Model Context Protocol

The Model Context Protocol (MCP) allows you to connect AI assistants like Claude and Cursor to external data sources and tools. This guide shows you how to set up RunReveal’s MCP server with both Claude and Cursor.

MCP Setup Options

RunReveal supports two MCP setup approaches, each designed for different deployment scenarios and authentication preferences:

Remote MCP connects to RunReveal’s hosted MCP server over HTTP/HTTPS, providing a seamless OAuth-based authentication experience. This approach is ideal for most users with hosted RunReveal deployments who want quick setup and don’t need to manage local processes.

Local MCP runs the RunReveal MCP server as a local process using the runreveal mcp command, with API token authentication. This approach is essential for on-premises deployments, air-gapped environments, or when you need fine-grained control over the MCP server process.

Remote MCP

Remote MCP allows you to connect to RunReveal’s hosted MCP server over HTTP/HTTPS. This enables you to:

Access your RunReveal data and tools from any AI assistant that supports MCP
Share MCP servers across multiple team members
Run MCP servers in production environments
Centralize data access and permissions
Use OAuth authentication for seamless setup

Setting Up with Claude

Prerequisites:

A RunReveal account with API access
Claude Desktop or Claude.ai account

Step 1: Add the Integration

In Claude, go to Add integration (BETA)
Enter the following details:
- Integration Name: RunReveal
- Server URL: https://api.runreveal.com/mcp

Claude MCP Setup Screen 1

Step 2: Trust the Integration

Claude will show a warning that this integration has not been verified by Anthropic. Click Add to proceed.

Step 3: Authorize with RunReveal

You’ll be redirected to RunReveal’s authorization page
Review the OAuth client information:
- Client Name: claudeai
- Client ID: (will be displayed)
Select your workspace from the dropdown
Click Continue to authorize the connection

Claude MCP Authorization

Alternative: Using Claude Code CLI

If you’re using Claude Code (the CLI tool), you can add the RunReveal MCP server directly from the command line:

claude mcp add -t http runreveal 'https://api.runreveal.com/mcp'

This command will:

Add the RunReveal MCP server to your Claude Code configuration
Use the identifier “runreveal” for the server

After running this command, the MCP server will be available in your Claude Code sessions, and you’ll go through the same OAuth authorization flow when first accessing RunReveal tools.

Step 4: Verify the Connection

Once authorized, you should see RunReveal listed in your Claude integrations with available tools:

Claude MCP Tools

The RunReveal MCP integration provides access to several tools:

detections_list - List all detection rules
detections_get - Get details for a specific detection
run_query - Execute SQL queries against your data
list_tables - View available data tables
get_table_schema - Get schema information for tables
detections_create - Create new detection rules
source_list - List available data sources

All currently available tools require appropriate OAuth scopes for your workspace. The detections_create tool requires write permissions, while other tools require read permissions. OAuth tokens are workspace-specific and use scopes rather than traditional roles.

Claude MCP Available Tools

Setting Up with Cursor

Prerequisites:

A RunReveal account with API access
Cursor IDE installed

Configuration:

Click this link:

Or, manually add this to your configuration:

{
  "mcpServers": {
    "RunReveal": {
      "url": "https://api.runreveal.com/mcp"
    }
  }
}

Authentication Flow:

Similar to Claude, Cursor will redirect you to RunReveal’s OAuth authorization page where you can:

Select your workspace
Grant the necessary permissions (OAuth scopes)
Complete the OAuth flow

The MCP endpoint requires an Authorization header with a Bearer token. OAuth tokens are workspace-specific and use scopes that determine your permissions for the available tools.

