MCP server#
The Plixer One/Scrutinizer platform ships with a Model Context Protocol (MCP) server that allows the Plixer AI Assistant and external AI agents (e.g., Claude Code, Cline, etc.) to query network data, investigate alarms, work with Flow Analytics, and access documentation directly from a development environment.
Enabling remote access#
The MCP server is automatically started alongside the Scrutinizer service. To allow remote MCP clients to connect, do the following:
Note
If the remote AI assistant does not require SSL to connect to an MCP server, step 4 below can be skipped.
Create a new authentication token for the Admin web interface user (a longer expiration is recommended for persistent setups).
SSH to the Scrutinizer server (or the primary reporter in a distributed cluster) as the
plixeruser:ssh plixer@<SCRUTINIZER_IP>Edit
/usr/lib/systemd/system/plixer_mcp.serviceto add the authentication token created in step 1 (MCP_AUTH_TOKEN):Environment=MCP_ACCESS_TOKEN=MCP_AUTH_TOKEN
Reload the systemd manager and restart the MCP service to apply the updated configuration:
sudo systemctl daemon-reload sudo systemctl restart plixer_mcp
If the Scrutinizer server is not yet using a CA-signed SSL certificate, follow these instructions to replace the default self-signed certificate.
After the above steps have been completed, use the URL https://SCRUTINIZER_IP/mcp and the following authentication header to connect to the MCP server:
Authorization: Bearer MCP_AUTH_TOKEN
Note
Token validation uses constant-time comparison to reduce susceptibility to timing-based attacks.
Client configuration examples#
After remote access to the MCP server has been enabled, refer to the below examples to configure the authentication token (MCP_AUTH_TOKEN above) and transport settings for an external MCP client.
Claude Code#
Add the MCP server:
Command line
Run the following from the terminal (replace
SCRUTINIZER_IPandMCP_AUTH_TOKENwith the correct values):claude mcp add scrutinizer \ https://SCRUTINIZER_IP/mcp \ --transport http \ --header "Authorization: Bearer MCP_AUTH_TOKEN"
Note
Append
-s userto the first line to make the server available to all projects.settings.json
Add the following to either
.claude/settings.jsonor~/.claude/settings.json(replaceSCRUTINIZER_IPandYOUR_AUTH_TOKENwith the correct values):{ "mcpServers": { "scrutinizer": { "type": "streamableHttp", "url": "https://SCRUTINIZER_IP/mcp", "headers": { "Authorization": "Bearer MCP_AUTH_TOKEN" } } } }
Verify that the server has been successfully added:
claude mcp listThe output should include
scrutinizerwith the streamable HTTP transport.
Claude Desktop#
Edit claude_desktop_config.json (Claude Desktop > Developer > Edit Config) and add:
Note
Node.js must be installed on the Claude Desktop host.
Use
C:\\PROGRA~1\\nodejs\\if Node.js is inC:\Program Files\nodejs. If it was installed to a different folder/directory, use the equivalent 8.3 short path to avoid issues with spaces.NODE_TLS_REJECT_UNAUTHORIZED: "0"is only required if the Scrutinizer server is using a self-signed certificate.
{
"mcpServers": {
"scrutinizer": {
"command": "C:\\Windows\\System32\\cmd.exe",
"args": [
"/c",
"C:\\PROGRA~1\\nodejs\\npx.cmd",
"-y",
"mcp-remote",
"https://<scrutinizer-host>/mcp",
"--transport",
"http-only",
"--header",
"Authorization: Bearer MCP_ACCESS_TOKEN"
],
"env": {
"NODE_TLS_REJECT_UNAUTHORIZED": "0"
}
}
}
}
After saving the changes, completely close/exit Claude Desktop via the task manager. Scrutinizer tools should be available after the application is relaunched.
Cline#
Add the following to cline_mcp_settings.json (replace SCRUTINIZER_IP and YOUR_AUTH_TOKEN with the correct values):
{
"mcpServers": {
"scrutinizer": {
"type": "streamableHttp",
"url": "https://SCRUTINIZER_IP/mcp",
"headers": {
"Authorization": "Bearer YOUR_AUTH_TOKEN"
},
"disabled": false,
"autoApprove": []
}
}
}
Tooling#
AI assistants can access the below tools through the MCP server.
Write actions/tools require the AI Write Tools setting to be enabled (under Admin > Settings > AI Settings). Read-only tools are always available.
Network reporting and analysis
Tool |
Description |
Access |
|---|---|---|
|
Execute Scrutinizer reporting queries using sdf* filters. Supports report types like |
Read-only |
|
Look up IP groups, applications, exporters, protocols, countries, device groups, and interfaces using natural language embedding search. |
Read-only |
|
Get available report types for specific exporters by their hex IP addresses. |
Read-only |
|
Look up IP addresses associated with a username from Active Directory, RADIUS, and Cisco ISE authentication data. Supports fuzzy matching. |
Read-only |
|
Retrieve detailed IP information including geolocation, ASN, and hostname. |
Read-only |
|
Perform Host Index lookup for comprehensive traffic information about an IP address (DNS, first/last seen, traffic stats, peers). |
Read-only |
Parameters used by the scrutinizer_report tool
Parameter |
Required |
Description |
|---|---|---|
|
Yes |
Report type: |
|
Yes |
Time range: |
|
If CUSTOM |
Unix epoch start time |
|
If CUSTOM |
Unix epoch end time |
|
No |
|
|
No |
|
|
No |
|
|
No |
|
|
No |
Maximum rows to return (default: 10) |
|
No |
Client timezone (default: |
|
No |
Graph type: |
|
No |
Object of sdf* filters (see filter reference below) |
|
No |
Human-readable description of the request |
|
No |
Resolved network context from |
Supported sdf* filters
Filters are passed as an object with keys like sdfDips_0, sdfIps_0, etc. Use in_ for include and ex_ for exclude prefixes. resolve_network_context should be used to look up valid object IDs before constructing filters.
