This Model Context Protocol (MCP) server enables AI assistants to interface directly with Netwrix Threat Manager (NTM), enhancing your organization's threat management capabilities.
- Threat Monitoring: View the most recent threats or those within a specified time frame.
- Filtering: Filter threats by one or more perpetrators or by threat types.
- Details and Events: Dive into the details and get the events that triggered a given threat.
- Searching: Find objects and users, search by name or tag, and list tags.
- Links: Usable links back to NTM (login required).
- Complex Queries: Ask more complex questions that combine tools intelligently for a more targetted answer.
Here are some example prompts, and which tools are invoked, and how the LLM may respond. See below for tool details.
-
"Show me the most recent threats."
get_recent_threats, no threat IDs, no perp IDs, defaultskipandtakevalues.- The LLM may ask if you want to see more threats once this is complete, which will set the
skipandtakeparams accordingly.
-
"Find any users with the surname Hunter."
find_users_by_name: using the string "Hunter" asname_search.- The tool will find any user with Hunter in their name, so it would also find those with a first name of Hunter. The LLM in this case will probably differentiate between those with the surname "Hunter" and those with it as a first name.
-
"I want to know which objects are stale."
get_all_tags: the LLM will consider using get_objects_with_tag but then realises it needs to call this tool first.get_objects_with_tag: settag_idparameter using tag ID for "stale" as found in previous tool.
-
"Find me all threats for last Wednesday by users tagged as stale."
get_all_tags: to fetch all tag IDs, then find the one for "stale".get_users_with_tag: to fetch all users tagged as stale.get_threats_within_time_range: using the user IDs found, will fetch the 20 most recent threats from "last Wednesday".- The LLM may repeat calls to the last tool to get all threats. For example if the first call returns 20, a safe assumption to make is that there is more, less than 20 means there is no point skipping and taking more.
-
get_threat_types - View all types of threats, their level, and if they are enabled.
-
get_recent_threats - Gets the most recent threats, optionally filtered by threat type, and optionally filtered by perpetrator.
threat_type_ids: Filter on threat types, obtained by get_threat_types tool. Empty list assumes all threats. (array, required)perp_ids: Filter on perpetrators, obtained by get_threat_types tool. Empty list assumes all perpetrators. (array, required)skip: Skip a number of records. Defaults to 0.take: Take a number of records. Defaults to 20, maximum of 20.
-
get_threats_within_time_range - Gets threats within the given date and time range, optionally filtered by threat type, and optionally filtered by perpetrator.
start_timestart date and time to search from. (datetime, required)end_timeend date and time to search until. (datetime, required)threat_type_ids: Filter on threat types, obtained by get_threat_types tool. Empty list assumes all threats. (array, required)perp_ids: Filter on perpetrators, obtained by get_threat_types tool. Empty list assumes all perpetrators. (array, required)skip: Skip a number of records. Defaults to 0.take: Take a number of records. Defaults to 20, maximum of 20.
-
get_details_for_threat - Gets details for the given threat.
threat_id: Threat ID, obtained by get_recent_threats and get_threats_within_time_range tools. (GUID, required)
-
get_recent_events_for_threat - Gets threats within the given date and time range, optionally filtered by threat type, and optionally filtered by perpetrator.
threat_id: Threat ID, obtained by get_recent_threats and get_threats_within_time_range tools. (GUID, required)skip: Skip a number of records. Defaults to 0.take: Take a number of records. Defaults to 20, maximum of 20.
-
find_users_by_name - Finds all users by name. Partial matches will also be returned.
name_search: Partial or full name of user to search for, case is ignored. (string, required)
-
get_all_tags - Get tags available in NTM.
skip: Skip a number of records. Defaults to 0.take: Take a number of records. Defaults to 20, maximum of 20.
-
get_objects_with_tag - Get all objects with the given tag ID.
tag_id: The tag ID to filter objects by. (integer, required)
-
get_users_with_tag - Get all users with the given tag ID.
tag_id: The tag ID to filter objects by, from get_all_tags tool. (integer, required)
- get_ntm_version - Get the version of your Netwrix Threat Manager server.
Prequisites:
-
Install uv, a Python project manager
-
Clone the repository (or download it as a zip)
To clone the repository:
git clone https://github.com/netwrix/mcp-server-ntm.git-
Download the latest
mcp_server_ntm.dxtfile from releases -
Double-click to open with Claude Desktop (may have to find Claude Desktop to "Open with...")
-
Click "Install"
- Download the latest
mcp_server_ntm.dxtfile from releases - Navigate to
File -> Settings -> Extensions -> Advanced settings -> Install Extension... - Fill out the required fields, select Install and Enable
- Navigate to
File -> Settings -> Developer -> Edit Config
Open the claude_desktop_config.json file and add the following:
{
"mcpServers": {
"mcp-server-ntm": {
"command": "uv",
"args": [
"run",
"path/to/src/mcp_server_ntm/server.py"
],
"env": {
"NTM_URL": "https://example.com",
"NTM_USERNAME": "your_ntm_username",
"NTM_PASSWORD": "your_ntm_password"
}
}
}
}Then, restart Claude Desktop.
Once installed, you will be presented with the following configuration screen. All fields are required.
- NTM Server URL
- Username (must be at least Reviewers level)
- Password
Passwords are stored in the secure area of the local OS, see Claude Desktop for more details.
This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.
If you need help using this MCP server, want to better understand your results, or would like to share feedback, visit the Netwrix Community - we’re here to help and eager to hear about your experience!