Official Threat Manager MCP Server

Products Threat Manager Show & Tell
,
1

MCP Server for Netwrix Threat Manager

Download from the Netwrix GitHub: GitHub - netwrix/mcp-server-ntm: An MCP server for Netwrix Threat Manager.

The Netwrix Threat Manager MCP Server allows AI tools, such as Claude Desktop, to query and analyze historical Activity Records collected by your Netwrix Threat Manager instance.

This facilitates streamlined threat detection and investigation, and complex data retrieval and analysis using natural language queries.

Prerequisites

Before proceeding with the installation, please ensure you have the following:

  • A functioning Netwrix Threat Manager or later installation actively collecting audit data.
  • An installed MCP-compatible client application (e.g., Claude Desktop).
  • Credentials for Netwrix Threat Manager account with sufficient permissions to Activity Records

Installation

  • Configure a user with Reviewer level access to allow the MCP server access to NTM API.
  • Install uv, a Python project manager
  • Clone the repository (or download it as a zip)

To clone the repository access the link: https://github.com/netwrix/mcp-server-ntm.git

How to get started

1.Install in Claude Desktop via Desktop Extensions (Recommended)

Option 1: One-click Installation

  • Download the latest mcp_server_ntm.dxt file from releases
  • Double-click to open with Claude Desktop (may have to find Claude Desktop to “Open with…”)
  • Click “Install”

Option 2: Upload Desktop Extension File Manually

  • Download the latest mcp_server_ntm.dxt file from releases
  • Navigate to File → Settings → Extensions → Advanced settings → Install Extension…
  • Fill out the required fields, select Install and Enable

2.Install in Claude Desktop via Configuration File

Navigate to File → Settings → Developer → Edit Config

3.Open the claude_desktop_config.json file and add the following:

{
  "mcpServers": {
    "mcp-server-ntm": {
    "command": "uv",
    "args": [
        "run",
        "path/to/src/mcp_server_ntm/server.py"
    ],
      "env": {
        "NTM_URL": "https://example.com",
        "NTM_USERNAME": "your_ntm_username",
        "NTM_PASSWORD": "your_ntm_password"
      }
    }
  }
}

4.Restart Claude Desktop once you have finished with previous steps.

Configuration

If you installed using the dxt file, you will be presented with the following configuration screen (all fields are required):

  • NTM Server URL
  • Username (must be at least Reviewers level)
  • Password

Passwords are stored in the secure area of the local OS, see Claude Desktop for more details.

configure Netwrix Threat Manager MCP
configure Netwrix Threat Manager MCP602×472 75.1 KB

Use case examples

Here are some example prompts, and which tools are invoked, and how the LLM may respond. See below for tool details.

“Show me the most recent threats.”

  • get_recent_threats, no threat IDs, no perp IDs, default skip and take values.
  • The LLM may ask if you want to see more threats once this is complete, which will set the skip and take params accordingly.

“Find any users with the surname Hunter.”

  • find_users_by_name: using the string “Hunter” as name_search.
  • The tool will find any user with Hunter in their name, so it would also find those with a first name of Hunter. The LLM in this case will probably differentiate between those with the surname “Hunter” and those with it as a first name.

“I want to know which objects are stale.”

  • get_all_tags: the LLM will consider using get_objects_with_tag but then realises it needs to call this tool first.
  • get_objects_with_tag: set tag_id parameter using tag ID for “stale” as found in previous tool.

“Find me all threats for last Wednesday by users tagged as stale.”

  • get_all_tags: to fetch all tag IDs, then find the one for “stale”.
  • get_users_with_tag: to fetch all users tagged as stale.
  • get_threats_within_time_range: using the user IDs found, will fetch the 20 most recent threats from “last Wednesday”.
  • The LLM may repeat calls to the last tool to get all threats. For example if the first call returns 20, a safe assumption to make is that there is more, less than 20 means there is no point skipping and taking more.

Tools

Threat Discovery and Details:

  • get_threat_types - View all types of threats, their level, and if they are enabled.
  • get_recent_threats - Gets the most recent threats, optionally filtered by threat type, and optionally filtered by perpetrator.
  • threat_type_ids: Filter on threat types, obtained by get_threat_types tool. Empty list assumes all threats. (array, required)
  • perp_ids: Filter on perpetrators, obtained by get_threat_types tool. Empty list assumes all perpetrators. (array, required)
  • skip: Skip a number of records. Defaults to 0.
  • take: Take a number of records. Defaults to 20, maximum of 20.
  • get_threats_within_time_range - Gets threats within the given date and time range, optionally filtered by threat type, and optionally filtered by perpetrator.
  • start_time start date and time to search from. (datetime, required)
  • end_time end date and time to search until. (datetime, required)
  • threat_type_ids: Filter on threat types, obtained by get_threat_types tool. Empty list assumes all threats. (array, required)
  • perp_ids: Filter on perpetrators, obtained by get_threat_types tool. Empty list assumes all perpetrators. (array, required)
  • skip: Skip a number of records. Defaults to 0.
  • take: Take a number of records. Defaults to 20, maximum of 20.
  • get_details_for_threat - Gets details for the given threat.
  • threat_id: Threat ID, obtained by get_recent_threats and get_threats_within_time_range tools. (GUID, required)
  • get_recent_events_for_threat - Gets threats within the given date and time range, optionally filtered by threat type, and optionally filtered by perpetrator.
  • threat_id: Threat ID, obtained by get_recent_threats and get_threats_within_time_range tools. (GUID, required)
  • skip: Skip a number of records. Defaults to 0.
  • take: Take a number of records. Defaults to 20, maximum of 20.

User and Object Searching:

  • find_users_by_name - Finds all users by name. Partial matches will also be returned.
  • name_search: Partial or full name of user to search for, case is ignored. (string, required)
  • get_all_tags - Get tags available in NTM.
  • skip: Skip a number of records. Defaults to 0.
  • take: Take a number of records. Defaults to 20, maximum of 20.
  • get_objects_with_tag - Get all objects with the given tag ID.
  • tag_id: The tag ID to filter objects by. (integer, required)
  • get_users_with_tag - Get all users with the given tag ID.
  • tag_id: The tag ID to filter objects by, from get_all_tags tool. (integer, required)

Version:

  • get_ntm_version - Get the version of your Netwrix Threat Manager server.

Questions

If you need help using this MCP server or understanding your results, just reach out. We’re happy to help!