Skip to main content
Connect a remote MCP server and investigations can call the tools it exposes to pull in context from systems unique to your stack. MCP, the Model Context Protocol, is an open standard for exposing tools and data to AI systems over a single connection.
MCP servers are connected directly, with their own endpoint and credentials. There’s no provider route. See How telemetry works for how investigations decide when to reach for a connected source.

What we support

When you connect a server, its tools are discovered automatically — each one’s name, description, and the arguments it accepts. During an incident, investigations pick the tools that look relevant to what they’re trying to understand, construct the arguments from the context they have, call them, and read the results back. If your server provides its own instructions on how to be used, those are captured too and used to steer how its tools are called.

You choose which tools investigations can call

A connected server might expose more tools than you want reachable during an incident, and some may make changes rather than read. You keep an allowlist: only the tools you enable can be called. A request to any tool that isn’t on the allowlist is rejected before it ever reaches your server, so enabling read-only tools and leaving the rest off means there’s nothing an investigation can change.

Connecting an MCP server

Connect your server directly with its endpoint, an auth token, and the tools you want to allow.
  1. From the Investigations settings, add a telemetry data source and choose MCP server.
  2. Configure the connection:
    • Server endpoint: the URL of your remote MCP server.
    • Authentication: a bearer token, or OAuth for servers that support it.
  3. Test the connection. The server’s tools are discovered, and you choose which ones investigations may call.
  4. Review the allowlist and save the connection.
Once connected, the MCP server is available to investigations straight away, limited to the tools on your allowlist. You can disable it at any time.

Best practice

  • Allowlist only the tools that read data. Investigations never need to make changes, so leave anything that writes turned off.
  • Make sure each tool’s description and arguments are clear on your server. Investigations rely on them to decide which tool to call and how, the same way a person reading the tool list would.

Telemetry overview

How providers and data sources fit together.

How telemetry works

How investigations decide what to query and when.