RunReveal MCP server
Query security logs and manage detections in RunReveal from your AI agents.
About
Connect Tracecat to RunReveal to query logs and tune detections from agents working alongside SOC analysts and detection engineers. You can run SQL against your RunReveal data lake to pivot from an alert into related events without an analyst writing the query by hand. From there, agents can draft a Sigma detection from the investigation, update or retire existing rules, and push notifications through your configured channels once a human approves the change.
Setup
1. Sign in with OAuth. You'll authorize Tracecat to access RunReveal on your behalf. No API keys to manage.
2. Select the RunReveal tile in the Tracecat MCP catalog. Open the MCP catalog in your workspace, select the RunReveal tile, and complete the OAuth flow.
3. Enable RunReveal in your agent. In your ai.agent action or the Agents → tools tab, select RunReveal from the MCP integrations dropdown.
Tools
Because the connection is authorized on your behalf, every tool below runs with your own RunReveal permissions. run_query, list_tables, get_table_schema and source_list only read; the remaining tools create, change or delete detections, create agents, or send notifications, so keep the human-approval step described above in front of them.

| Tool | Description |
| --- | --- |
| run_query | Run a SQL query against your RunReveal log tables and return the rows. |
| list_tables | List the log tables available in the workspace. |
| get_table_schema | Return the column schema for a single log table. |
| source_list | List the log sources feeding RunReveal, with status and ingestion stats. |
| detections_create | Create a new detection rule from a query or Sigma rule. |
| detection_update | Update an existing detection's logic, severity, or metadata. |
| detection_delete | Delete a detection by ID. |
| sigma_create | Create a detection from a Sigma rule definition. |
| agents_create | Create a new agent for orchestrating RunReveal automations. |
| notification_send | Send a notification through a configured RunReveal channel. |
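The pivot-then-draft loop described under About, as an added example in Python that is not Tracecat's or RunReveal's own code: it builds the SQL an agent would hand to run_query from one alert row, allow-listing identifiers against a get_table_schema result and escaping values taken from the logs so an attacker-chosen username cannot rewrite the query, then drafts the Sigma rule that would go to sigma_create from the events the investigation flagged. The okta_logs table and its columns, the alert row, the event rows and the SQL quoting dialect are all constructed assumptions for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed stand-in for a get_table_schema result; the table and column
# names are assumptions for this example, not RunReveal's real schema.
SCHEMA = {"okta_logs": ["event_time", "actor_email", "event_type", "client_ip", "outcome"]}

# Constructed alert row the agent pivots from.
ALERT = {"table": "okta_logs", "event_time": "2024-05-01T12:00:00Z",
         "actor_email": "alice@example.com", "client_ip": "203.0.113.7"}

# Constructed rows standing in for what run_query returns for the pivot window.
SAMPLE_EVENTS = [
    {"event_time": "2024-05-01 11:58:10", "actor_email": "alice@example.com",
     "event_type": "user.session.start", "client_ip": "203.0.113.7", "outcome": "FAILURE"},
    {"event_time": "2024-05-01 12:00:00", "actor_email": "alice@example.com",
     "event_type": "user.session.start", "client_ip": "203.0.113.7", "outcome": "SUCCESS"},
    {"event_time": "2024-05-01 12:03:00", "actor_email": "alice@example.com",
     "event_type": "user.mfa.factor.deactivate", "client_ip": "203.0.113.7", "outcome": "SUCCESS"},
]

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_literal(value) -> str:
    """Quote a log value as a SQL string. Log values are attacker-influenced
    (a username chosen to close the quote), so escape rather than interpolate.
    Doubled quotes and escaped backslashes are assumed to suit the lake's dialect."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "''") + "'"


def build_pivot_query(alert, schema, pivot_fields=("actor_email", "client_ip"),
                      window_minutes=60) -> str:
    """Same actor or same source IP within a window around the alert.
    Identifiers are allow-listed against the fetched schema, so neither a log
    value nor the model can smuggle in a table or column name."""
    table = alert["table"]
    columns = schema.get(table)
    if columns is None or not IDENTIFIER.match(table):
        raise ValueError(f"unknown table: {table!r}")
    for field in pivot_fields:
        if field not in columns:
            raise ValueError(f"column {field!r} is not in {table}")
    at = datetime.fromisoformat(alert["event_time"].replace("Z", "+00:00"))
    window, fmt = timedelta(minutes=window_minutes), "%Y-%m-%d %H:%M:%S"
    start, end = (at - window).strftime(fmt), (at + window).strftime(fmt)
    pivot = " OR ".join(f"{f} = {quote_literal(alert[f])}" for f in pivot_fields)
    return (f"SELECT {', '.join(columns)} FROM {table} "
            f"WHERE event_time BETWEEN '{start}' AND '{end}' "
            f"AND ({pivot}) ORDER BY event_time")


def draft_sigma_rule(title, product, service, events, match_fields, level="medium"):
    """Draft a Sigma rule from the flagged events. Match on behavioural fields
    (event type, outcome), not this incident's user or IP, so the rule
    generalises instead of re-detecting one case."""
    if not events:
        raise ValueError("no events to draft from")
    selection = {}
    for field in match_fields:
        values = sorted({e[field] for e in events if e.get(field) is not None})
        if not values:
            raise ValueError(f"no values for {field!r}")
        selection[field] = values[0] if len(values) == 1 else values
    return {
        "title": title,
        "status": "experimental",
        "description": f"Drafted from {len(events)} investigated events; review before enabling.",
        "logsource": {"product": product, "service": service},
        "detection": {"selection": selection, "condition": "selection"},
        "falsepositives": ["Administrator-initiated changes"],
        "level": level,
    }


def to_sigma_yaml(rule, indent=0) -> str:
    """Minimal YAML emitter for the dict/list/scalar shape above; JSON string
    quoting is valid YAML and keeps arbitrary log values from being misparsed."""
    pad, lines = "  " * indent, []
    for key, value in (rule.items() if isinstance(rule, dict) else []):
        if isinstance(value, (dict, list)):
            lines.append(f"{pad}{key}:")
            lines.append(to_sigma_yaml(value, indent + 1).rstrip("\n"))
        else:
            lines.append(f"{pad}{key}: {json.dumps(value)}")
    for value in (rule if isinstance(rule, list) else []):
        lines.append(f"{pad}- {json.dumps(value)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_pivot_query(ALERT, SCHEMA))  # the text run_query would receive
    flagged = [e for e in SAMPLE_EVENTS if e["event_type"] == "user.mfa.factor.deactivate"]
    rule = draft_sigma_rule("Okta MFA factor deactivated", "okta", "okta",
                            flagged, ("event_type", "outcome"))
    print(to_sigma_yaml(rule))  # the rule text sigma_create would receive
```

The two guards are the point: the agent composes SQL from values it read out of the lake, and those values are whatever the attacker typed into a login form, so they are escaped as literals, while table and column names are accepted only if the schema call already returned them. The drafted rule deliberately leaves the incident's user and IP out of the selection; a rule that matches one compromised account is not a detection, it is a case note.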