The Binalyze AIR MCP Server enables natural language interaction with Binalyze AIR for digital forensics and incident response tasks. Key capabilities include:
Asset Management: List, manage, tag, and retrieve details about endpoints
Acquisition Management: Create and manage acquisition profiles, artifacts, and evidence items
Endpoint Control: Reboot, shutdown, isolate endpoints, retrieve logs, and update versions
Baseline Management: Acquire and compare baseline data for endpoints
Case Management: Create, update, and manage cases, including exporting data and managing notes
Policy Management: Create, update, and manage security policies
Task Management: Track, cancel, and delete forensic tasks
Triage Management: Manage rules and tags for threat detection
User & Organization Management: Manage users, roles, and organizational settings
Repository Management: Configure and manage evidence repositories (SMB, SFTP, FTPS, Azure, S3)
Audit Logs: Export and view system audit information
Webhook Integration: Interact with external systems via webhooks
System Configuration: Update system settings and banner messages
Binalyze AIR MCP Server
A Node.js server implementing Model Context Protocol (MCP) for Binalyze AIR, enabling natural language interaction with AIR's digital forensics and incident response capabilities.
✨ Features
Asset Management - List assets in your organization.
Asset Details - Get detailed information about a specific asset by its ID.
Asset Tasks - Get all tasks associated with a specific asset by its ID.
Acquisition Profiles - List acquisition profiles.
Acquisition Tasks - Assign evidence acquisition tasks to endpoints.
Image Acquisition Tasks - Assign disk image acquisition tasks to endpoints.
Baseline Acquisition - Acquire baseline data from specific endpoints to establish a reference point.
Compare Baseline - Compare multiple baseline acquisition tasks for a specific endpoint to identify changes.
Get Comparison Report - Retrieve comparison result report for a specific endpoint and task.
Create Acquisition Profiles - Create new acquisition profiles with specific evidence/artifact/network settings.
Acquisition Artifacts - List available artifacts for evidence collection.
Acquisition Evidences - List available evidence items for forensic data collection.
Reboot Tasks - Assign reboot tasks to specific endpoints.
Shutdown Tasks - Assign shutdown tasks to specific endpoints.
Isolation Tasks - Isolate or unisolate specific endpoints.
Log Retrieval Tasks - Retrieve logs from specific endpoints.
Version Update Tasks - Assign version update tasks to specific endpoints.
Organization Management - List organizations.
Case Management - List cases in your organization.
Policy Management - See security policies across your organization.
Task Management - Track forensic collection tasks and their statuses.
Triage Rules - View YARA, osquery and Sigma rules for threat detection.
User Management - List users in your organization.
User Details - Get detailed information about a specific user by their ID.
Drone Analyzers - View available drone analyzers with supported operating systems.
Audit Log Export - Initiate an export of audit logs.
List Audit Logs - View audit logs from the system.
Uninstall Assets - Uninstall specific assets based on filters without purging data.
Purge and Uninstall Assets - Purge data and uninstall specific assets based on filters.
Add Tags to Assets - Add tags to specific assets based on filters.
Remove Tags from Assets - Remove tags from specific assets based on filters.
Auto Asset Tagging - Create and update rules to automatically tag assets based on specific conditions.
List Auto Asset Tags - List all existing auto asset tag rules.
Get Auto Asset Tag Details - Get detailed information about a specific auto asset tag rule by its ID.
Delete Auto Asset Tag - Delete a specific auto asset tag rule by its ID.
Start Auto Tagging - Initiate the auto tagging process for assets that match specific filter criteria.
E-Discovery Patterns - List available e-discovery patterns for detecting different file types.
Policy Management - List, create, update, and delete policies in your organization.
Policy Match Statistics - See which policies apply to your assets based on various criteria.
Task Assignment Management - View and manage task assignments.
Triage Rules Management - List, create, update, and delete triage rules for threat detection.
Triage Tags Management - List and create triage tags for threat detection.
Validate Triage Rule - Validate a triage rule syntax without creating it.
Assign Triage Task - Assign a triage task to endpoints based on filter criteria.
Add Note to Case - Add a note to a specific case by its ID.
Update Note in Case - Update an existing note in a specific case.
Delete Note from Case - Delete a note from a case by its ID.
Export Cases - Export cases data from the system.
Export Case Notes - Export notes for a specific case by its ID.
Export Case Endpoints - Export endpoints for a specific case by its ID.
Export Case Activities - Export activities for a specific case by its ID.
Create Case - Create a new case in the system.
Update Case - Update an existing case by ID.
Get Case by ID - Get detailed information about a specific case by its ID.
Close Case by ID - Close a specific case by its ID.
Open Case by ID - Open a specific case by its ID.
Archive Case by ID - Archive a specific case by its ID.
Check Case Name - Check if a case name is already in use.
Get Case Activities - Get activity history for a specific case by its ID.
Get Case Endpoints - Get all endpoints associated with a specific case by its ID.
Get Case Tasks by ID - Get all tasks associated with a specific case by its ID.
Get Case Users - Get all users associated with a specific case by its ID.
Remove Endpoints from Case - Remove endpoints from a case based on specified filters.
Remove Task Assignment from Case - Remove a specific task assignment from a case.
Import Task Assignments to Case - Import task assignments to a specific case.
List Repositories - List all evidence repositories in the organization.
Create SMB Repository - Create a new SMB evidence repository.
Update SMB Repository - Update an existing SMB evidence repository.
Create SFTP Repository - Create a new SFTP evidence repository.
Update SFTP Repository - Update an existing SFTP evidence repository.
Create FTPS Repository - Create a new FTPS evidence repository.
Update FTPS Repository - Update an existing FTPS evidence repository.
Validate FTPS Repository - Validate FTPS repository configuration without creating it.
Create Azure Storage Repository - Create a new Azure Storage evidence repository.
Update Azure Storage Repository - Update an existing Azure Storage evidence repository.
Validate Azure Storage Repository - Validate Azure Storage repository configuration without creating it.
Create Amazon S3 Repository - Create a new Amazon S3 evidence repository.
Update Amazon S3 Repository - Update an existing Amazon S3 evidence repository.
Validate Amazon S3 Repository - Validate Amazon S3 repository configuration without creating it.
Get Repository by ID - Get detailed information about a specific evidence repository by its ID.
Delete Repository - Delete an evidence repository by its ID.
Download Case PPC - Download a PPC file for a specific endpoint and task.
Download Task Report - Download a task report for a specific endpoint and task.
Get Report File Info - Get information about a PPC file for a specific endpoint and task.
Get Organization Users - Get users for a specific organization by its ID.
Assign Users to Organization - Assign users to a specific organization.
Remove User from Organization - Remove a user from a specific organization.
Create Organization - Create a new organization.
Update Organization - Update an existing organization.
Get Organization by ID - Get detailed information about a specific organization by its ID.
Check Organization Name Exists - Check if an organization name already exists in the system.
Get Shareable Deployment Info - Get information about a shareable deployment using a deployment token.
Update Organization Shareable Deployment - Update an organization's shareable deployment settings.
Update Organization Deployment Token - Update the deployment token for a specific organization.
Delete Organization - Delete an organization by its ID.
Add Tags to Organization - Add tags to an organization.
Delete Tags from Organization - Delete tags from an organization.
Call Webhook - Call a webhook with the specified parameters.
Post Webhook - Post data to a webhook.
Get Task Assignments - Get all assignments for a specific task by its ID.
Update Banner Message - Update the system banner message settings.
Overview
This MCP server creates a bridge between Large Language Models (LLMs) and Binalyze AIR, allowing interaction through natural language. Query and act on your digital forensics environment without writing code or learning the AIR API.
🔑 API Token Requirement
Important: An API token is required for authentication. Set it using the `AIR_API_TOKEN` environment variable. MCP clients such as Claude Desktop and Cursor pass environment variables to a stdio server through the `env` block of their server configuration, so the token ends up in that client config file.
Treat the token as a privileged credential. The tool set above is not read-only: it includes isolating, rebooting and shutting down endpoints, purging and uninstalling agents, and deleting cases, repositories and organizations. Whatever the token's AIR user is permitted to do, the model can be asked to do. Issue the token from a dedicated AIR user with only the permissions the assistant needs, and keep the client config file readable by your own account only.
📦 Installation
Local Development
Usage with Claude Desktop
Add the following configuration to your Claude Desktop config file:
Usage with Cursor
Navigate to Cursor Settings > MCP
Add new MCP server with the following configuration:
🧩 Usage with Smithery
Note: Don't forget to activate Agent mode in your editor.
One-Line Installation Commands
Claude
Cursor
Windsurf
VSCode
Or use the Magic Link option in VSCode.
How to Use
In Claude Desktop, or any MCP Client, you can use natural language commands:
| Command | Description |
|---|---|
| | Shows all managed/unmanaged endpoints with OS and platform info |
| | Displays detailed information about a specific asset |
| | Shows all tasks associated with a specific asset |
| | Displays available acquisition profiles |
| | Shows detailed information about a specific acquisition profile, including evidence and artifacts |
| | Shows all available artifacts for evidence collection, organized by platform and category |
| | Shows all available evidence items for forensic data collection, organized by platform and category |
| | Assigns an evidence acquisition task to specified endpoint(s) |
| | Assigns a disk image acquisition task to a specific endpoint and volume, saving to a specified repository |
| | Creates a new acquisition profile with the specified configuration |
| | Assigns a reboot task to a specific endpoint |
| | Assigns a shutdown task to a specific endpoint |
| | Assigns an isolation task to a specific endpoint |
| | Removes isolation from a specific endpoint |
| | Assigns a log retrieval task to a specific endpoint |
| | Assigns a version update task to a specific endpoint |
| | Shows all organizations in the environment |
| | Displays cases with status and creation time |
| | Shows security policies and collection policies |
| | Lists all tasks with their statuses |
| | Shows YARA, osquery and Sigma rules for threat detection |
| | Shows all users in the system with their details |
| | Retrieves the details of a specific user by their ID |
| | Shows available drone analyzers with supported operating systems |
| | Initiates the export of audit logs. The export runs in the background on the AIR server. |
| | Shows audit logs with details like timestamp, user, action, entity |
| | Uninstalls the specified asset(s) without purging data (requires an asset filter) |
| | Purges data and uninstalls the specified asset(s) (requires an asset filter) |
| | Adds the specified tags to the targeted asset(s) (requires an asset filter and the tags to add) |
| | Removes the specified tags from the targeted asset(s) (requires an asset filter and the tags to remove) |
| | Creates a new rule to automatically tag assets based on conditions |
| | Updates an existing auto asset tag rule with new conditions |
| | Lists all existing auto asset tag rules with their configurations |
| | Shows detailed information about a specific auto asset tag rule |
| | Deletes a specific auto asset tag rule by its ID |
| | Initiates the auto tagging process for Windows assets matching specified criteria |
| | Acquires baseline data from specified endpoints for a given case ID |
| | Compares multiple baseline acquisition tasks for a specific endpoint to identify changes |
| | Retrieves the comparison result report for a specific endpoint and comparison task |
| | Shows all available e-discovery patterns for file type detection |
| | Creates a new policy with custom settings |
| | Updates an existing policy with new settings |
| | Displays detailed information about a specific policy |
| | Updates the order of policy application |
| | Shows how many endpoints match each policy |
| | Shows policy matches filtered by platform |
| | Shows policy matches for offline assets |
| | Permanently removes a policy from the system |
| | Shows all assignments associated with a specific task |
| | Cancels a specific task assignment |
| | Permanently removes a task assignment |
| | Displays detailed information about a specific task, including evidence types and configuration |
| | Cancels a running task with the specified ID |
| | Permanently deletes a specific task |
| | Creates a new triage rule |
| | Lists triage tags associated with triage rules |
| | Creates a new triage tag |
| | Updates an existing triage rule |
| | Permanently removes a triage rule |
| | Retrieves the details of a specific triage rule |
| | Validates a triage rule's syntax without creating it |
| | Assigns a triage task to endpoints based on filter criteria |
| | Adds a note to a specific case by its ID |
| | Updates an existing note in a specific case |
| | Deletes a specific note from a case by its ID |
| | Initiates an export of cases data for your organization |
| | Initiates an export of notes for a specific case by its ID |
| | Initiates an export of endpoints for a specific case by its ID |
| | Initiates an export of activities for a specific case by its ID |
| | Creates a new case in the system |
| | Updates an existing case by ID |
| | Retrieves the details of a specific case by its ID |
| | Closes a specific case by its ID |
| | Opens a specific case by its ID |
| | Archives a specific case by its ID |
| | Changes the owner of a specific case by its ID |
| | Checks if a case name is already in use |
| | Displays the activity history for a specific case by its ID |
| | Retrieves all endpoints associated with a specific case by its ID |
| | Displays all tasks associated with the specified case |
| | Retrieves all users associated with a specific case by its ID |
| | Removes endpoints from a case based on specified filters |
| | Removes a specific task assignment from a case |
| | Imports task assignments to a specific case |
| | Lists all evidence repositories in the organization |
| | Creates a new SMB evidence repository with specified credentials |
| | Updates an existing SMB repository's configuration |
| | Creates a new SFTP evidence repository with specified credentials |
| | Updates an existing SFTP repository's configuration |
| | Tests whether an FTPS repository configuration is valid without creating it |
| | Creates a new Azure Storage evidence repository with specified credentials |
| | Updates an existing Azure Storage repository's configuration |
| | Checks if the provided SAS URL is valid for Azure Storage access |
| | Creates a new Amazon S3 evidence repository with specified credentials |
| | Modifies an existing S3 repository configuration |
| | Checks if S3 credentials and bucket are valid |
| | Displays detailed information about a specific evidence repository |
| | Deletes a specific evidence repository |
| | Downloads a PPC file for the specified endpoint and task |
| | Downloads a task report for the specified endpoint and task |
| | Retrieves information about a PPC file for a specific endpoint and task |
| | Displays all users belonging to the specified organization |
| | Assigns users to the specified organization |
| | Removes a user from the specified organization |
| | Creates a new organization with the specified name and contact information |
| | Updates an existing organization with new settings |
| | Displays detailed information about a specific organization |
| | Checks if an organization name is already in use |
| | Retrieves information about a shareable deployment using a deployment token |
| | Updates an organization's shareable deployment settings |
| | Updates the deployment token for a specific organization |
| | Permanently removes an organization from the system |
| | Adds tags to an organization |
| | Removes tags from an organization |
| | Calls a webhook with the specified parameters |
| | Sends a POST request to a webhook with provided data |
| | Retrieves all assignments for a specific task by its ID |
| | Updates the system banner message settings |
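What the client and server actually exchange underneath those natural-language commands, as an added example that is not part of the project's code: an MCP client speaks newline-delimited JSON-RPC 2.0 over the server's stdin and stdout, performs the `initialize` handshake, asks for `tools/list`, and then issues `tools/call` requests for whichever tool the model picks. Because the table above includes reboot, shutdown, isolation, purge and delete operations, the example also shows a client-side gate that forwards read-only tools freely and holds any other tool call until an operator approves it. The tool names (`list_assets`, `assign_shutdown_task`, `purge_and_uninstall_assets`), their snake_case prefix form and the argument names are assumed for illustration; the server's own `tools/list` response is authoritative. The sample server output is constructed.

```javascript
// Added example, not the project's code: MCP stdio framing, the initial
// request sequence, and a client-side approval gate for state-changing tools.
// Tool names and argument names are assumed; tools/list is authoritative.

// MCP over stdio carries one JSON-RPC 2.0 message per line.
function frame(message) {
  const line = JSON.stringify(message);
  if (line.includes("\n")) throw new Error("a framed message must not contain a raw newline");
  return line + "\n";
}

// Split a stdout chunk into complete messages. The unfinished tail is returned
// so the caller can prepend it to the next chunk instead of losing it.
function parseFrames(chunk) {
  const lines = chunk.split("\n");
  const rest = lines.pop();
  const messages = lines.filter((l) => l.trim() !== "").map((l) => JSON.parse(l));
  return { messages, rest };
}

// The requests a client sends before any tool can be called.
function handshake() {
  return [
    {
      jsonrpc: "2.0", id: 1, method: "initialize",
      params: {
        protocolVersion: "2024-11-05",
        capabilities: {},
        clientInfo: { name: "example-client", version: "0.1.0" },
      },
    },
    { jsonrpc: "2.0", method: "notifications/initialized" }, // a notification carries no id
    { jsonrpc: "2.0", id: 2, method: "tools/list" },
  ];
}

// Read-only verbs taken from this page's feature list. Anything else
// (assign_*, create_*, update_*, delete_*, purge_*, isolate/reboot/shutdown
// tasks, ...) is treated as state-changing and needs approval. The prefix
// form of the names is an assumption; adjust to the real tools/list output.
const READ_ONLY = /^(list|get|check|validate|download|export)_/i;

function isReadOnly(toolName) {
  return READ_ONLY.test(toolName);
}

// Build a tools/call request, or refuse it when the tool is not read-only and
// the operator has not approved this specific call. Unknown names fail closed.
function gateToolCall(id, toolName, args, approved = false) {
  if (!isReadOnly(toolName) && !approved) {
    return { ok: false, reason: `${toolName} may change endpoint or case state; operator approval required` };
  }
  return {
    ok: true,
    request: { jsonrpc: "2.0", id, method: "tools/call", params: { name: toolName, arguments: args } },
  };
}

// Constructed sample of what the server writes back: two complete frames and
// the beginning of a third that has not fully arrived yet.
const SAMPLE_STDOUT =
  frame({ jsonrpc: "2.0", id: 1, result: { protocolVersion: "2024-11-05", capabilities: { tools: {} }, serverInfo: { name: "air-mcp", version: "0.0.0" } } }) +
  frame({ jsonrpc: "2.0", id: 2, result: { tools: [{ name: "list_assets" }, { name: "assign_shutdown_task" }] } }) +
  '{"jsonrpc":"2.0","id":3,"result":{"content":[';

// Walk through one exchange: send the handshake, read the replies, then try
// a read-only call and a shutdown call without approval.
function demo() {
  const sent = handshake().map(frame).join("");
  const { messages, rest } = parseFrames(SAMPLE_STDOUT);
  const toolsOffered = messages.find((m) => m.id === 2).result.tools.map((t) => t.name);
  const allowed = gateToolCall(3, "list_assets", {});                          // arguments assumed
  const blocked = gateToolCall(4, "assign_shutdown_task", { endpointId: "ep-1" }); // arguments assumed
  return { sent, toolsOffered, pendingBytes: rest.length, allowed, blocked };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The gate is deliberately an allowlist: a tool whose name does not match a known read-only prefix is held, so a newly added destructive tool is not forwarded by accident. In a real client the `approved` flag would come from the user confirming the specific call, including its arguments, not from a per-tool setting.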
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.