Tenable Identity Exposure Server
БесплатноНе проверенExposes the Tenable Identity Exposure (TIE) REST API as tools for LLM clients, enabling queries on security profiles, activity timelines, AD objects, and more.
Описание
Exposes the Tenable Identity Exposure (TIE) REST API as tools for LLM clients, enabling queries on security profiles, activity timelines, AD objects, and more.
README
An MCP server exposing the Tenable Identity Exposure (TIE, formerly Tenable.ad) REST API as tools for LLM clients. Built on FastMCP from the official mcp SDK.
Verified end-to-end against a live TIE SaaS instance (v3.120.1).
⚠️ Disclaimer: This is not an officially supported Tenable project. It was built with assistance from Claude — treat its output as a starting point and validate responses against the Tenable console before acting on them.
Tools
| Tool | Description |
|---|---|
tie_catalog |
List available resources (flat + nested) — call this first |
tie_request |
Raw HTTP call to any endpoint (method, path, params, body) |
tie_resource_action |
Generic CRUD (list/get/create/update/delete) on flat resources |
tie_recent_activity |
Unified IoE+IoA timeline for the last N hours (one call) |
tie_profiles |
List security profiles (IoE/IoA data is profile-scoped) |
tie_scores |
Per-directory security scores for a profile |
tie_topology |
AD topology (domains, forests, trusts) for a profile |
tie_attacks |
IoA attack instances (requires resource_type + resource_value) |
tie_alerts |
Alerts for a profile |
tie_deviances |
IoE deviant AD objects for a checker within a time window |
tie_deviances_by_checker |
Full IoE deviances for a checker (no date filter) |
tie_deviances_by_directory |
Full IoE deviances for a directory (no date filter) |
tie_search_events |
Search AD security events in a date range |
tie_search_ad_objects |
Search AD objects (users/computers/groups/OUs) |
tie_whoami |
Current user identity, roles, permissions |
Time windows, profiles, and token budget
- Time-aware tools (
tie_recent_activity,tie_deviances) accept a relativehours=Nwindow or explicitdate_start/date_end. All timestamps are UTC. - IoE/IoA data is profile-scoped. The API does not expose which profile your
console has selected, so pass
profile_idexplicitly — usetie_profilesto list them. - By default, deviance/object results are slimmed: descriptions are rendered
from their templates and oversized attribute values (SID lists, member dumps)
are dropped. Pass
verbose=truefor the full raw payload.
Configuration
Set via environment variables (or --tie-url / --tie-api-key flags):
| Variable | Description |
|---|---|
TIE_URL |
Base URL, e.g. https://your-host.tenable.ad |
TIE_API_KEY |
API key (TIE console → System → Configuration → API key) |
TIE_VERIFY_SSL |
true (default) or false for self-signed certs |
Auth uses the X-API-Key header.
Install & run
python -m venv .venv && . .venv/bin/activate
pip install -e .
cp .env.example .env # fill in TIE_URL and TIE_API_KEY
# stdio (Claude Desktop / Claude Code)
set -a; . ./.env; set +a
tenable-tie-mcp
# or network transports
tenable-tie-mcp --transport sse --port 8000
tenable-tie-mcp --transport http --port 8000
Running with uv / uvx (alternative to a manual venv)
uv can manage the environment for you. uv is the
full tool; uvx (alias for uv tool run) runs a package in a throwaway env, like
npx. Both need uv installed (brew install uv).
# uv run: resolves deps from pyproject.toml into a managed .venv, then runs
uv run tenable-tie-mcp
# uvx: run ephemerally from the project path, nothing persisted
uvx --from . tenable-tie-mcp
Claude Desktop / Claude Code config
Use the full path to the executable. Claude Desktop does not launch from your
shell, so it does not inherit your PATH — a bare tenable-tie-mcp will fail with
"command not found" unless the tool is on the system PATH (e.g. a pipx install).
For a venv install, point at the venv's launcher:
{
"mcpServers": {
"tenable-tie": {
"command": "/absolute/path/to/tenable-ie-mcp/.venv/bin/tenable-tie-mcp",
"env": {
"TIE_URL": "https://your-host.tenable.ad",
"TIE_API_KEY": "your-key"
}
}
}
}
Find the exact path with echo "$PWD/.venv/bin/tenable-tie-mcp" from the project
root. See claude_desktop_config.sample.json for a complete example.
If you installed globally with
pipx install .(oruv tool install), the bare"command": "tenable-tie-mcp"works because it lands on the system PATH.
With uv (alternative)
Point command at the full path of uv (which uv, e.g. /opt/homebrew/bin/uv)
and let it manage the environment:
{
"mcpServers": {
"tenable-tie": {
"command": "/opt/homebrew/bin/uv",
"args": ["run", "--directory", "/absolute/path/to/tenable-ie-mcp", "tenable-tie-mcp"],
"env": {
"TIE_URL": "https://your-host.tenable.ad",
"TIE_API_KEY": "your-key"
}
}
}
}
Docker
docker compose up --build # reads TIE_URL / TIE_API_KEY from environment
Example prompts
- "Show me IoE and IoA activity in the last 12 hours." →
tie_recent_activity - "Which security profiles exist?" →
tie_profiles - "List the monitored directories and their security scores."
- "Show the latest IoA attacks against directory 8."
- "What IoE deviances appeared for checker 15 in the last day?" →
tie_deviances - "Show unread alerts for profile 2."
Notes
profile_iddefaults to1(the default Tenable profile) in the convenience tools.- Attacks must be scoped:
resource_type∈infrastructure|directory|hostname|ipandresource_valueis the id or name/ip. - Non-JSON responses are returned as
{"content_type": ..., "text": ...}rather than crashing. - Scoring and prioritization: TIE checkers carry a
remediationCost(easy / medium / hard) but no native asset-level severity score. If your workflow requires AES (Asset Exposure Score) or ACR (Asset Criticality Rating) — for example, to rank affected identities by business risk — connect your environment to Tenable One. Tenable One aggregates data across TIE, Tenable Vulnerability Management, and other sources to produce unified AES/ACR scores that can be surfaced here via the API.
Установка Tenable Identity Exposure Server
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/knethteo/tenable-identity-exposure-mcpFAQ
Tenable Identity Exposure Server MCP бесплатный?
Да, Tenable Identity Exposure Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Tenable Identity Exposure Server?
Нет, Tenable Identity Exposure Server работает без API-ключей и переменных окружения.
Tenable Identity Exposure Server — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Tenable Identity Exposure Server в Claude Desktop, Claude Code или Cursor?
Открой Tenable Identity Exposure Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare Tenable Identity Exposure Server with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
