The Binalyze AIR MCP Server enables natural language interaction with Binalyze AIR for digital forensics and incident response tasks. Key capabilities include:
Enables querying and managing Linux-based endpoints in the Binalyze AIR forensics platform through natural language interactions.
Allows for management and forensic analysis of macOS endpoints within the Binalyze AIR platform through natural language queries.
Serves as the runtime environment for the MCP server, allowing the server to connect Binalyze AIR's digital forensics capabilities with language models.
A Node.js server implementing Model Context Protocol (MCP) for Binalyze AIR, enabling natural language interaction with AIR's digital forensics and incident response capabilities.
This MCP server creates a bridge between Large Language Models (LLMs) and Binalyze AIR, allowing interaction through natural language. Retrieve information about your digital forensics environment without writing code or learning complex APIs.
Important: An API token is required for authentication. Set it using the
AIR_API_TOKENenvironment variable.
Add the following configuration to your Claude Desktop config file:
Note: Don't forget to activate Agent mode in your editor.
Or use the Magic Link option in VSCode.
In Claude Desktop, or any MCP Client, you can use natural language commands:
| Command | Description |
|---|---|
List all assets in the system | Shows all managed/unmanaged endpoints with OS, platform info |
Get details about asset with ID "abc123" | Displays detailed information about a specific asset |
Get tasks for asset with ID "abc123" | Shows all tasks associated with a specific asset |
List all acquisition profiles | Displays available acquisition profiles |
Get acquisition profile details by ID | Shows detailed information about a specific acquisition profile, including evidence and artifacts |
List all acquisition artifacts | Shows all available artifacts for evidence collection, organized by platform and category |
List all acquisition evidences | Shows all available evidence items for forensic data collection, organized by platform and category |
Assign an acquisition task to endpoint 123abc using profile "full" for case "C-2022-0001" | Assigns an evidence acquisition task to specified endpoint(s) |
Assign an image acquisition task to endpoint 123abc for volume /dev/sda1 saving to repository 456def | Assigns a disk image acquisition task to a specific endpoint and volume, saving to a specified repository |
Create an acquisition profile named "My Custom Profile" with windows evidence ["clp"] and linux artifact ["apcl"] | Creates a new acquisition profile with the specified configuration |
Reboot endpoint 123abc | Assigns a reboot task to a specific endpoint |
Shutdown endpoint 123abc | Assigns a shutdown task to a specific endpoint |
Isolate endpoint 123abc | Assigns an isolation task to a specific endpoint |
Unisolate endpoint 123abc | Removes isolation from a specific endpoint |
Retrieve logs from endpoint 123abc | Assigns a log retrieval task to a specific endpoint |
Update version for endpoint 123abc | Assigns a version update task to a specific endpoint |
List all organizations | Shows all organizations in environments |
List all cases | Displays cases with status and creation time |
List all policies | Shows security policies and collection policies |
List all tasks | Lists all tasks with their statuses |
List all triage rules | Shows YARA, OSQuery and Sigma rules for threat detection |
List all users | Shows all users in the system with their details |
Get user by ID | Retrieves the details of a specific user by their ID |
List all drone analyzers | Shows available drone analyzers with supported operating systems |
Export audit logs | Initiates the export of audit logs. The export runs in the background on the AIR server. |
List audit logs | Shows audit logs with details like timestamp, user, action, entity |
Uninstall asset with ID "endpoint-id" | Uninstalls the specified asset without purging data (requires providing filter.includedEndpointIds) |
Purge and uninstall asset with ID "endpoint-id" | Purges data and uninstalls the specified asset (requires providing filter.includedEndpointIds) |
Add tags ["tag1", "tag2"] to asset with ID "endpoint-id" | Adds specified tags to the targeted asset(s) (requires providing filter.includedEndpointIds and tags) |
Remove tags ["tag1"] from asset with ID "endpoint-id" | Removes specified tags from the targeted asset(s) (requires providing filter.includedEndpointIds and tags) |
Create an auto asset tag named "Web Server" | Creates a new rule to automatically tag assets based on conditions. |
