Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| No arguments | | | |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| list_assets | List all assets in the system |
| get_asset_by_id | Get detailed information about a specific asset by its ID |
| get_asset_tasks_by_id | Get all tasks associated with a specific asset by its ID |
| list_acquisition_profiles | List all acquisition profiles in the system |
| assign_acquisition_task | Assign an evidence acquisition task to specific endpoints |
| get_acquisition_profile_by_id | Get details of a specific acquisition profile by its ID |
| assign_image_acquisition_task | Assign a disk image acquisition task to specific endpoints and volumes |
| create_acquisition_profile | Create a new acquisition profile |
| assign_reboot_task | Assign a reboot task to specific endpoints |
| assign_shutdown_task | Assign a shutdown task to specific endpoints |
| assign_isolation_task | Assign an isolation task to specific endpoints |
| assign_log_retrieval_task | Assign a log retrieval task to specific endpoints |
| assign_version_update_task | Assign a version update task to specific endpoints |
| list_organizations | List all organizations in the system |
| list_cases | List all cases in the system |
| list_policies | List all policies in the system |
| list_tasks | List all tasks in the system |
| list_triage_rules | List all triage rules in the system |
| list_users | List all users in the system |
| list_drone_analyzers | List all drone analyzers in the system |
| export_audit_logs | Initiate an export of audit logs from the AIR system |
| list_audit_logs | List audit logs from the AIR system |
| uninstall_assets | Uninstall specific assets based on filters without purging data. Requires specifying |
| purge_and_uninstall_assets | Purge data and uninstall specific assets based on filters. Requires specifying |
| add_tags_to_assets | Add tags to specific assets based on filters. Requires specifying |
| remove_tags_from_assets | Remove tags from specific assets based on filters. Requires specifying |
| create_auto_asset_tag | Create a new rule to automatically tag assets based on specified conditions for Linux, Windows, and macOS. |
| update_auto_asset_tag | Update an existing auto asset tag rule. |
| get_auto_asset_tag_by_id | Get details of a specific auto asset tag rule by its ID |
| delete_auto_asset_tag_by_id | Delete a specific auto asset tag rule by its ID |
| list_auto_asset_tags | List all auto asset tag rules in the system. |
| start_tagging | Start the auto asset tagging process for assets matching filter criteria. |
| acquire_baseline | Assign a baseline acquisition task to specific endpoints |
| compare_baseline | Compare baseline acquisition tasks for a specific endpoint |
| get_comparison_report | Get comparison result report for a specific endpoint and task |
| list_acquisition_artifacts | List all acquisition artifacts available for evidence collection |
| list_e_discovery_patterns | List all e-discovery patterns for file type detection |
| create_policy | Create a new policy with specific storage and compression settings |
| update_policy | Update an existing policy with specific storage and filter settings |
| get_policy_by_id | Get detailed information about a specific policy by its ID |
| update_policy_priorities | Update the priority order of policies |
| get_policy_match_stats | Get statistics on how many endpoints match each policy based on filter criteria |
| delete_policy_by_id | Delete a specific policy by its ID |
| get_task_assignments_by_id | Get all assignments associated with a specific task by its ID |
| cancel_task_assignment | Cancel a task assignment by its ID |
| delete_task_assignment | Delete a specific task assignment by its ID |
| get_task_by_id | Get detailed information about a specific task by its ID |
| cancel_task_by_id | Cancel a specific task by its ID |
| delete_task_by_id | Delete a specific task by its ID |
| list_triage_tags | List all triage rule tags in the system |
| create_triage_tag | Create a new triage rule tag |
| create_triage_rule | Create a new triage rule |
| update_triage_rule | Update an existing triage rule by ID |
| delete_triage_rule | Delete an existing triage rule by ID |
| get_triage_rule_by_id | Get a specific triage rule by its ID |
| validate_triage_rule | Validate a triage rule syntax without creating it |
| assign_triage_task | Assign a triage task to endpoints based on filter criteria |
| add_note_to_case | Add a note to a specific case by its ID |
| update_note_in_case | Update an existing note in a specific case |
| delete_note_from_case | Delete a note from a case by its ID |
| export_cases | Export cases data from the system |
| export_case_notes | Export notes for a specific case by its ID |
| export_case_endpoints | Export endpoints for a specific case by its ID |
| export_case_activities | Export activities for a specific case by its ID |
| create_case | Create a new case in the system |
| update_case | Update an existing case by ID |
| get_case_by_id | Get detailed information about a specific case by its ID |
| close_case_by_id | Close a case by its ID |
| open_case_by_id | Open a previously closed case by its ID |
| archive_case_by_id | Archive a case by its ID |
| change_case_owner | Change the owner of a case |
| check_case_name | Check if a case name is already in use |
| get_case_activities | Get activity history for a specific case by its ID |
| get_case_endpoints | Get all endpoints associated with a specific case by its ID |
| get_case_tasks_by_id | Get all tasks associated with a specific case by its ID |
| get_case_users | Get all users associated with a specific case by its ID |
| remove_endpoints_from_case | Remove endpoints from a case based on specified filters |
| remove_task_assignment_from_case | Remove a specific task assignment from a case |
| import_task_assignments_to_case | Import task assignments to a specific case |
| list_repositories | List all evidence repositories in the system |
| get_repository_by_id | Get detailed information about a specific evidence repository by its ID |
| create_smb_repository | Create a new SMB evidence repository |
| update_smb_repository | Update an existing SMB repository by ID |
| create_sftp_repository | Create a new SFTP evidence repository |
| update_sftp_repository | Update an existing SFTP repository |
| create_ftps_repository | Create a new FTPS evidence repository |
| update_ftps_repository | Update an existing FTPS evidence repository |
| validate_ftps_repository | Validate FTPS repository configuration without creating it |
| create_azure_storage_repository | Create a new Azure Storage repository |
| update_azure_storage_repository | Update an existing Azure Storage repository |
| validate_azure_storage_repository | Validate an Azure Storage repository configuration |
| create_amazon_s3_repository | Create a new Amazon S3 repository for evidence storage |
| update_amazon_s3_repository | Update an existing Amazon S3 repository |
| validate_amazon_s3_repository | Validate Amazon S3 repository configuration |
| delete_repository | Delete an evidence repository by its ID |
| download_case_ppc | Download a PPC file for a specific endpoint and task |
| download_task_report | Download a task report for a specific endpoint and task |
| get_report_file_info | Get information about a PPC file for a specific endpoint and task |
| get_organization_users | Get users for a specific organization by its ID |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |