MCP server#

The Plixer One/Scrutinizer platform ships with a Model Context Protocol (MCP) server that allows the Plixer AI Assistant and external AI agents (e.g., Claude Code, Cline, etc.) to query network data, investigate alarms, work with Flow Analytics, and access documentation directly from a development environment.

Enabling remote access#

The MCP server is automatically started alongside the Scrutinizer service. To allow remote MCP clients to connect, do the following:

Note

If the remote AI assistant does not require SSL to connect to an MCP server, step 4 below can be skipped.

  1. Create a new authentication token for the Admin web interface user (a longer expiration is recommended for persistent setups).

  2. SSH to the Scrutinizer server (or the primary reporter in a distributed cluster) as the plixer user:

    ssh plixer@<SCRUTINIZER_IP>
    
  3. Edit /usr/lib/systemd/system/plixer_mcp.service to add the authentication token created in step 1 (MCP_AUTH_TOKEN):

    Environment=MCP_ACCESS_TOKEN=MCP_AUTH_TOKEN
    
  4. Reload the systemd manager and restart the MCP service to apply the updated configuration:

    sudo systemctl daemon-reload
    sudo systemctl restart plixer_mcp
    
  5. If the Scrutinizer server is not yet using a CA-signed SSL certificate, follow these instructions to replace the default self-signed certificate.

After the above steps have been completed, use the URL https://SCRUTINIZER_IP/mcp and the following authentication header to connect to the MCP server:

Authorization: Bearer MCP_AUTH_TOKEN

Note

Token validation uses constant-time comparison to reduce susceptibility to timing-based attacks.

Client configuration examples#

After remote access to the MCP server has been enabled, refer to the below examples to configure the authentication token (MCP_AUTH_TOKEN above) and transport settings for an external MCP client.

Claude Code#

  1. Add the MCP server:

    Command line

    Run the following from the terminal (replace SCRUTINIZER_IP and MCP_AUTH_TOKEN with the correct values):

    claude mcp add scrutinizer \
    https://SCRUTINIZER_IP/mcp \
    --transport http \
    --header "Authorization: Bearer MCP_AUTH_TOKEN"
    

    Note

    Append -s user to the first line to make the server available to all projects.

    settings.json

    Add the following to either .claude/settings.json or ~/.claude/settings.json (replace SCRUTINIZER_IP and YOUR_AUTH_TOKEN with the correct values):

    {
      "mcpServers": {
        "scrutinizer": {
          "type": "streamableHttp",
          "url": "https://SCRUTINIZER_IP/mcp",
          "headers": {
            "Authorization": "Bearer MCP_AUTH_TOKEN"
          }
        }
      }
    }
    
  2. Verify that the server has been successfully added:

    claude mcp list
    

    The output should include scrutinizer with the streamable HTTP transport.

Claude Desktop#

Edit claude_desktop_config.json (Claude Desktop > Developer > Edit Config) and add:

Note

  • Node.js must be installed on the Claude Desktop host.

  • Use C:\\PROGRA~1\\nodejs\\ if Node.js is in C:\Program Files\nodejs. If it was installed to a different folder/directory, use the equivalent 8.3 short path to avoid issues with spaces.

  • NODE_TLS_REJECT_UNAUTHORIZED: "0" is only required if the Scrutinizer server is using a self-signed certificate.

{
  "mcpServers": {
    "scrutinizer": {
      "command": "C:\\Windows\\System32\\cmd.exe",
      "args": [
        "/c",
        "C:\\PROGRA~1\\nodejs\\npx.cmd",
        "-y",
        "mcp-remote",
        "https://<scrutinizer-host>/mcp",
        "--transport",
        "http-only",
        "--header",
        "Authorization: Bearer MCP_ACCESS_TOKEN"
      ],
      "env": {
        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
      }
    }
  }
}

After saving the changes, completely close/exit Claude Desktop via the task manager. Scrutinizer tools should be available after the application is relaunched.

Cline#

Add the following to cline_mcp_settings.json (replace SCRUTINIZER_IP and YOUR_AUTH_TOKEN with the correct values):

{
  "mcpServers": {
    "scrutinizer": {
      "type": "streamableHttp",
      "url": "https://SCRUTINIZER_IP/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_AUTH_TOKEN"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

Tooling#

AI assistants can access the below tools through the MCP server.

Write actions/tools require the AI Write Tools setting to be enabled (under Admin > Settings > AI Settings). Read-only tools are always available.