Update auto asset tag "fkkEPhpqMNqJeHfi4RyxiWEm" to have tag name "Updated Container" with linux process "containerd" running | Updates an existing auto asset tag rule with new conditions. |
List all auto asset tag rules | Lists all existing auto asset tag rules with their configurations. |
Get auto asset tag with ID "f6kEPhpqMNqJeHfi4RyxiWEm" | Shows detailed information about a specific auto asset tag rule. |
Delete auto asset tag with ID "f6kEPhpqMNqJeHfi4RyxiWEm" | Deletes a specific auto asset tag rule by its ID. |
Start auto tagging for windows machines | Initiates the auto tagging process for Windows assets matching specified criteria. |
Acquire baseline for case "C-2022-001" from endpoints ["id1", "id2"] | Acquires baseline data from specified endpoints for a given case ID. |
Compare baselines for endpoint "id1" with task IDs ["task1", "task2"] | Compares multiple baseline acquisition tasks for a specific endpoint to identify changes. |
Get comparison report for endpoint "id1" and task "task1" | Retrieves the comparison result report for a specific endpoint and comparison task. |
List all e-discovery patterns | Shows all available e-discovery patterns for file type detection |
Create a policy named "Production Policy" with specific storage settings | Creates a new policy with custom settings |
Update policy with ID "abc123" | Updates an existing policy with new settings |
Get policy details for ID "System" | Displays detailed information about a specific policy |
Update policy priorities to ["policy1", "policy2", "policy3"] | Updates the order of policy application |
Show policy match statistics | Shows how many endpoints match each policy |
Get policy distribution for Windows endpoints | Shows policy matches filtered by platform |
Get policy match stats for offline endpoints | Shows policy matches for offline assets |
Delete policy with ID "abc123" | Permanently removes a policy from the system |
Get all assignments for task with ID "def456" | Shows all assignments associated with a specific task |
Cancel task assignment with ID "xyz789" | Cancels a specific task assignment |
Delete task assignment with ID "xyz789" | Permanently removes a task assignment |
Get details about task with ID "40a9dc46-d401-4bd1-82d3-ca9cf97c9024" | Displays detailed information about a specific task including evidence types and configuration |
Cancel task with ID "abc123" | Cancels a running task with the specified ID |
Delete task with ID "abc123" | Permanently deletes a specific task |
Create triage rule named "My Rule" | Creates a new triage rule |
List all triage tags | You can work with triage rules and their associated tags |
Create triage tag named "My Tag" | Creates a new triage tag |
Update triage rule with ID "abc123" | Updates an existing triage rule |
Delete triage rule with ID "abc123" | Permanently removes a triage rule |
Get triage rule with ID "abc123" | Retrieves the details of a specific triage rule |
Validate triage rule syntax | Validates a triage rule syntax without creating it |
Assign triage task to endpoints with IDs ["id1", "id2"] | Assigns a triage task to endpoints based on filter criteria |
Add note to case with ID "C-2022-0002" | Adds a note to a specific case by its ID |
Update note with ID "8d9baa16-9aa3-4e4f-a08e-a74341ce2f90" in case "C-2022-0002" | Updates an existing note in a specific case |
Delete note with ID "8d9baa16-9aa3-4e4f-a08e-a74341ce2f90" from case "C-2022-0002" | Deletes a specific note from a case by its ID |
Export cases data | Initiates an export of cases data for your organization |
Export notes for case with ID "case123" | Initiates an export of notes for a specific case by its ID |
Export endpoints for case with ID "case123" | Initiates an export of endpoints for a specific case by its ID |
Export activities for case with ID "case123" | Initiates an export of activities for a specific case by its ID |
Create a new case named "Incident Response" | Creates a new case in the system |
Update case with ID "C-2022-0003" to have name "Updated Case" | Updates an existing case by ID |
Get case with ID "C-2022-0003" | Retrieves the details of a specific case by its ID |
Close case with ID "C-2022-0003" | Closes a specific case by its ID |
Open case with ID "C-2022-0003" | Opens a specific case by its ID |
Archive case with ID "C-2022-0003" | Archives a specific case by its ID |
Change case owner with ID "C-2022-0003" to user with ID "user123" | Changes the owner of a specific case by its ID |
Check if case name "Incident 2023-05" is available | Checks if a case name is already in use |
Get case activities for case with ID "C-2022-0003" | Displays the activity history for a specific case by its ID |
