Binalyze AIR MCP Server
A Node.js server implementing Model Context Protocol (MCP) for Binalyze AIR, enabling natural language interaction with AIR's digital forensics and incident response capabilities.
✨ Features
- Asset Management - List assets in your organization.
- Asset Details - Get detailed information about a specific asset by its ID.
- Asset Tasks - Get all tasks associated with a specific asset by its ID.
- Acquisition Profiles - List acquisition profiles.
- Acquisition Tasks - Assign evidence acquisition tasks to endpoints.
- Image Acquisition Tasks - Assign disk image acquisition tasks to endpoints.
- Baseline Acquisition - Acquire baseline data from specific endpoints to establish a reference point.
- Compare Baseline - Compare multiple baseline acquisition tasks for a specific endpoint to identify changes.
- Get Comparison Report - Retrieve comparison result report for a specific endpoint and task.
- Create Acquisition Profiles - Create new acquisition profiles with specific evidence/artifact/network settings.
- Acquisition Artifacts - List available artifacts for evidence collection.
- Acquisition Evidences - List available evidence items for forensic data collection.
- Reboot Tasks - Assign reboot tasks to specific endpoints.
- Shutdown Tasks - Assign shutdown tasks to specific endpoints.
- Isolation Tasks - Isolate or unisolate specific endpoints.
- Log Retrieval Tasks - Retrieve logs from specific endpoints.
- Version Update Tasks - Assign version update tasks to specific endpoints.
- Organization Management - List organizations.
- Case Management - List cases in your organization.
- Policy Management - List, create, update, and delete security and collection policies in your organization.
- Task Management - Track forensic collection tasks and their statuses.
- Triage Rules - View YARA, osquery and Sigma rules for threat detection.
- User Management - List users in your organization.
- Drone Analyzers - View available drone analyzers with supported operating systems.
- Audit Log Export - Initiate an export of audit logs.
- List Audit Logs - View audit logs from the system.
- Uninstall Assets - Uninstall specific assets based on filters without purging data.
- Purge and Uninstall Assets - Purge data and uninstall specific assets based on filters.
- Add Tags to Assets - Add tags to specific assets based on filters.
- Remove Tags from Assets - Remove tags from specific assets based on filters.
- Auto Asset Tagging - Create and update rules to automatically tag assets based on specific conditions.
- List Auto Asset Tags - List all existing auto asset tag rules.
- Get Auto Asset Tag Details - Get detailed information about a specific auto asset tag rule by its ID.
- Delete Auto Asset Tag - Delete a specific auto asset tag rule by its ID.
- Start Auto Tagging - Initiate the auto tagging process for assets that match specific filter criteria.
- E-Discovery Patterns - List available e-discovery patterns for detecting different file types.
- Policy Match Statistics - See which policies apply to your assets based on various criteria.
- Task Assignment Management - View and manage task assignments.
Overview
This MCP server creates a bridge between Large Language Models (LLMs) and Binalyze AIR, allowing interaction through natural language. Retrieve information about your digital forensics environment, and assign tasks to endpoints, without writing code or learning the AIR API. Note that the tools are not read-only: the same bridge that lists assets can isolate, shut down, reboot, uninstall or purge them, so the LLM's reading of a prompt is what reaches AIR.
🔑 API Token Requirement
Important: An API token is required for authentication. Set it using the `AIR_API_TOKEN` environment variable.

Treat the token as a secret. It authorizes every tool this server exposes, including the destructive ones (isolate, shutdown, reboot, uninstall, purge, and policy or task deletion), so issue it with the least privilege AIR allows for the tools you actually need, keep it out of version control and out of shared MCP client configuration files, and rotate it if it is exposed.
📦 Installation
Local Development
Usage with Claude Desktop
Add the following configuration to your Claude Desktop config file:
Usage with Cursor
- Navigate to Cursor Settings > MCP
- Add new MCP server with the following configuration:
🧩 Usage with Smithery
Note: Don't forget to activate Agent mode in your editor.
One-Line Installation Commands
Claude
Cursor
Windsurf
VSCode
Or use the Magic Link option in VSCode.
How to Use
In Claude Desktop, or any other MCP client, you can use natural language commands such as:

| Command | Description |
|---|---|
| List all assets in the system | Shows all managed/unmanaged endpoints with OS and platform info |
| Get details about asset with ID "abc123" | Displays detailed information about a specific asset |
| Get tasks for asset with ID "abc123" | Shows all tasks associated with a specific asset |
| List all acquisition profiles | Displays available acquisition profiles |
| Get acquisition profile details by ID | Shows detailed information about a specific acquisition profile, including evidence and artifacts |
| List all acquisition artifacts | Shows all available artifacts for evidence collection, organized by platform and category |
| List all acquisition evidences | Shows all available evidence items for forensic data collection, organized by platform and category |
| Assign an acquisition task to endpoint 123abc using profile "full" for case "C-2022-0001" | Assigns an evidence acquisition task to the specified endpoint(s) |
| Assign an image acquisition task to endpoint 123abc for volume /dev/sda1 saving to repository 456def | Assigns a disk image acquisition task to a specific endpoint and volume, saving to the specified repository |
| Create an acquisition profile named "My Custom Profile" with windows evidence ["clp"] and linux artifact ["apcl"] | Creates a new acquisition profile with the specified configuration |
| Reboot endpoint 123abc | Assigns a reboot task to a specific endpoint |
| Shutdown endpoint 123abc | Assigns a shutdown task to a specific endpoint |
| Isolate endpoint 123abc | Assigns an isolation task to a specific endpoint |
| Unisolate endpoint 123abc | Removes isolation from a specific endpoint |
| Retrieve logs from endpoint 123abc | Assigns a log retrieval task to a specific endpoint |
| Update version for endpoint 123abc | Assigns a version update task to a specific endpoint |
| List all organizations | Shows all organizations in the environment |
| List all cases | Displays cases with status and creation time |
| List all policies | Shows security policies and collection policies |
| List all tasks | Lists all tasks with their statuses |
| List all triage rules | Shows YARA, osquery and Sigma rules for threat detection |
| List all users | Shows all users in the system with their details |
| List all drone analyzers | Shows available drone analyzers with supported operating systems |
| Export audit logs | Initiates the export of audit logs; the export runs in the background on the AIR server |
| List audit logs | Shows audit logs with details like timestamp, user, action and entity |
| Uninstall asset with ID "endpoint-id" | Uninstalls the specified asset without purging data (requires `filter.includedEndpointIds`) |
| Purge and uninstall asset with ID "endpoint-id" | Purges data and uninstalls the specified asset (requires `filter.includedEndpointIds`) |
| Add tags ["tag1", "tag2"] to asset with ID "endpoint-id" | Adds the specified tags to the targeted asset(s) (requires `filter.includedEndpointIds` and `tags`) |
| Remove tags ["tag1"] from asset with ID "endpoint-id" | Removes the specified tags from the targeted asset(s) (requires `filter.includedEndpointIds` and `tags`) |
| Create an auto asset tag named "Web Server" | Creates a new rule to automatically tag assets based on conditions |
| Update auto asset tag "fkkEPhpqMNqJeHfi4RyxiWEm" to have tag name "Updated Container" with linux process "containerd" running | Updates an existing auto asset tag rule with new conditions |
| List all auto asset tag rules | Lists all existing auto asset tag rules with their configurations |
| Get auto asset tag with ID "f6kEPhpqMNqJeHfi4RyxiWEm" | Shows detailed information about a specific auto asset tag rule |
| Delete auto asset tag with ID "f6kEPhpqMNqJeHfi4RyxiWEm" | Deletes a specific auto asset tag rule by its ID |
| Start auto tagging for windows machines | Initiates the auto tagging process for Windows assets matching the specified criteria |
| Acquire baseline for case "C-2022-001" from endpoints ["id1", "id2"] | Acquires baseline data from the specified endpoints for the given case ID |
| Compare baselines for endpoint "id1" with task IDs ["task1", "task2"] | Compares multiple baseline acquisition tasks for a specific endpoint to identify changes |
| Get comparison report for endpoint "id1" and task "task1" | Retrieves the comparison result report for a specific endpoint and comparison task |
| List all e-discovery patterns | Shows all available e-discovery patterns for file type detection |
| Create a policy named "Production Policy" with specific storage settings | Creates a new policy with custom settings |
| Update policy with ID "abc123" | Updates an existing policy with new settings |
| Get policy details for ID "System" | Displays detailed information about a specific policy |
| Update policy priorities to ["policy1", "policy2", "policy3"] | Updates the order in which policies are applied |
| Show policy match statistics | Shows how many endpoints match each policy |
| Get policy distribution for Windows endpoints | Shows policy matches filtered by platform |
| Get policy match stats for offline endpoints | Shows policy matches for offline assets |
| Delete policy with ID "abc123" | Permanently removes a policy from the system |
| Get all assignments for task with ID "def456" | Shows all assignments associated with a specific task |
| Cancel task assignment with ID "xyz789" | Cancels a specific task assignment |
| Delete task assignment with ID "xyz789" | Permanently removes a task assignment |
| Get details about task with ID "40a9dc46-d401-4bd1-82d3-ca9cf97c9024" | Displays detailed information about a specific task, including evidence types and configuration |
| Cancel task with ID "abc123" | Cancels a running task with the specified ID |
| Delete task with ID "abc123" | Permanently deletes a specific task |
Viewing Acquisition Artifacts
You can list all available acquisition artifacts for evidence collection:
This will display a categorized list of artifacts that can be collected during an acquisition task, organized by platform (Windows, Linux, macOS, etc.) and group categories (Server, Communication, Cloud, etc.).
Viewing Acquisition Evidences
You can list all available evidence items for forensic data collection:
This will display a categorized list of evidence items that can be collected during a forensic investigation, organized by platform (Windows, Linux, macOS, etc.) and group categories (System, Network, Memory, etc.).
Viewing E-Discovery Patterns
You can list all available e-discovery patterns for file type detection:
Filtering by Organization
You can filter results by organization ID:
Getting Asset Details
You can retrieve detailed information about a specific asset:
Getting Asset Tasks
You can retrieve all tasks associated with a specific asset:
Assigning Acquisition Tasks
You can assign evidence acquisition tasks to specific endpoints:
Assigning Image Acquisition Tasks
You can assign disk image acquisition tasks to specific endpoints and volumes:
Assigning Reboot Tasks
You can assign reboot tasks to specific endpoints:
Assigning Shutdown Tasks
You can assign shutdown tasks to specific endpoints:
Assigning Isolation Tasks
You can isolate or unisolate specific endpoints:
Assigning Log Retrieval Tasks
You can retrieve logs from specific endpoints:
Note: Always specify the organization ID when assigning log retrieval tasks. The endpoint must exist in the specified organization.
Assigning Version Update Tasks
You can assign version update tasks to specific endpoints:
Uninstalling Assets
You can uninstall assets without purging their data using filters. You must specify the exact IDs of the assets to uninstall via `filter.includedEndpointIds`.
Purging and Uninstalling Assets
You can purge asset data and uninstall assets using filters. You must specify the exact IDs of the assets to purge and uninstall via `filter.includedEndpointIds`.
Adding Tags to Assets
You can add tags to specific assets using filters. You must specify the exact IDs of the assets to add tags to via `filter.includedEndpointIds` and provide at least one tag in the `tags` array.
Removing Tags from Assets
You can remove tags from specific assets using filters. You must specify the exact IDs of the assets to remove tags from via `filter.includedEndpointIds` and provide at least one tag in the `tags` array.
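The four sections above (uninstall, purge and uninstall, add tags, remove tags) all share one rule: the request must name the exact endpoints in `filter.includedEndpointIds`, and the tagging tools must also carry a non-empty `tags` array. Because these calls are assembled by an LLM from a prompt, the place that matters is the check that refuses a request without an explicit target list, so that "uninstall all Windows assets" cannot reach AIR as a platform-only filter. The following is an added example of such a fail-closed guard in plain Node.js; it is not code from the Binalyze AIR MCP Server project. The field names `filter.includedEndpointIds` and `tags` come from this page; the tool names, the cap on how many endpoints one call may target, and the shape of the request object are assumptions made for illustration.

```javascript
// Added example, not the project's own code: fail-closed validation for the
// asset-filter tools. Field names follow the README; tool names, MAX_TARGETS
// and the request shape are assumptions.

// Assumed safety cap on how many endpoints one LLM-initiated call may touch.
const MAX_TARGETS = 50;

const TOOLS_NEEDING_TAGS = new Set(["addTags", "removeTags"]);
const KNOWN_TOOLS = new Set(["uninstall", "purgeAndUninstall", ...TOOLS_NEEDING_TAGS]);

// Returns a trimmed, de-duplicated copy of a non-empty array of non-blank
// strings, or null when the value does not have that shape.
function cleanStringList(value) {
  if (!Array.isArray(value) || value.length === 0) return null;
  const out = [];
  for (const item of value) {
    if (typeof item !== "string" || item.trim() === "") return null;
    const s = item.trim();
    if (!out.includes(s)) out.push(s);
  }
  return out;
}

/**
 * Validate and normalize a request for one of the asset-filter tools.
 * Returns { ok: true, value } with the request that may be forwarded to AIR,
 * or { ok: false, errors } describing why it was refused. A request with no
 * explicit endpoint list is rejected, never "fixed" by widening the filter.
 */
function validateAssetFilterRequest(tool, input) {
  if (!KNOWN_TOOLS.has(tool)) {
    return { ok: false, errors: [`unknown tool: ${tool}`] };
  }
  const errors = [];
  const filter = input && typeof input.filter === "object" ? input.filter : null;
  if (!filter) errors.push("filter is required");

  const ids = filter ? cleanStringList(filter.includedEndpointIds) : null;
  if (filter && !ids) {
    errors.push("filter.includedEndpointIds must be a non-empty array of endpoint IDs");
  } else if (ids && ids.length > MAX_TARGETS) {
    errors.push(`refusing to target ${ids.length} endpoints in one call (cap ${MAX_TARGETS})`);
  }

  let tags = null;
  if (TOOLS_NEEDING_TAGS.has(tool)) {
    tags = cleanStringList(input && input.tags);
    if (!tags) errors.push("tags must be a non-empty array of tag names");
  }

  if (errors.length > 0) return { ok: false, errors };

  // Only the explicit endpoint list is forwarded; any broader selector the
  // model added to the filter (platform, tags, ...) is dropped, not passed on.
  const value = { filter: { includedEndpointIds: ids } };
  if (tags) value.tags = tags;
  return { ok: true, value };
}

// Constructed sample requests, shaped like what an MCP client might produce.
const accepted = validateAssetFilterRequest("uninstall", {
  filter: { includedEndpointIds: ["abc123", " abc123 "], platform: "windows" },
});
const rejected = validateAssetFilterRequest("purgeAndUninstall", {
  filter: { platform: "windows" }, // no explicit endpoint list: must not run
});
console.log(JSON.stringify({ accepted, rejected }, null, 2));
```

Wire a check like this in front of every tool that takes a `filter`, before the HTTP call to AIR is built, and log the refused request (without the token) so that an over-broad prompt shows up in your own audit trail as well as in AIR's.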
Creating Auto Asset Tag Rules
You can define rules to automatically tag assets based on conditions across different operating systems. Describe the tag name and the conditions for Linux, Windows, and macOS.
Getting Auto Asset Tag Details
You can retrieve detailed information about a specific auto asset tag rule by its ID:
Deleting Auto Asset Tag
You can delete an auto asset tag rule by its ID:
Listing Auto Asset Tag Rules
You can list all configured auto asset tag rules to see their IDs, tags, and conditions.
Starting Auto Asset Tagging Process
You can initiate the auto tagging process for assets that match specific filter criteria.
Acquiring Baseline
You can acquire baseline data from specific endpoints by providing a case ID and filter criteria. Baselines establish a reference point for comparison in forensic investigations.
Comparing Baseline Acquisition Tasks
You can compare multiple baseline acquisition tasks for a specific endpoint to identify changes over time or between different system states:
Getting Comparison Report
You can retrieve the comparison result report for a specific endpoint and comparison task:
Creating Policies
You can create new policies with specific storage, compression, and security settings:
Viewing Task Assignments
You can check the status of task assignments: