cvalentine99/EH-2-TenX
3.2
If you are the rightful owner of EH-2-TenX and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to dayong@mcphub.com.
The ExtraHop Reveal(x) MCP Server is a production-ready server that exposes ExtraHop Reveal(x) telemetry for agentic SOC workflows.
Tools
10
Resources
0
Prompts
0
ExtraHop Reveal(x) MCP Server
Production-ready MCP server exposing ExtraHop Reveal(x) telemetry for agentic SOC workflows.
Copyright © 2025 ExtraHop Networks, Inc. All rights reserved.
Author: Chase Valentine (chasev@extrahop.com)
This software is proprietary and confidential. See for details.
Built with the framework, this server bridges ExtraHop's REST API to the Model Context Protocol, enabling AI agents to:
- Query network detections and security alerts
- Search device metadata and flow records
- Retrieve behavioral metrics for anomaly analysis
- Access SOC telemetry via standardized MCP resources
Architecture
┌──────────────────────────────────────────────────────────────┐
│ AI Agent / MCP Client │
│ (Any MCP-compatible client) │
└────────────────────┬─────────────────────────────────────────┘
│ MCP Protocol (JSON-RPC 2.0)
│ stdio / TCP / HTTP
┌────────────────────▼─────────────────────────────────────────┐
│ ExtraHop MCP Server (Rust) │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ MCP Resources │ │
│ │ • extrahop://devices │ │
│ │ • extrahop://detections │ │
│ │ • extrahop://alerts │ │
│ │ • extrahop://device/{id} │ │
│ │ • extrahop://detection/{id} │ │
│ └────────────────────────────────────────────────────────┘ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ MCP Tools │ │
│ │ • search_devices │ │
│ │ • search_detections │ │
│ │ • get_detection_investigations │ │
│ │ • update_detection │ │
│ │ • query_metrics │ │
│ │ • search_records │ │
│ └────────────────────────────────────────────────────────┘ │
└────────────────────┬─────────────────────────────────────────┘
│ Subprocess Bridge
┌────────────────────▼─────────────────────────────────────────┐
│ ExtraHop Python Client │
│ (extrahop_client.py + extrahop_bridge.py) │
└────────────────────┬─────────────────────────────────────────┘
│ HTTPS REST API
┌────────────────────▼─────────────────────────────────────────┐
│ ExtraHop Reveal(x) │
│ 192.168.50.157 │
└──────────────────────────────────────────────────────────────┘
Features
MCP Tools (10)
| Tool | Description | Parameters |
|---|---|---|
search_devices | Find devices by IP, class, etc. | ipaddr, device_class, limit |
get_device | Get device details by ID | device_id |
search_detections | Query security detections | from_time, min_risk_score, categories, status |
get_detection | Get detection details | detection_id |
update_detection | Update detection status/assignee | detection_id, status, assignee, ticket_id |
get_detection_investigations | Get related investigations | detection_id |
query_metrics | Retrieve time-series metrics | object_ids, metric_category, metrics, lookback_mins |
search_records | Search flow logs | from_time, types, limit |
list_alerts | List alert configurations | - |
get_alert | Get alert details | alert_id |
MCP Resources (6)
| URI Template | Description |
|---|---|
extrahop://devices | All discovered devices |
extrahop://device/{id} | Specific device by ID |
extrahop://detections | Active detections (last 24h) |
extrahop://detection/{id} | Specific detection by ID |
extrahop://alerts | Alert configurations |
extrahop://alert/{id} | Specific alert by ID |
Installation
Prerequisites
- Rust 1.75+ (for building the MCP server)
- Python 3.7+ (for ExtraHop client)
- ExtraHop Reveal(x) appliance with API access
Build
cd /home/cvalentine/TenX/extrahop-mcp
cargo build --release
Configuration
Method 1: Environment Variables
export EXTRAHOP_HOSTNAME="192.168.50.157"
export EXTRAHOP_API_KEY="your-api-key-here"
export EXTRAHOP_CLIENT_SCRIPT="/home/cvalentine/spark-dev-workspace/ExtraHop Agentic AI/extrahop_bridge.py"
Method 2: Configuration File
# config.toml
hostname = "192.168.50.157"
api_key = "your-api-key-here"
python_path = "python3"
client_script = "/home/cvalentine/spark-dev-workspace/ExtraHop Agentic AI/extrahop_bridge.py"
verify_ssl = false
Method 3: Command Line Arguments
./target/release/extrahop-mcp \
--hostname 192.168.50.157 \
--api-key "your-api-key" \
--client-script "/path/to/extrahop_bridge.py"
Usage
Stdio Mode (Default)
For MCP-compatible AI agents and clients:
./target/release/extrahop-mcp stdio
TCP Mode (Debugging)
For testing with mcptool:
# Terminal 1: Start server
./target/release/extrahop-mcp tcp --port 3000
# Terminal 2: Test with mcptool
mcptool connect localhost:3000
HTTP Mode
For web-based MCP clients:
./target/release/extrahop-mcp http --port 8080
Examples
1. Search for High-Risk Detections
# Using mcptool
mcptool connect localhost:3000
> calltool search_detections --arg from_time=-86400000 --arg min_risk_score=80