Get endpoints for case with ID "C-2022-0001" | Retrieves all endpoints associated with a specific case by its ID |
Get tasks for case with ID "C-2022-0001" | Displays all tasks associated with the specified case |
Get users for case with ID "C-2022-0001" | Retrieves all users associated with a specific case by its ID |
Remove endpoints from case with ID "C-2022-0001" | Removes endpoints from a case based on specified filters |
Remove task assignment with ID "f04666c9-62c7-4cb0-8638-967f05eb7936" from case "C-2022-0001" | Removes a specific task assignment from a case |
Import task assignments to case with ID "C-2022-0001" | Imports task assignments to a specific case |
List repositories | Lists all evidence repositories in the organization |
Create SMB repository with name "My SMB Repository" | Creates a new SMB evidence repository with specified credentials |
Update SMB repository with ID "abc123" | Updates an existing SMB repository's configuration |
Create SFTP repository with name "My SFTP Repository" | Creates a new SFTP evidence repository with specified credentials |
Update SFTP repository with ID "abc123" | Updates an existing SFTP repository's configuration |
Validate FTPS repository configuration | Tests if a FTPS repository configuration is valid without creating it |
Create Azure Storage repository with name "My Azure Storage Repository" | Creates a new Azure Storage evidence repository with specified credentials |
Update Azure Storage repository with ID "abc123" | Updates an existing Azure Storage repository's configuration |
Validate Azure Storage repository with SAS URL | Checks if the provided SAS URL is valid for Azure Storage access |
Create a new Amazon S3 repository | Sets up a new S3 bucket as an evidence repository |
Update Amazon S3 repository with ID "abc123" | Modifies an existing S3 repository configuration |
Validate Amazon S3 repository configuration | Checks if S3 credentials and bucket are valid |
Get details about repository with ID "abc123" | Displays detailed information about a specific evidence repository |
Delete repository with ID "abc123" | Deletes a specific evidence repository |
Download PPC file for endpoint "ep-1" and task "task-1" | Downloads a PPC file for the specified endpoint and task |
Download task report for endpoint "123" and task "456" | Downloads a task report for the specified endpoint and task |
Get report file information for endpoint "123" and task "456" | Retrieves information about a PPC file for a specific endpoint and task |
Get users for organization with ID "2" | Displays all users belonging to the specified organization |
Assign users with IDs ["user1", "user2"] to organization "123" | Assigns users to the specified organization |
Remove user with ID "user1" from organization "123" | Removes a user from the specified organization |
Create organization with name "My Organization" and contact information | Creates a new organization with the specified name and contact information |
Update organization with ID "123" | Updates an existing organization with new settings |
Get details about organization with ID 2 | Displays detailed information about a specific organization |
Check if organization name "My Organization" already exists | Checks if an organization name is already in use |
Get shareable deployment information using deployment token "token123" | Retrieves information about a shareable deployment using a deployment token |
Update organization shareable deployment with ID "123" to be enabled | Updates an organization's shareable deployment settings |
Update deployment token for organization with ID 2 | Updates the deployment token for a specific organization |
Delete organization with ID "123" | Permanently removes an organization from the system |
Add tags to organization with ID "123" | Adds tags to an organization |
Delete tags ["tag1", "tag2" ] from organization with ID "123" | Removes tags from an organization |
Call webhook with slug "air-generic-url-webhook" and data "192.168.1.100" and token "token123" | Calls a webhook with the specified parameters |
Post data to webhook with slug "air-generic-url-webhook" | Sends a POST request to a webhook with provided data |
Get task assignments for task with ID "task123" | Retrieves all assignments for a specific task by its ID |
Update banner message | Updates the system banner message settings |
You must be authenticated.
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.
A Node.js server implementing Model Context Protocol (MCP) that enables natural language interaction with Binalyze AIR's digital forensics and incident response capabilities.
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/binalyze/air-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server