Skip to main content
MCP Servers / Tenable Identity Exposure MCP Server

Tenable Identity Exposure MCP Server

Contributed

MCP server exposing the Tenable Identity Exposure (TIE) API as tools for LLM clients.

Author knethteo
Transport both
Runtime python
Auth api-key
License MIT
Added Jul 8, 2026

Compatible Clients

Claude DesktopClaude Code

Integrations

Tenable

Tools (15)

  1. tie_catalog

    List available resources (flat + nested) — call this first.

  2. tie_request

    Raw HTTP call to any endpoint (method, path, params, body).

  3. tie_resource_action

    Generic CRUD (list/get/create/update/delete) on flat resources.

  4. tie_recent_activity

    Unified IoE+IoA timeline for the last N hours in one call.

  5. tie_profiles

    List security profiles (IoE/IoA data is profile-scoped).

  6. tie_scores

    Per-directory security scores for a profile.

  7. tie_topology

    AD topology (domains, forests, trusts) for a profile.

  8. tie_attacks

    IoA attack instances (requires resource_type + resource_value).

  9. tie_alerts

    Alerts for a profile.

  10. tie_deviances

    IoE deviant AD objects for a checker within a time window.

  11. tie_deviances_by_checker

    Full IoE deviances for a checker (no date filter).

  12. tie_deviances_by_directory

    Full IoE deviances for a directory (no date filter).

  13. tie_search_events

    Search AD security events in a date range.

  14. tie_search_ad_objects

    Search AD objects (users/computers/groups/OUs).

  15. tie_whoami

    Current user identity, roles, and permissions.

Tags

tenableidentity-exposureactive-directoryioeioasecurity

An MCP server exposing the Tenable Identity Exposure (TIE, formerly Tenable.ad) REST API as tools for LLM clients. Built on FastMCP from the official mcp SDK and verified end-to-end against a live TIE SaaS instance.

This is not an officially supported Tenable project. Validate responses against the Tenable console before acting on them.

What it does

Turns the Tenable Identity Exposure API into 15 LLM-callable tools spanning both Indicators of Exposure (IoE) and Indicators of Attack (IoA). Highlights:

  • Unified activity timelinetie_recent_activity merges IoE deviances and IoA attacks for the last N hours in a single call.
  • Security posture — list security profiles, per-directory security scores, and AD topology (domains, forests, trusts).
  • Deviance investigation — pull IoE deviances by time window, checker, or directory, with rendered descriptions and slimmed payloads to conserve token budget.
  • AD search — query AD objects (users, computers, groups, OUs) and security events over a date range.
  • Escape hatchestie_catalog for resource discovery, tie_request for raw calls to any endpoint, and tie_resource_action for generic CRUD.

How it works

The server wraps the TIE REST API and authenticates with the X-API-Key header (TIE_URL / TIE_API_KEY via environment or CLI flags). It runs over stdio for Claude Desktop / Claude Code, or as an SSE/HTTP network service. Time-aware tools accept a relative hours=N window or explicit UTC date_start/date_end. IoE/IoA data is profile-scoped, so tools take an explicit profile_id. By default, deviance and object results are slimmed (descriptions rendered from templates, oversized attribute values dropped); pass verbose=true for the full raw payload.