Response:
{
"detections": [
{
"id": 12345,
"title": "Suspicious Outbound Connection",
"risk_score": 95,
"category": "sec.intrusion",
"status": null
}
]
}
2. Get Device Details
> calltool get_device --arg device_id=100
Response:
{
"id": 100,
"display_name": "web-server-01",
"ipaddr4": ["10.0.1.50"],
"device_class": "server",
"vendor": "Dell",
"software": ["Apache/2.4.41"]
}
3. Update Detection Status
> calltool update_detection \
--arg detection_id=12345 \
--arg status="in_progress" \
--arg assignee="analyst@company.com" \
--arg ticket_id="INC-67890"
4. Query HTTP Metrics
> calltool query_metrics \
--arg object_ids='[100, 101]' \
--arg object_type="device" \
--arg metric_category="http" \
--arg metrics='["req", "rsp", "error"]' \
--arg lookback_mins=60
5. Search Flow Records
> calltool search_records \
--arg from_time="-3600000" \
--arg types='["~http"]' \
--arg limit=100
6. Access Resources
> readresource extrahop://detections
> readresource extrahop://device/100
> readresource extrahop://detection/12345
Agentic Workflow Example
Scenario: AI agent investigates a security detection
# Agent reasoning:
# "Find all high-risk detections in the last hour and gather context"
# 1. Search for critical detections
detections = mcp_client.call_tool("search_detections", {
"from_time": -3600000, # Last hour
"min_risk_score": 90,
"status": [".none"] # Open only
})
# 2. For each detection, get device context
for detection in detections:
participants = detection.get("participants", [])
device_ids = [p["object_id"] for p in participants if p["object_type"] == "device"]
# 3. Get device details
for device_id in device_ids:
device = mcp_client.call_tool("get_device", {"device_id": device_id})
# 4. Query behavioral metrics
metrics = mcp_client.call_tool("query_metrics", {
"object_ids": [device_id],
"object_type": "device",
"metric_category": "http",
"metrics": ["req", "error"],
"lookback_mins": 120
})
# 5. Get related investigations
investigations = mcp_client.call_tool("get_detection_investigations", {
"detection_id": detection["id"]
})
# 6. Update with findings
mcp_client.call_tool("update_detection", {
"detection_id": detection["id"],
"status": "in_progress",
"assignee": "ai-triage@company.com",
"ticket_id": f"AUTO-{detection['id']}"
})
Testing
Validate Configuration
./target/release/extrahop-mcp test
List Available Tools
# Start server in TCP mode
./target/release/extrahop-mcp tcp &
# Query tools
mcptool mcp listtools localhost:3000
Run Integration Test
# Using mcptool with script
cat <<EOF > test_script.mcp
listtools
listresources
calltool search_devices --arg limit=1
EOF
mcptool connect localhost:3000 --script test_script.mcp
File Structure
extrahop-mcp/
├── Cargo.toml # Rust project manifest
├── README.md # This file
├── src/
│ ├── main.rs # CLI entry point (stdio/TCP/HTTP)
│ ├── lib.rs # Library exports
│ ├── server.rs # MCP server with tools & resources
│ ├── bridge.rs # Python subprocess bridge
│ ├── config.rs # Configuration management
│ └── types.rs # ExtraHop type definitions
└── examples/
└── (future examples)
Related files:
../spark-dev-workspace/ExtraHop Agentic AI/
├── extrahop_client.py # Python ExtraHop REST client
├── extrahop_bridge.py # Bridge script (called by Rust)
└── example_usage.py # Python client examples
Troubleshooting
"Client script not found"
Set the EXTRAHOP_CLIENT_SCRIPT environment variable:
export EXTRAHOP_CLIENT_SCRIPT="/home/cvalentine/spark-dev-workspace/ExtraHop Agentic AI/extrahop_bridge.py"
"Python subprocess error"
- Verify Python dependencies:
pip install requests - Test bridge directly:
python3 extrahop_bridge.py \
--hostname 192.168.50.157 \
--api-key "your-key" \
<<< '{"method": "devices.search", "params": {"limit": 1}}'
"Connection refused"
Ensure ExtraHop appliance is accessible:
curl -k https://192.168.50.157/api/v1/extrahop
Performance
- Cold start: ~100ms (Rust binary + Python subprocess)
- Tool execution: 200-500ms (depends on ExtraHop API latency)
- Resource reads: 300-1000ms (depends on data volume)
- Concurrent requests: Supported via Tokio async runtime
Security Considerations
- API Keys: Store in environment variables or secure vault (never commit to git)
- SSL Verification: Enable
verify_ssl = truefor production - Network Access: Restrict MCP server to trusted networks only
- Least Privilege: Use ExtraHop API keys with minimal required permissions
Roadmap
- Caching layer for frequently accessed resources
- WebSocket subscriptions for real-time detection updates
- Bulk operations for detection triage
- Integration with TenX AI SOC for unified telemetry
- CUDA-accelerated log parsing on DGX
- Normalized schema for cross-source correlation
Related Projects
- - Rust MCP protocol implementation
- - MCP server testing CLI
- - Rust IDE via MCP
License
MIT
Contributing
For feature requests or bug reports, contact the TenX SOC integration team.