts across the organization\n- Activity analysis: login patterns, locations, accessed assets\n- Risky user identification with behavior scoring\n- Anomaly detection and alert correlation\n\n### Threat Intelligence\n- IOC management: IPs, domains, file hashes\n- Add indicators to threat library\n- Search for threat indicator matches across logs\n\n### Saved Queries\n- List and manage saved LEQL queries\n- Create reusable queries with descriptions\n- LEQL syntax helper with examples\n\n## Architecture\n\n```\n┌────────────────────────────────────────┐\n│           MCP Client (LLM)             │\n└──────────────┬─────────────────────────┘\n               │ MCP Protocol (stdio)\n┌──────────────▼─────────────────────────┐\n│         rapid7-mcp server              │\n│                                        │\n│  ┌──────────┐  ┌────────────────────┐  │\n│  │ Prompts  │  │    Resources       │  │\n│  │ 4 guides │  │ templates, LEQL,   │  │\n│  │          │  │ detection rules    │  │\n│  └──────────┘  └────────────────────┘  │\n│                                        │\n│  ┌──────────────────────────────────┐  │\n│  │            Tools                  │  │\n│  │  investigations │ logs │ alerts   │  │\n│  │  assets │ users │ threats│queries │  │\n│  └──────────────┬───────────────────┘  │\n│                 │                       │\n│  ┌──────────────▼───────────────────┐  │\n│  │      InsightIDR REST Client      │  │\n│  │      (client.ts + config.ts)     │  │\n│  └──────────────┬───────────────────┘  │\n└──────────────────┼─────────────────────┘\n                   │ HTTPS\n┌──────────────────▼─────────────────────┐\n│      Rapid7 InsightIDR Platform API    │\n│      https://\u003cregion\u003e.api.insight.rapid7│\n└────────────────────────────────────────┘\n```\n\n## Installation\n\n```bash\ngit clone https://github.com/solomonneas/rapid7-mcp.git\ncd rapid7-mcp\nnpm install\nnpm run build\n```\n\n## Configuration\n\nSet environment variables:\n\n```bash\nexport RAPID7_API_KEY=\"your-api-key\"\nexport RAPID7_REGION=\"us\"          # us, eu, ca, au, ap\nexport RAPID7_ORG_ID=\"your-org-id\" # optional\n```\n\nOr use a `.env` file:\n\n```env\nRAPID7_API_KEY=your-api-key\nRAPID7_REGION=us\nRAPID7_ORG_ID=your-org-id\n```\n\n## MCP Client Configuration\n\n### Claude Desktop\n\n```json\n{\n  \"mcpServers\": {\n    \"rapid7\": {\n      \"command\": \"node\",\n      \"args\": [\"path/to/rapid7-mcp/dist/index.js\"],\n      \"env\": {\n        \"RAPID7_API_KEY\": \"your-api-key\",\n        \"RAPID7_REGION\": \"us\"\n      }\n    }\n  }\n}\n```\n\n### OpenClaw\n\nAdd to your `openclaw.json`:\n\n```json\n{\n  \"mcp\": {\n    \"servers\": {\n      \"rapid7\": {\n        \"type\": \"stdio\",\n        \"command\": \"node\",\n        \"args\": [\"/path/to/rapid7-mcp/dist/index.js\"],\n        \"env\": {\n          \"RAPID7_API_KEY\": \"your-api-key\",\n          \"RAPID7_REGION\": \"us\"\n        }\n      }\n    }\n  }\n}\n```\n\n## Tool Reference\n\n| Tool | Description |\n|------|-------------|\n| `search_investigations` | List/filter investigations by status, priority, assignee |\n| `get_investigation` | Get full investigation details with timeline |\n| `create_investigation` | Create new investigation |\n| `update_investigation` | Update status, assignee, disposition |\n| `add_investigation_comment` | Add comment/note to investigation |\n| `get_investigation_alerts` | Get alerts linked to an investigation |\n| `search_logs` | Execute LEQL queries against log sets |\n| `list_log_sets` | List available log sets |\n| `get_log_entry` | Get specific log entry by ID |\n| `get_log_stats` | Aggregate statistics for a time range |\n| `list_alerts` | Get alerts with severity/type/status filters |\n| `get_alert` | Full alert details with evidence |\n| `update_alert_status` | Update alert status |\n| `get_alert_evidence` | Get evidence/indicators from an alert |\n| `search_assets` | Search endpoints by hostname, IP, OS |\n| `get_asset` | Full asset details with software/vulns |\n| `get_asset_activity` | Recent activity for an asset |\n| `search_users` | Search user accounts |\n| `get_user_activity` | User behavior analytics |\n| `get_risky_users` | Users with abnormal behavior scores |\n| `list_threat_indicators` | List IOCs in threat library |\n| `add_threat_indicator` | Add new IOC |\n| `search_threat_activity` | Search for IOC matches in logs |\n| `list_saved_queries` | List saved LEQL queries |\n| `create_saved_query` | Save a LEQL query for reuse |\n| `leql_help` | LEQL syntax reference and examples |\n\n## LEQL Query Examples\n\n```sql\n-- Find all blocked traffic from a source\nwhere(source_address = 10.0.0.1 AND action = BLOCK)\n\n-- Top talkers by connection count\ngroupby(source_address) calculate(count) sort(desc)\n\n-- Failed logins for a specific user\nwhere(user = \"admin\" AND result = FAILED_LOGIN)\n\n-- HTTP errors by URL\nwhere(status \u003e= 400) groupby(url) calculate(count)\n\n-- DNS queries to suspicious domains\nwhere(query CONTAINS \"malware\") groupby(query) calculate(count)\n\n-- Outbound connections on non-standard ports\nwhere(destination_port != 80 AND destination_port != 443 AND direction = OUTBOUND)\n```\n\n## Prompts\n\n| Prompt | Description |\n|--------|-------------|\n| `investigate-alert` | Guided alert investigation workflow |\n| `hunt-ioc` | Search for IOC across all log sources |\n| `user-behavior-review` | Analyze user activity for anomalies |\n| `incident-timeline` | Build chronological incident timeline |\n\n## Resources\n\n| URI | Description |\n|-----|-------------|\n| `rapid7://investigation-templates` | Common investigation templates |\n| `rapid7://leql-reference` | LEQL syntax and examples |\n| `rapid7://detection-rules` | Built-in detection rule catalog |\n\n## Development\n\n```bash\nnpm run build    # Compile TypeScript\nnpm run dev      # Watch mode\nnpm run test     # Run tests\nnpm run lint     # Lint check\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolomonneas%2Frapid7-mcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsolomonneas%2Frapid7-mcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolomonneas%2Frapid7-mcp/lists"}