LimaCharlie MCP
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@LimaCharlie MCPlook up IOC for IP 192.168.1.1"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Geoff's LimaCharlie MCP
A local MCP for LimaCharlie setup, administration, investigations, and tuning.
This is an alternative to the LimaCharlie hosted MCP. It uses LimaCharlie API surfaces directly, requires explicit scope for data, records a local audit line for each tool call, and can start adding value even with just read-only access.
Why?
Doesn't LimaCharlie already have an MCP? Yes.
Is something wrong with the LimaCharlie MCP? Nope.
Then... why? I love LimaCharlie, I had some free time, and wanted something that made LimaCharlie more accessible to people who dont live in the dark realm of EDR internals.
The official LimaCharlie docs describe:
a hosted HTTP MCP endpoint at
https://mcp.limacharlie.io/mcp,OAuth, JWT, and org API key authentication options,
CLI and SDK helper surfaces layered on top of the same APIs.
This server is different: it runs locally over stdio, exchanges an org API key for short-lived LimaCharlie JWTs, refreshes those JWTs automatically, and calls the APIs directly. That avoids shelling out to the CLI and keeps the MCP implementation small and reviewable.
Related MCP server: MCP Server ELK
Install From Geoff's Plugins
The easiest agent-facing install path is the geoffs-plugins marketplace:
/plugin marketplace add geoffbelknap/geoffs-plugins
/plugin install limacharlie-mcp@geoffs-pluginsThe plugin handles running the MCP server. Configure auth once before calling LimaCharlie tools.
By default, setup uses a managed local
Vault so the long-lived LimaCharlie API
key is not accidentally stored in chat history, .env files, MCP client
configuration, or audit logs. The MCP uses that protected key to mint
short-lived LimaCharlie JWTs when tools need API access.
First-Time Auth Setup
You need two values from LimaCharlie: an organization ID and a temporary bootstrap API key.
Open LimaCharlie, login, and choose your organization.
Copy the org ID from the URL:
app.limacharlie.io/orgs/<org-id>/....Open a terminal on the host running your MCP, swap in your org ID where it says
paste-your-org-id-here, and run this:
uvx --from git+https://github.com/geoffbelknap/limacharlie-mcp \
limacharlie-mcp-configure \
--oid "paste-your-org-id-here" \
--provision-runtime-keyThe command will print a temporary bootstrap key name and stop at a hidden
LimaCharlie API key secretprompt. Leave it waiting there.Go back to your browser and head to
Organization Settings->Access Management->REST API.Click
Create API Key, name it exactly what the command printed, and give it only:org.get apikey.ctrlThe setup command uses this temporary key to create one dedicated runtime key named
limacharlie-mcp-runtime, stores that runtime key in local Vault, and verifies it. It does not print either secret.Don't bother adding
live_stream.ctrl; this MCP does not expose live firehose or streaming telemetry tools. Spraying high pressure random telemetry at an AI is great for burning tokens, but it ain't going to make you more secure.Create your bootstrap key and copy the secret from the LimaCharlie dashboard.
Switch back to the terminal and paste the secret into the hidden prompt. It will not end up in your shell history.
After setup verifies the runtime key, delete the printed bootstrap key from LimaCharlie. The runtime key is already stored in Vault.
Then start a new chat with your favorite AI tool, with the plugin enabled, and ask:
Check my LimaCharlie MCP auth status.The agent should confirm credentials are configured without showing secrets.
For screenshots, permissions, user API key mode, advanced deployment, and troubleshooting, see Onboarding And Auth.
What You Can Ask It To Do
Start with one of these:
"Check my LimaCharlie MCP auth status."
"Show me which LimaCharlie MCP profile and tools are available."
"Review my LimaCharlie org posture."
"List my LimaCharlie sensors."
"Triage this LimaCharlie detection."
"Help me tune noisy LimaCharlie detections."
The MCP is split into focused profiles so normal agent sessions do not need to load every tool at once:
Profile | Intended use |
| Auth, org discovery, runtime status, schemas, ontology, and downloads. |
| Sensor onboarding, installation keys, tags, online state, and fleet maintenance. |
| Organizations, users, groups, API keys, billing, outputs, extensions, and org configuration. |
| D&R, false positives, YARA, Hive content, lookups, playbooks, SOPs, and content governance. |
| Bounded detection triage, events, cases, IOC lookups, audit, search, artifacts, and jobs. |
| Endpoint containment, response tasking, reliable tasks, job cancellation, and supporting evidence. |
| Response tasking plus content/YARA workflows used to remove adversary footholds. |
| Post-incident recovery verification and restoration previews. |
| Read-only posture review, tuning, content coverage, case backlog, and access hygiene. |
Ask the agent to call lc_tool_catalog when you want the current profile's
exact tool list.
Safety Model
This MCP is meant to help an agent work carefully, not turn LimaCharlie into an unbounded data pump.
Tools use bounded reads with explicit org scope, limits, cursors, selectors, or time windows.
Response and administration changes use preview/confirm flows.
API keys, JWTs, Vault tokens, and secret values are not returned in tool responses or audit excerpts.
Live telemetry streaming, spout, and firehose surfaces are intentionally not exposed. Use LimaCharlie outputs, storage, SIEM pipelines, or purpose-built stream processors for operational telemetry streams.
More Help
First-time setup, screenshots, user API keys, and reauth: Onboarding And Auth
Advanced operator deployment and MCP client config: Deployment
LimaCharlie docs: https://docs.limacharlie.io/
LimaCharlie API key docs: https://docs.limacharlie.io/7-administration/access/api-keys/
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/geoffbelknap/limacharlie-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server