Network reporting and analysis

Tool

Description

Access

scrutinizer_report

Execute Scrutinizer reporting queries using sdf* filters. Supports report types like conversations, host2host, srcHosts, dstHosts, applications, country2country, ipGroupGroup, etc.

Read-only

resolve_network_context

Look up IP groups, applications, exporters, protocols, countries, device groups, and interfaces using natural language embedding search.

Read-only

get_report_types_by_exporter

Get available report types for specific exporters by their hex IP addresses.

Read-only

resolve_username_to_ip

Look up IP addresses associated with a username from Active Directory, RADIUS, and Cisco ISE authentication data. Supports fuzzy matching.

Read-only

get_ip_details

Retrieve detailed IP information including geolocation, ASN, and hostname.

Read-only

lookup_host_index

Perform Host Index lookup for comprehensive traffic information about an IP address (DNS, first/last seen, traffic stats, peers).

Read-only

Parameters used by the scrutinizer_report tool

Parameter

Required

Description

report_type

Yes

Report type: conversations, host2host, srcHosts, dstHosts, applications, country2country, ipGroupGroup, etc.

time_range

Yes

Time range: LastFiveMinutes, LastHour, Today, Yesterday, Last24Hours, ThisWeek, LastWeek, CUSTOM

start_time

If CUSTOM

Unix epoch start time

end_time

If CUSTOM

Unix epoch end time

direction

No

inbound (default) or outbound

data_mode

No

saf (default) or traditional

rate_total

No

rate or total (default)

units

No

bits (default), bytes, or percent

max_rows

No

Maximum rows to return (default: 10)

timezone

No

Client timezone (default: America/New_York)

graph_type

No

Graph type: ridgeline, staggered_pie, step, line, bar, pie, donut, hidden, etc.

filters

No

Object of sdf* filters (see filter reference below)

tool_description

No

Human-readable description of the request

resolved_context

No

Resolved network context from resolve_network_context

Supported sdf* filters

Filters are passed as an object with keys like sdfDips_0, sdfIps_0, etc. Use in_ for include and ex_ for exclude prefixes. resolve_network_context should be used to look up valid object IDs before constructing filters.

Filter Type

Key Pattern

Value Format

Example

Device/Exporter

sdfDips_*

in_GROUP_ALL, in_0A0101DD_ALL, in_0A0101DD_eth0

"sdfDips_0": "in_GROUP_ALL"

IP Address

sdfIps_*

in_<ip>_src, in_<ip>_dst, in_<ip>_both

"sdfIps_0": "in_192.168.1.1_src"

Port

sdfPorts_*

in_<port>-<proto> (6=TCP, 17=UDP)

"sdfPorts_0": "in_80-6"

Country

sdfCountries_*

in_<code>_src, in_<code>_dst, in_<code>_both

"sdfCountries_0": "in_840_src"

Subnet

sdfIpns_*

in_<ip>_<mask>_src

"sdfIpns_0": "in_10.0.0.0_8_both"

IP Group

sdfIPGroups_*

in_<id>_src, in_<id>_dst

"sdfIPGroups_0": "in_3_src"

Protocol

sdfProts_*

in_<proto> (6=TCP, 17=UDP, 1=ICMP)

"sdfProts_0": "in_6"

Application

sdfApps_*

in_<id>, ex_<id>

"sdfApps_0": "in_42"

NBAR

sdfAppNbars_*

in_<name>

"sdfAppNbars_0": "in_http"

Domain

sdfDomains_*

in_<domain>_dst

"sdfDomains_0": "in_example.com_dst"

Search and documentation

Tool

Description

Access

search_documentation

Search Scrutinizer documentation for help content, configuration guides, and troubleshooting.

Read-only

search_policies

Search organizational policy documents for security policies, compliance rules, and access control.

Read-only

search_playbooks

Search playbooks and runbooks for operational procedures and incident response steps.

Read-only

search_ui_routes

Search documentation embeddings to find the UI page that best matches the user’s request.

Read-only

Collection management

Tool

Description

Access

create_scrutinizer_collection

Create a new collection with notes describing related events.

Write

add_collection_detail

Add a single detail entry (alarm, report, event, device, user, etc.) to a collection.

Write

add_collection_details

Add multiple detail entries to a collection in bulk.

Write

save_report

Save a report configuration so it can be referenced in a collection detail.

Write

create_executive_summary

Create or update a daily executive summary for NetOps or SecOps agents with risk scoring.

