LogPulse exposes a remote MCP server over HTTP, so the agent you already work in — Claude Code, Cursor, Codex, or any MCP client — can search logs, triage security risk, check service health and walk your entity graph. Typed tools on top of LPQL, not raw database access. Read-only by default, scoped per token, and aware of your team's RBAC.
The Model Context Protocol (MCP) is an open standard for connecting AI agents to external tools and data. LogPulse implements it as a remote MCP server: a single HTTPS endpoint your agent connects to with a personal access token. Once connected, the agent sees a catalog of typed LogPulse tools and calls them directly — no copy-pasting query results, no scraping the dashboard. Because the tools are built on LPQL and run inside LogPulse, the agent gets fast, consistent, governed answers instead of writing raw SQL against your data.
In LogPulse, create a personal access token and pick the scopes the agent may use — logs, SIEM, services, entities. The token is tied to you and one organization, and can never grant more than your own access.
Add the LogPulse MCP endpoint to your agent with one command. Claude Code, Cursor and Codex all speak MCP over HTTP — point them at the endpoint with your token and they discover the tools automatically.
Ask your agent a question in your editor. It picks the right LogPulse tools — search_logs, get_risk_summary, get_service_health, get_blast_radius — runs them against your data, and reasons over the structured results.
Tools are read-only by default and honour your namespace RBAC. Every call is rate-limited and written to the audit log, and the few write tools create disabled drafts for a human to review.
The agent gets the same domain depth your team uses in the dashboard — search, security, observability and the cross-domain entity graph — each behind its own scope.
logs:read
search_logs, count_patterns, timeline_analysis, compare_timeranges, get_field_values and system_health — plus alerts, pipelines, dashboards and saved queries. The full read surface of the platform.
Tools: search_logs, count_patterns, timeline_analysis, compare_timeranges, get_field_values, system_health

siem:read
search_risk_events, get_risk_summary, list & get notables, list & get detections, get_ueba_baselines, mitre_coverage and lookup_ioc — risk-based SIEM, MITRE coverage and threat intel.
Tools: search_risk_events, get_risk_summary, list_notables, list_detections, mitre_coverage, lookup_ioc

services:read
get_service_health, list_anomalies, list_dependencies, list_services and list_incidents — service-level health, KPI anomalies and the dependency graph.
Tools: get_service_health, list_anomalies, list_dependencies, list_services, list_incidents

entities:read
get_entity, get_blast_radius and get_entity_risk_timeline — Entity 360 across security and observability, including blast radius.
Tools: get_entity, get_blast_radius, get_entity_risk_timeline

siem:write
create_detection turns the agent's findings into a saved detection rule — created disabled, so a human reviews and enables it. The only write tool, behind its own scope.
Tools: create_detection

Beyond callable tools, the server exposes MCP resources — an LPQL cheat sheet, your data models, saved queries and a detection guide — and prompts that steer the agent through the right sequence of tools for a task: triage a notable, check whether an IP is malicious, onboard a connector, or run a service health check.
Most clients connect in one click: add the LogPulse endpoint and authorize in your browser. A token works too, for CI and headless setups.
Add LogPulse to your agent and authorize it in your browser. OAuth 2.1 walks the user through consent on exactly the scopes you grant — no token to copy, store, or rotate by hand. It is the smoothest way to connect an interactive client like Claude Code, Cursor, or Codex.
Works with
Add the LogPulse endpoint with the Claude CLI, then approve the browser prompt. The tools appear instantly in any Claude Code session.
Add the LogPulse endpoint in Cursor's MCP settings and authorize it in your browser.
Any MCP client with remote-server and OAuth support connects the same way — Codex, Continue, or your own agent.
Prefer a token for CI or headless automation? See the MCP setup guide
An agent gateway into your logs has to be governed. LogPulse builds the guardrails in.
The MCP surface exposes read tools only. Writes are an explicit, scoped allowlist — today just create_detection, which inserts a disabled rule for human review.
Each token holds only the scopes you grant, and a tool the token can't reach is invisible to the agent. The token never exceeds your own namespace RBAC.
Every tool call is written to the audit log and rate-limited per token. Denied calls are logged too.
Every MCP call is emitted to an internal log stream and watched by built-in detections — abnormal call volume or an agent write raises a notable, on your own engine.
Tools run on your EU-hosted data and AI evaluation runs in the EU. Nothing leaves LogPulse to answer a question.
Tool output is treated as data, not instructions — a guard against prompt injection through your own logs. No auto-execute, no writes without a human.
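A minimal sketch of how the guardrails above fit together: a scope-filtered tool catalog, a namespace RBAC ceiling, a per-token rate limit, auditing of denied calls, and draft-only writes. This is an added example, not LogPulse's code; the `Gateway` class, token shape, decision strings and rate-limit value are assumptions, and only the tool and scope names come from the page.

```python
from dataclasses import dataclass, field

# Tool -> required scope, using names from the page (subset of the catalog).
TOOL_SCOPES = {
    "search_logs": "logs:read",
    "get_risk_summary": "siem:read",
    "get_service_health": "services:read",
    "get_blast_radius": "entities:read",
    "create_detection": "siem:write",
}

@dataclass
class Gateway:
    rate_limit: int = 3                        # assumed per-token call budget
    audit: list = field(default_factory=list)  # one record per call, allowed or not
    used: dict = field(default_factory=dict)   # token id -> allowed calls so far
    drafts: list = field(default_factory=list)

    def list_tools(self, token):
        """Catalog as the agent sees it: tools outside the token's scopes are absent."""
        return sorted(t for t, s in TOOL_SCOPES.items() if s in token["scopes"])

    def _decide(self, token, tool, args):
        if TOOL_SCOPES.get(tool) not in token["scopes"]:
            return "denied:scope"
        if args.get("namespace") not in token["namespaces"]:
            return "denied:rbac"               # token cannot exceed its owner's RBAC
        if self.used.get(token["id"], 0) >= self.rate_limit:
            return "denied:rate_limit"
        self.used[token["id"]] = self.used.get(token["id"], 0) + 1
        return "allow"

    def call(self, token, tool, args):
        decision = self._decide(token, tool, args)
        # Denied calls are audited too, so probing for hidden tools leaves a trace.
        self.audit.append({"token": token["id"], "tool": tool, "decision": decision})
        if decision != "allow":
            return {"error": decision}
        if tool == "create_detection":
            draft = {**args, "enabled": False}  # overrides any agent-supplied value
            self.drafts.append(draft)
            return draft
        return {"tool": tool, "rows": []}       # read path omitted in this sketch

# Constructed sample token: read logs and draft detections, "prod" namespace only.
SAMPLE_TOKEN = {"id": "pat-example", "scopes": {"logs:read", "siem:write"},
                "namespaces": {"prod"}}
```

The audit list is what a detection on abnormal call volume or agent writes would consume.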
Ask Claude or Cursor why a service is erroring; it searches your logs, correlates deploys and explains the root cause inline.
Pull an entity's risk summary, blast radius and recent notables, then ask the agent to draft a detection for what it found.
The agent reads your canonical data model and detection guide, then writes the pipeline and LPQL that fit your actual fields.
Have an agent assemble MITRE coverage, service health or incident summaries on a schedule — straight from the live platform.
It is a remote Model Context Protocol server that lets AI agents like Claude Code, Cursor and Codex call typed LogPulse tools — search, SIEM, service intelligence and the entity graph — over a single HTTPS endpoint, instead of scraping the dashboard or writing raw SQL.
Any MCP-capable client that supports remote servers over HTTP, including Claude Code, Cursor and Codex. You connect with a scoped personal access token, or with OAuth 2.1 for one-click sign-in.
Yes. The MCP surface is read-only by default, every token is scoped and bound by your namespace RBAC, all calls are rate-limited and audited, and the one write tool creates disabled detection drafts for human review. Data stays EU-hosted.
Search and investigate logs, query risk events and notables, check service health and dependencies, walk the cross-domain entity graph and blast radius, and — if you grant the write scope — draft new detection rules for a human to enable.
Yes. The MCP server is part of the LogPulse platform, governed by a per-token rate limit. Pricing stays flat — you are billed per plan, not per query or per agent.
Create a scoped access token and add LogPulse to Claude Code, Cursor or Codex in under a minute.