Troubleshooting

Connection Issues:

Verify your RunReveal API credentials are valid
Check that you have the necessary permissions in your workspace
Ensure the MCP server URL is correct: https://api.runreveal.com/mcp

Authentication Problems:

Clear your browser cookies and retry the OAuth flow
Make sure you’re selecting the correct workspace during authorization
Contact RunReveal support if you continue having issues

Security Considerations:

The MCP connection uses OAuth for secure authentication
Tools respect your existing RunReveal permissions and access controls
All data transmission is encrypted over HTTPS
You can revoke access at any time through your RunReveal workspace settings

Local MCP

Local MCP runs the RunReveal MCP server as a local process, ideal for:

On-premises RunReveal deployments
Custom API endpoints
API token-based authentication

Prerequisites

RunReveal CLI installed (brew install runreveal)
API token with appropriate permissions
Workspace ID
Custom base URL (for on-premises deployments)

Environment Variables

Set the following environment variables for your local MCP server:

export RUNREVEAL_TOKEN="your-api-token-here"
export RUNREVEAL_WORKSPACE="your-workspace-id-here"
export RUNREVEAL_BASEURL="https://api.runreveal.com"  # or your on-prem URL

For on-premises deployments:

export RUNREVEAL_BASEURL="https://api.YOUR_BASE_DOMAIN.runreveal.com"

Getting Your API Token:

Copy your API token directly from the RunReveal UI:

Go to your RunReveal workspace
Navigate to Settings → API Tokens
Copy the token value (it will be in the format that works with the local MCP server)
Use this token value in your RUNREVEAL_TOKEN environment variable

Setting Up with Claude and Cursor

Add this configuration to your Claude or Cursor MCP settings:

{
  "mcpServers": {
    "runreveal": {
      "command": "runreveal",
      "args": ["mcp"],
      "env": {
        "RUNREVEAL_TOKEN": "your-api-token-here",
        "RUNREVEAL_WORKSPACE": "your-workspace-id-here",
        "RUNREVEAL_BASEURL": "https://api.runreveal.com"
      }
    }
  }
}

The configuration is identical for both Claude and Cursor when using local MCP.

Authentication Differences

Local MCP (API Token):

Requires explicit API token setup
No OAuth flow needed
Works with on-premises deployments
Token must have appropriate permissions

⚠️

API Token Required: Local MCP setup requires an API token and does not inherit your existing authentication. Make sure your token has the necessary permissions for the tools you plan to use.

Troubleshooting

Connection Issues:

Verify your API token is valid and has appropriate permissions
Check that RUNREVEAL_WORKSPACE is set to the correct workspace ID
Ensure RUNREVEAL_BASEURL points to the correct API endpoint
Test your CLI connection: runreveal workspaces list

Authentication Problems:

Verify your API token hasn’t expired
Check that the token has the necessary permissions for MCP tools
Ensure environment variables are properly set in your MCP configuration
Test token authentication: runreveal logs query "SELECT 1 LIMIT 1"

Security Considerations:

API tokens provide secure authentication without OAuth flow
Tokens can be scoped to specific permissions and workspaces
All data transmission is encrypted over HTTPS
You can revoke or rotate API tokens through your RunReveal workspace settings
Environment variables should be kept secure and not shared

Available Tools and Capabilities

Once connected, both Claude and Cursor can help you with:

Data Analysis

Query your log data with natural language
Explore table schemas and relationships
Generate SQL queries for complex analysis
List and explore available data sources

Detection Management

List and review existing detection rules
Create new detections based on your requirements
Get detailed information about specific detections

Security Operations

Investigate security events and incidents
Analyze patterns in your data
Generate reports and summaries

Example Usage

Once set up, you can ask your AI assistant questions like:

“Show me all failed login attempts from the last 24 hours”
“What detection rules do we have for privilege escalation?”
“Create a new detection for suspicious file downloads”
“What tables contain network traffic data?”
“List all available data sources in my workspace”

Tool Access Issues

Verify your RunReveal user/token has appropriate OAuth scopes for the tools you’re trying to use
OAuth tokens are workspace-specific and use scopes rather than traditional roles
For local MCP, ensure your API token has the necessary permissions for the tools you plan to use
The detections_create tool requires write permissions, while other tools require read permissions

Next Steps

With MCP set up, you can now leverage AI assistants to:

Streamline your security operations workflows
Get natural language insights from your data
Automate common detection and analysis tasks
Collaborate more effectively with your security team

Native AI Chat Custom Prompts