# Live Network Events
Subscribe to real-time network telemetry from every device, connection, and session in your Threatmatic fleet.
The events resource streams live network telemetry from the Threatmatic platform. Every connection attempt, policy decision, anomaly detection, and device state change is emitted as a structured event the moment it occurs.
An AI assistant subscribed to this stream has the same real-time visibility as the Threatmatic operations console — and can act on what it sees using the Policy Action tools.
## Resource

`resource: threatmatic://events`

Subscribe via MCP resource subscription, or use the `get_events` tool for a bounded query.
## Tools

### get_events

Fetch a paginated window of recent events, with optional filters.

```json
{
"name": "get_events",
"description": "Fetch recent network events from the Threatmatic platform.",
"inputSchema": {
"type": "object",
"properties": {
"limit": {
"type": "integer",
"description": "Number of events to return (max 500, default 50)"
},
"since": {
"type": "string",
"description": "ISO 8601 timestamp — return events after this time"
},
"device_id": {
"type": "string",
"description": "Filter to events from a specific device"
},
"user_id": {
"type": "string",
"description": "Filter to events associated with a specific user identity"
},
"event_type": {
"type": "string",
"enum": ["connection", "policy_decision", "anomaly", "device_state", "incident"],
"description": "Filter to a specific event category"
},
"severity": {
"type": "string",
"enum": ["info", "low", "medium", "high", "critical"],
"description": "Minimum severity threshold"
}
}
}
}
```

### subscribe_events

Open a persistent stream that pushes events to the AI as they arrive. Use this in long-running agents or monitoring workflows.

```json
{
"name": "subscribe_events",
"description": "Subscribe to a live stream of network events. Returns a stream handle.",
"inputSchema": {
"type": "object",
"properties": {
"filters": {
"type": "object",
"description": "Same filter options as get_events"
}
}
}
}
```

## Event Schema

Every event shares a common envelope:

```json
{
"id": "evt_01HWXK9M3J4P5Q6R7S8T9UV0W",
"type": "policy_decision",
"timestamp": "2026-05-21T09:14:32.441Z",
"severity": "high",
"tenant_id": "tnt_acmecorp",
"data": { ... }
}
```

## Event Types

### connection

Emitted for every network connection attempt — permitted or blocked.

```json
{
"type": "connection",
"data": {
"source": {
"device_id": "dev_badge_reader_lobby_01",
"device_type": "badge_reader",
"user_id": null
},
"destination": {
"ip": "10.0.1.44",
"port": 443,
"hostname": "acs.acmecorp.internal",
"app_id": "access_control_server"
},
"outcome": "permitted",
"policy_id": "pol_badge_reader_acs_only",
"bytes_sent": 1240,
"duration_ms": 48
}
}
```

### policy_decision

Emitted when the policy engine evaluates and acts on a connection or session.

```json
{
"type": "policy_decision",
"severity": "high",
"data": {
"decision": "blocked",
"reason": "destination_not_in_allowlist",
"device_id": "dev_camera_floor3_east",
"destination_ip": "185.234.47.21",
"destination_reputation": "known_c2",
"policy_id": "pol_camera_mgmt_only",
"triggered_rule": "block_unknown_destinations"
}
}
```

### anomaly

Emitted when a device or user deviates from its established behavioral baseline.

```json
{
"type": "anomaly",
"severity": "critical",
"data": {
"device_id": "dev_workstation_sarah_k",
"anomaly_type": "lateral_movement_attempt",
"description": "Device attempting connections to 14 internal hosts not in its baseline",
"baseline_connections_per_hour": 3,
"observed_connections_per_hour": 47,
"confidence": 0.97,
"recommended_action": "isolate"
}
}
```

### device_state

Emitted when a device's enrollment status, trust level, or connectivity changes.

```json
{
"type": "device_state",
"data": {
"device_id": "dev_sensor_hvac_b2",
"previous_state": "active",
"current_state": "offline",
"offline_duration_seconds": 0,
"expected_offline": false,
"last_seen": "2026-05-21T08:59:11.002Z"
}
}
```

### incident

Emitted when the platform opens, updates, or closes an incident.

```json
{
"type": "incident",
"severity": "critical",
"data": {
"incident_id": "inc_01HWXK9M",
"status": "opened",
"title": "Ransomware lateral movement — finance segment",
"affected_devices": ["dev_workstation_sarah_k", "dev_workstation_bob_t"],
"attack_pattern": "APT-44",
"ioc_matches": 847,
"recommended_actions": ["isolate_user", "block_c2_destinations"]
}
}
```

## Example: Agent Monitoring for Anomalies

```javascript
const client = new MCPClient({ server: "threatmatic" });
// Subscribe to high-severity anomalies only
const stream = await client.callTool("subscribe_events", {
filters: { event_type: "anomaly", severity: "high" },
});
for await (const event of stream) {
if (event.data.recommended_action === "isolate") {
// Hand off to policy tool
await client.callTool("isolate_device", {
device_id: event.data.device_id,
reason: event.data.description,
});
}
}
```

## Audit and Retention
All events are stored with cryptographic integrity — each entry is chained to the previous, making retroactive tampering detectable. Events are retained for 90 days by default; extended retention is available on Enterprise plans.
Every MCP tool call that reads or acts on events is attributed to the API key and recorded in the audit log alongside the original event.
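The filter options shared by `get_events` and `subscribe_events` (severity as a minimum threshold, `since` as strictly after, `limit` with default 50 and max 500, `device_id` resolved per event type) can also be applied client-side, for example to a local replay buffer before handing events to the agent loop above. The following is an added example, not Threatmatic's own code; the function names are assumed, the event shapes follow the samples in the event-type section, and the sample events are constructed.

```javascript
// Added example, not Threatmatic's code: a client-side replica of the get_events
// filter semantics. Severity is a minimum threshold ordered by the tool's enum,
// "since" means strictly after, and limit follows the documented default 50 / max 500.
const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Which device ids an event refers to depends on its type (per the documented samples):
// connection -> data.source.device_id, incident -> data.affected_devices, else data.device_id.
function eventDeviceIds(event) {
  const d = event.data || {};
  if (event.type === "connection") return d.source?.device_id ? [d.source.device_id] : [];
  if (event.type === "incident") return Array.isArray(d.affected_devices) ? d.affected_devices : [];
  return d.device_id ? [d.device_id] : [];
}

function matchesFilters(event, filters = {}) {
  if (filters.event_type && event.type !== filters.event_type) return false;
  if (filters.severity) {
    const min = SEVERITY_RANK[filters.severity];
    const got = SEVERITY_RANK[event.severity];
    // Fail closed: an unknown severity on either side never passes a threshold.
    if (min === undefined || got === undefined || got < min) return false;
  }
  // Date.parse of a missing/malformed timestamp is NaN, so the comparison excludes it.
  if (filters.since && !(Date.parse(event.timestamp) > Date.parse(filters.since))) return false;
  if (filters.device_id && !eventDeviceIds(event).includes(filters.device_id)) return false;
  // user_id: only connection events carry one (data.source.user_id) in the documented samples.
  if (filters.user_id && event.data?.source?.user_id !== filters.user_id) return false;
  return true;
}

function filterEvents(events, filters = {}) {
  const limit = Math.min(Math.max(filters.limit ?? 50, 1), 500);
  return events.filter((e) => matchesFilters(e, filters)).slice(0, limit);
}

// Constructed sample events: trimmed copies of the documented event-type samples.
const SAMPLE_EVENTS = [
  { id: "evt_1", type: "connection", timestamp: "2026-05-21T09:10:00.000Z", severity: "info",
    data: { source: { device_id: "dev_badge_reader_lobby_01", user_id: null }, outcome: "permitted" } },
  { id: "evt_2", type: "policy_decision", timestamp: "2026-05-21T09:12:00.000Z", severity: "high",
    data: { decision: "blocked", device_id: "dev_camera_floor3_east" } },
  { id: "evt_3", type: "anomaly", timestamp: "2026-05-21T09:14:32.441Z", severity: "critical",
    data: { device_id: "dev_workstation_sarah_k", recommended_action: "isolate" } },
  { id: "evt_4", type: "incident", timestamp: "2026-05-21T09:15:00.000Z", severity: "critical",
    data: { affected_devices: ["dev_workstation_sarah_k", "dev_workstation_bob_t"] } },
];
```

Note that a `severity: "high"` filter, as used in the agent example, also passes `critical` events, because severity is a floor rather than an exact match.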