Netwrix Threat Manager now supports natural language querying of investigation data through integration with the Model Context Protocol (MCP).
Download to get started: GitHub - Releases: netwrix/mcp-server-ntm
This means you can access Threat Manager investigation data through AI tools such as Claude Desktop without writing a single query. Ask questions in plain English, or any language you prefer, and get immediate, actionable answers. That lets you search for specific threats at any point in time without deep expertise in the Threat Manager search interface, build complex searches across multiple criteria and fields, and identify and analyse patterns by correlating different activity events.
You remain in full control of the integration: the MCP server is deployed in your environment, you decide what data is accessible to AI tools, and all queries are logged - giving you speed and visibility without sacrificing oversight.
What You Can Do with MCP + Netwrix Threat Manager
Use natural language prompts to unlock insights from Netwrix Threat Manager investigations.
Here are just a few things available with this integration:
- Threat Monitoring: View the most recent threats or those within a specified time frame.
- Filtering: Filter threats by one or more perpetrators or by threat types.
- Details and Events: Dive into the details and get the events that triggered a given threat.
- Searching: Find objects and users, search by name or tag, and list tags.
- Links: Usable links back to NTM (login required).
- Complex Queries: Ask more complex questions that combine tools intelligently for a more targeted answer.
Key Limitations
It’s important to understand what the MCP server cannot do:
- No State-in-Time (SIT) Data Access: The server cannot retrieve or analyze point-in-time snapshots.
- No Configuration Capabilities: The server cannot be used to configure Threat Manager.
- Read-Only Access: The server only provides read access to historical activity records.
- Historical Data Only: The server queries existing audit data; it does not provide real-time monitoring or alerting.
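The two controls this post leans on, a read-only tool surface and a log entry for every query, are easy to see in a small gateway. The following is an added example, not code from the netwrix/mcp-server-ntm project: the tool names, the threat record schema, the sample records, the principal name and the audit-log format are all hypothetical, and the request and response shape is only loosely modelled on MCP's JSON-RPC `tools/call` exchange. It shows an allowlist that exposes only read-only tools, a denied response for anything outside that list, and an audit record written whether a call succeeds, is rejected, or carries bad arguments.

```python
"""Illustrative read-only MCP-style tool gateway with an audit log.

Added example; not the netwrix/mcp-server-ntm implementation. Tool names,
record schema, sample data and log format are hypothetical.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample of investigation records (hypothetical schema).
SAMPLE_THREATS = [
    {"id": 1, "type": "Brute Force", "perpetrator": "alice", "time": "2024-05-01T10:00:00Z"},
    {"id": 2, "type": "Data Exfiltration", "perpetrator": "bob", "time": "2024-05-02T11:30:00Z"},
    {"id": 3, "type": "Brute Force", "perpetrator": "bob", "time": "2024-05-03T09:15:00Z"},
]


def list_recent_threats(limit: int = 10) -> list[dict]:
    """Most recent threats first (hypothetical tool)."""
    return sorted(SAMPLE_THREATS, key=lambda t: t["time"], reverse=True)[:limit]


def filter_threats(perpetrator: str | None = None, threat_type: str | None = None) -> list[dict]:
    """Filter by perpetrator and/or threat type (hypothetical tool)."""
    return [
        t for t in SAMPLE_THREATS
        if (perpetrator is None or t["perpetrator"] == perpetrator)
        and (threat_type is None or t["type"] == threat_type)
    ]


# The only tools the AI client can reach. Nothing here mutates state, and a
# configuration or write tool simply is not registered, so it cannot be called.
READ_ONLY_TOOLS = {
    "list_recent_threats": list_recent_threats,
    "filter_threats": filter_threats,
}


@dataclass
class AuditLog:
    """In-memory audit trail; a real deployment would ship this to a SIEM."""
    entries: list[dict] = field(default_factory=list)

    def record(self, principal: str, tool: str | None, args: dict, outcome: str) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "principal": principal,
            "tool": tool,
            "arguments": args,
            "outcome": outcome,
        })


def _error(request: dict, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": request.get("id"), "error": {"code": code, "message": message}}


def handle_tool_call(request: dict, principal: str, log: AuditLog) -> dict:
    """Dispatch one tools/call request; every path writes an audit entry."""
    params = request.get("params", {})
    name = params.get("name")
    args = params.get("arguments", {}) or {}

    tool = READ_ONLY_TOOLS.get(name)
    if tool is None:
        log.record(principal, name, args, "denied")
        return _error(request, -32601, f"tool not exposed: {name}")
    try:
        result = tool(**args)
    except TypeError as exc:  # unknown or malformed arguments
        log.record(principal, name, args, "invalid_arguments")
        return _error(request, -32602, str(exc))

    log.record(principal, name, args, "ok")
    return {
        "jsonrpc": "2.0",
        "id": request.get("id"),
        "result": {"content": [{"type": "text", "text": json.dumps(result)}]},
    }


if __name__ == "__main__":
    audit = AuditLog()
    call = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": "filter_threats", "arguments": {"perpetrator": "bob"}}}
    print(json.dumps(handle_tool_call(call, "analyst@example", audit), indent=2))
    print(json.dumps(audit.entries, indent=2))
```

The design choice worth copying is that the allowlist is the dispatch table itself: there is no separate "is this allowed" check to forget, and the audit record is written before the response is returned, so a denied call and a successful call leave the same kind of evidence for later review.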
How to Get Started
This integration is available now on GitHub. To try it, you’ll need:
- Netwrix Threat Manager installed and populated with data.
- An MCP-compatible AI tool—such as Claude Desktop or Claude for Work.
- Basic familiarity with Python or container tools.
Access the MCP Server Implementation Here:
We’d Love to Hear From You
We’re always happy to hear from our users—what you like and what you hope to see in the future. Please share your thoughts below, and you might see one of your suggestions implemented soon!