Write

Collection detail types

When adding details to a collection, the detail_type field determines the structure of detail_json:

Detail Type

ID

detail_json Structure

alarm_policy

1

{"policy_id": <int>, "payloadId": "<uuid>"}

alarm_violator

2

{"violator": "<ip>", "payloadId": "<uuid>"}

alarm_host

3

{"host": "<ip>", "payloadId": "<uuid>"}

alarm_target

4

{"target": "<ip>", "payloadId": "<uuid>"}

report

5

{"reportTypeLang": "<type>", "collection": "<token>", "saved": {"name": "<name>"}}

event

6

{"eventId": <int>}

event_list

7

{"name": "<name>", "payloadId": "<uuid>"}

device

8

{"device_ip": "<ip>", "device_name": "<name>"}

user

9

{"username": "<name>", "user_ip": "<ip>"}

service_now_ticket

10

{"instance": "<instance>", "ticket_id": "<number>"}

application

11

{"application_name": "<name>", "application_id": <int>}

Alarm and policy management

Tool

Description

Access

get_policies

Retrieve all alarm policies with descriptions.

Read-only

get_policies_by_category

Retrieve policies by category ID or name.

Read-only

get_alarms_by_policy

Retrieve alarms for a time range, optionally filtered by severity (critical, high, medium, low, info).

Read-only

get_alarms_by_entity_policy

Get entity information (violators, hosts, targets) for a specific policy.

Read-only

Flow Analytics security groups

Tool

Description

Access

list_security_groups

List all security groups with exporter and algorithm counts.

Read-only

get_security_group_details

Get detailed group info including assigned exporters and algorithms.

Read-only

create_security_group

Create a new security group (e.g., “Edge Routers”, “Branch Offices”).

Write

update_security_group

Update a security group’s name.

Write

add_exporters_to_security_group

Add exporters to a group by IP address.

Write

remove_exporters_from_security_group

Remove exporters from a group by IP address.

Write

delete_security_group

Delete a security group (must not be assigned to any algorithms).

Write

Flow Analytics algorithms

Tool

Description

Access

list_flow_analytics_algorithms

List all threat detection algorithms with names, tabs, and policy associations.

Read-only

get_flow_analytics_algorithm_details

Get full algorithm configuration, enabled state, and execution stats.

Read-only

update_flow_analytics_algorithm_settings

Update algorithm settings: enable/disable, syslog, alert, and custom parameters.

Write

get_flow_analytics_algorithm_exporters

Get exporters assigned to an algorithm (included and excluded).

Read-only

update_flow_analytics_algorithm_exporters

Update exporter assignments for an algorithm.

Write

get_flow_analytics_exclusion_config

Get exclusion configuration (returns fc_id needed for managing exclusions).

Read-only

list_flow_analytics_exclusions

List current IP/IP group exclusions for an algorithm.

Read-only

add_flow_analytics_exclusions

Add IP addresses or IP groups as exclusions. Auto-acknowledges existing alarms.

Write

remove_flow_analytics_exclusions

Remove exclusion rules by rule ID.

Write

ML detection exclusions

Tool

Description

Access

add_ml_ip_detection_exclusion

Add a single ML detection exclusion for an IP address.

Write

add_ml_ip_detection_exclusions

Add multiple ML detection exclusions in bulk.

Write

Supported ML detections:
  • bruteforce_serverssh

  • bruteforce_serverrdp-tcp

  • bruteforce_serverrdp-udp

  • bruteforce_clientssh

  • bruteforce_clientrdp

  • data_accum

  • data_exfil

  • dgl

  • lateral_movement

  • ml_malware_detection

  • ml_malware_detection_c&c

  • ml_malware_detection_ek

  • ml_malware_detection_miner

  • ml_malware_detection_rat

  • rogue_dhcp

  • rogue_dns

  • rogue_ldap

  • sigred

  • tunneling_int_clienticmp

  • tunneling_int_clientdns

  • tunneling_int_clientssh

  • tunneling_ext_clienticmp

  • tunneling_ext_clientdns

  • tunneling_ext_clientssh

  • worm

  • zerologon

  • all

Utilities

Tool

Description

Access

convert_timestamp

Convert datetime formats (ISO 8601, YYYY-MM-DD HH:MM:SS) to Unix epoch.

Read-only

get_current_time

Get system time in Unix timestamp, ISO 8601, and human-readable formats.

Read-only

create_packet_capture

Create a packet capture rule for specific traffic (server IP, client IP, port).

Write

Content embeddings#

External AI assistants are also able to access all default and custom embeddings through the MCP server’s search and documentation tools.

See this section to learn more about AI embeddings.