Filter Type |
Key Pattern |
Value Format |
Example |
|---|---|---|---|
Device/Exporter |
|
|
|
IP Address |
|
|
|
Port |
|
|
|
Country |
|
|
|
Subnet |
|
|
|
IP Group |
|
|
|
Protocol |
|
|
|
Application |
|
|
|
NBAR |
|
|
|
Domain |
|
|
|
Search and documentation
These tools perform embedding-based searches.
Tool |
Description |
Access |
|---|---|---|
|
Search Scrutinizer documentation for help content, configuration guides, and troubleshooting. |
Read-only |
|
Search organizational policy documents for security policies, compliance rules, and access control. |
Read-only |
|
Search playbooks and runbooks for operational procedures and incident response steps. |
Read-only |
|
Search documentation embeddings to find the UI page that best matches the user’s request. |
Read-only |
Collection management
Tool |
Description |
Access |
|---|---|---|
|
Create a new collection with notes describing related events. |
Write |
|
Add a single detail entry (alarm, report, event, device, user, etc.) to a collection. |
Write |
|
Add multiple detail entries to a collection in bulk. |
Write |
|
Save a report configuration so it can be referenced in a collection detail. |
Write |
|
Create or update a daily executive summary for NetOps or SecOps agents with risk scoring. |
Write |
Collection detail types
When adding details to a collection, the detail_type field determines the structure of detail_json:
Detail Type |
ID |
|
|---|---|---|
|
1 |
|
|
2 |
|
|
3 |
|
|
4 |
|
|
5 |
|
|
6 |
|
|
7 |
|
|
8 |
|
|
9 |
|
|
10 |
|
|
11 |
|
Alarm and policy management
Tool |
Description |
Access |
|---|---|---|
|
Retrieve all alarm policies with descriptions. |
Read-only |
|
Retrieve policies by category ID or name. |
Read-only |
|
Retrieve alarms for a time range, optionally filtered by severity ( |
Read-only |
|
Get entity information (violators, hosts, targets) for a specific policy. |
Read-only |
Flow Analytics security groups
Tool |
Description |
Access |
|---|---|---|
|
List all security groups with exporter and algorithm counts. |
Read-only |
|
Get detailed group info including assigned exporters and algorithms. |
Read-only |
|
Create a new security group (e.g., “Edge Routers”, “Branch Offices”). |
Write |
|
Update a security group’s name. |
Write |
|
Add exporters to a group by IP address. |
Write |
|
Remove exporters from a group by IP address. |
Write |
|
Delete a security group (must not be assigned to any algorithms). |
Write |
Flow Analytics algorithms
Tool |
Description |
Access |
|---|---|---|
|
List all threat detection algorithms with names, tabs, and policy associations. |
Read-only |
|
Get full algorithm configuration, enabled state, and execution stats. |
Read-only |
|
Update algorithm settings: enable/disable, syslog, alert, and custom parameters. |
Write |
|
Get exporters assigned to an algorithm (included and excluded). |
Read-only |
|
Update exporter assignments for an algorithm. |
Write |
|
Get exclusion configuration (returns |
Read-only |
|
List current IP/IP group exclusions for an algorithm. |
Read-only |
|
Add IP addresses or IP groups as exclusions. Auto-acknowledges existing alarms. |
Write |
|
Remove exclusion rules by rule ID. |
Write |
ML detection exclusions
Tool |
Description |
Access |
|---|---|---|
|
Add a single ML detection exclusion for an IP address. |
Write |
|
Add multiple ML detection exclusions in bulk. |
Write |
Supported ML detections:
bruteforce_serversshbruteforce_serverrdp-tcpbruteforce_serverrdp-udpbruteforce_clientsshbruteforce_clientrdpdata_accumdata_exfildgllateral_movementml_malware_detectionml_malware_detection_c&cml_malware_detection_ekml_malware_detection_minerml_malware_detection_ratrogue_dhcprogue_dnsrogue_ldapsigredtunneling_int_clienticmptunneling_int_clientdnstunneling_int_clientsshtunneling_ext_clienticmptunneling_ext_clientdnstunneling_ext_clientsshwormzerologonall
Utilities
Tool |
Description |
Access |
|---|---|---|
|
Convert datetime formats (ISO 8601, |
Read-only |
|
Get system time in Unix timestamp, ISO 8601, and human-readable formats. |
Read-only |
|
Create a packet capture rule for specific traffic (server IP, client IP, port). |
Write |
Content embeddings#
External AI assistants are also able to access all default and custom embeddings through the MCP server’s search and documentation tools.
See this section to learn more about AI embeddings.