Retrieve Automox audit trail events performed by a user on a specific date.

Query OCSF-formatted audit events from the Automox Audit Service v2. Supports filtering by date, event category (authentication, account_change, entity_management, user_access, web_resource_activity), and event type name. Uses cursor-based pagination for large result sets. Permissions: as of 2025-10-27 the upstream endpoint requires the API key to have BOTH organization:manage and users:read scopes; keys missing either scope return 403.

List devices with detailed per-device information including hostname, OS, policy status, and patch status. Use this to explore and investigate specific devices, optionally filtered by management/policy status. For aggregate statistics and health metrics, use device_health_metrics instead.

Return detailed information and recent activity for a device.

Surface Automox devices flagged for immediate action.

Search Automox devices by hostname (including custom name), IP, tag, severity of missing patches, or patch status (only 'missing' is supported).

Aggregate organization-wide device health statistics including managed/unmanaged breakdown, device status breakdown, compliance metrics, and check-in recency analysis. Use this for monitoring dashboards and getting a fleet-wide health overview.

Retrieve detailed device inventory data including hardware, network, security, services, system, and user information. Optionally filter by category. Uses the Console API device-details endpoint.

List available inventory categories for a device. Categories are dynamic per device. Use this to discover what inventory data is available before requesting specific categories.

Issue an immediate command to a device (scan, patch, or reboot).

Apply bulk attribute actions to many devices at once (up to 500). Currently supports tag apply/remove via actions like {'attribute': 'tags', 'action': 'apply', 'value': ['env:prod']}.

Update a single device's mutable attributes: custom_name, server_group_id, exception (policy-enforcement exclusion), tags, and ip_addrs. Fills the single-device gap that batch_update_devices (tags-only, bulk) does not cover — e.g. renaming a device or moving it to a server group. Supply only the fields you want to change; at least one is required.

List saved device searches from the Advanced Device Search API. Returns saved search names, queries, and metadata.

Execute an advanced device search using the Automox Advanced Device Search API's structured query language. Enables complex queries like 'find all Windows devices not seen in 30 days' or 'devices with nginx installed' using field-based filtering. Pass query as a dict with a filters list of AND/OR groups, each a list of conditions: {"filters": [{"AND": [{"scope": "SOFTWARE", "field": "pkgDisplayName", "operator": "IN", "values": ["nginx"]}]}]}. Use get_searchable_fields for valid scope/field/operator combos and device_search_typeahead to discover values. The org is scoped automatically. limit sets the page size.

Get typeahead suggestions for device search fields. Useful for discovering valid values when building advanced device queries.

Get available fields for device queries. Returns the field names and types supported by the advanced device search API.

Get device-to-policy and device-to-group assignments.

Get device details by UUID using the Server Groups API v2. Provides device information via UUID-based lookup.

Retrieve a single saved device search by ID. Returns the saved search name, description, query, and metadata.

Execute a saved device search and retrieve its current device result set. Supports pagination via page + limit.

Retrieve cached server-side results for a previously-executed device search, keyed by search execution ID. Distinct from get_saved_search_results which re-executes a saved-search definition.

List available device-search scope options. Org-independent metadata describing the scopes (e.g., device, group, org) supported by the Advanced Device Search API.

List searchable device fields grouped by scope, with per-field type metadata. Richer than get_device_metadata_fields (a flat field-name array) — use this to construct typed advanced-search queries.

List the saved device searches whose result set currently contains a given device (by UUID). Triage primitive: 'which saved searches does this device match?' Optionally filter by saved-search type.

Execute a saved device search by UUID and return its device results, with paging (page/size) and an optional fields projection. Lighter-weight than get_saved_search_results when you only need a subset of fields.

Create a new saved device search. Provide a name, a structured query dict carrying a filters list (same syntax as advanced_device_search — e.g. {"filters": [{"AND": [{"scope": "SOFTWARE", "field": "pkgDisplayName", "operator": "IN", "values": ["nginx"]}]}]}), and an optional description. The org is scoped automatically.

Update an existing saved device search (partial update). Provide at least one of name, query, or description. The query dict uses the Automox Advanced Device Search API query syntax (see advanced_device_search).

Permanently delete a saved device search by ID.

Bulk-assign one or more policies to the result set of a saved device search. Takes the saved-search UUID and a list of policy IDs.

Force a re-cache of a saved device search's results when they may be stale. Triggers server-side recomputation; returns once queued.

Summarize recent Automox policy activity.

Review recent executions for a policy.

Retrieve per-device results and output for a specific policy execution token.

List Automox policies with type and status summaries.

Retrieve configuration and recent history for a policy.

Retrieve per-policy compliance statistics showing compliant vs non-compliant device counts and compliance rates for the organization.

Summarize pending patch approvals and their severity.

Dry-run: preview which devices a policy's device filters and/or server groups would target, before creating or updating the policy. Read-only — nothing is created or changed.

List the devices currently targeted by one or more policies (by policy UUID) — blast-radius assessment before executing or changing a policy. Read-only.

Approve or reject an Automox patch approval request.

Permanently delete an Automox policy by ID.

