Tracecat

RunReveal MCP server

Query security logs and manage detections in RunReveal from your AI agents.

SIEM / datalake
http

About

Connect Tracecat to RunReveal to query logs and tune detections from agents working alongside SOC analysts and detection engineers. You can run SQL against your RunReveal data lake to pivot from an alert into related events without an analyst writing the query by hand. From there, agents can draft a Sigma detection from the investigation, update or retire existing rules, and push notifications through your configured channels once a human approves the change.

Setup

  1. Sign in with OAuth

     You'll authorize Tracecat to access RunReveal on your behalf. No API keys to manage.

  2. Select the RunReveal tile in the Tracecat MCP catalog

     Open the MCP catalog in your workspace, select the RunReveal tile, and complete the OAuth flow.

  3. Enable RunReveal in your agent

     In your ai.agent action or Agents tools tab, select RunReveal from the MCP integrations dropdown.

Tools

run_query

Run a SQL query against your RunReveal log tables and return the rows.

list_tables

List the log tables available in the workspace.

get_table_schema

Return the column schema for a single log table.

source_list

List the log sources feeding RunReveal with status and ingestion stats.

detections_create

Create a new detection rule from a query or Sigma rule.

detection_update

Update an existing detection's logic, severity, or metadata.

detection_delete

Delete a detection by ID.

sigma_create

Create a detection from a Sigma rule definition.

agents_create

Create a new agent for orchestrating RunReveal automations.

notification_send

Send a notification through a configured RunReveal channel.