Clone an existing Automox policy. By default creates an in-org copy with an optional new name and server group assignments. Pass target_zone_ids to instead clone a patch policy into one or more zones/orgs in a single server-side call (patch policies only; mutually exclusive with name/server_groups).

Create or update Automox policies with automatic format correction.

Execute an Automox policy immediately for remediation (all devices or specific device).

List policy runs with time-range filtering, policy name/type filters, and result status filtering. Uses the Policy History v2 API for richer data than the standard policy execution timeline.

Get aggregate policy execution counts. Optionally filter by number of days to look back.

Get policy runs grouped by policy for cross-policy comparison. Shows which policies have been running and their aggregate results.

Get policy history details by UUID, including run history and status.

Get execution runs for a specific policy by UUID. Optionally filter by number of days and sort order.

List fleet-wide policy execution counts over a time window: one row per policy with its run count, in a single round-trip. Answers 'which policies ran most last quarter?' without per-policy calls or client-side aggregation. Distinct from policy_run_count (single aggregate) and policy_runs_for_policy (per-run records for one policy).

Get detailed per-device results for a specific policy run. Uses UUID-based queries and supports device name filtering.

Invite a user to the Automox account with optional zone assignments.

Remove a user from the Automox account by UUID.

List API keys for the Automox organization. Returns key names and IDs only — secrets are never exposed.

List organizations visible to the API key, with tier, device count, device limit, parent org, and trial end time. Useful for MSP/multi-org navigation, feature-tier checks, capacity posture, and trial warnings.

List users in the organization with name, email, and RBAC roles. Secrets (e.g. intercom_hmac) are never surfaced.

Get a single user by numeric ID, including org/server-group membership and RBAC roles. Secrets are never surfaced.

Get Automox account detail (id, name, type, timestamps).

List the RBAC roles available in the Automox account.

Get an account-scoped user record by UUID: status, account RBAC role, verification, and 2FA state.

List the zones (organizations) a given user belongs to.

List the zones (organizations) in the Automox account.

Get a single zone (organization) by UUID. The zone access_key is never surfaced.

List the users assigned to a given zone (by zone UUID).

List a user's API keys by user ID. Returns key metadata (name, enabled, expiry) only — secrets are never exposed.

Get one user API key by user ID and key ID. Returns metadata only — the secret is never exposed.

List global (account-scoped) API keys. Returns key metadata (name, enabled, expiry) only — secrets are never exposed.

Create a new zone (organization) in the account. The zone access_key is never surfaced.

Update a user's profile fields (firstname, lastname, email, tfa_type) by user ID. Passwords cannot be set through this tool.

Create an API key for a user. Returns metadata only — the key secret is never surfaced and cannot be retrieved via MCP.

Enable or disable a user API key by user ID and key ID.

Permanently delete a user API key by user ID and key ID.

Create a global (account-scoped) API key. Returns metadata only — the key secret is never surfaced and cannot be retrieved via MCP.

Enable or disable a global (account-scoped) API key by ID.

Permanently delete a global (account-scoped) API key by ID.

List all Automox server groups with their device counts and assigned policies.

Get detailed information about a specific Automox server group.

Create a new Automox server group.

Update an existing Automox server group.

Delete an Automox server group permanently.

List Automox organization events with optional filters by policy, device, user, event name, or date range.

Retrieve the Automox pre-patch readiness report showing devices with pending patches before the next scheduled patch window.

Retrieve the Automox non-compliant devices report showing devices that need attention due to policy failures or missing patches.

List software packages installed on a specific Automox device. Returns package names, versions, patch status, and severity. By default returns the complete package set (auto-paginated), so it is reliable for 'is package X installed?' checks. Pass an explicit page to fetch a single page instead.

Search software packages across the Automox organization. Filter by managed status or packages awaiting installation.

List all available Automox webhook event types with descriptions. Use this to see which events can trigger webhook deliveries.

List all webhook subscriptions for the Automox organization. Supports cursor-based pagination.

Retrieve details for a specific Automox webhook subscription.

List recent delivery attempts (status, latency, error) for a webhook -- delivery troubleshooting. Results are newest-first and cursor-paginated; optional startDate/endDate filters.

Create a new Automox webhook subscription. The response includes a signing secret that is ONLY shown once — save it immediately. Max 5 webhooks per organization. URL must be HTTPS.

Update an existing Automox webhook. Only provided fields are changed (partial update). Can update name, URL, enabled status, or event types.

Delete an Automox webhook subscription permanently.

Send a test delivery to an Automox webhook endpoint. Returns success status, HTTP status code, and response time.

Rotate the signing secret for an Automox webhook. The old secret is immediately invalidated. Save the new secret — it is only shown once.

Search the Automox community worklet catalog. Returns worklet names, descriptions, categories, and OS compatibility. Use to discover pre-built evaluation and remediation scripts.

Get detailed information for a specific community worklet, including evaluation code, remediation code, and requirements.

List available data extracts for the Automox organization. Returns extract names, statuses, and download information.

Get details and download information for a specific data extract.

Request a new data extract for bulk reporting. Returns the extract ID and initial status.

List vulnerability remediation action sets for the organization. Shows imported vulnerability data and remediation tracking.