binalyze-air-mcp-gateway
Facilitate conversational interfacing with Binalyze AIR platforms for comprehensive management of organizational structures, digital evidence acquisition blueprints, and managed endpoints. Access and retrieve AIR intelligence using any standard MCP client, leveraging advanced contextual processing capabilities.
Author

binalyze
Quick Info
Actions
Tags
Binalyze AIR MCP Connector Service
This Node.js service implements the Model Context Protocol (MCP), creating a robust link to Binalyze AIR's digital investigation and incident response functionalities. It allows users to query and manage forensic operations using plain language.
✨ Core Capabilities
- Endpoint Registry Oversight - Enumerate all connected endpoints within your environment.
- Endpoint Specifics - Fetch comprehensive data regarding a singular endpoint via its identifier.
- Endpoint Activity Log - Retrieve the complete queue of operations pending or executed for a given endpoint.
- Collection Blueprint Catalog - List all defined evidence acquisition schematics.
- Execution Blueprint Tasking - Schedule evidence gathering operations on remote devices.
- Forensic Image Dispatch - Initiate full disk imaging tasks for target workstations.
- Reference Data Acquisition - Gather standardized baseline data from systems to establish normative states.
- Baseline Divergence Analysis - Compare multiple historical baseline collections for one endpoint to spot variances.
- Comparison Artifact Retrieval - Obtain the formal report detailing baseline divergence analysis results.
- Blueprint Definition Creation - Formulate new acquisition schematics specifying evidence types, artifacts, and network parameters.
- Evidence Component Index - List all potential forensic evidence components available for collection.
- Data Item Index - List all available core forensic data items that can be gathered.
- System Reboot Directives - Command remote endpoints to cycle power.
- System Shutdown Directives - Command remote endpoints to power off.
- Endpoint Containment Control - Toggle the network isolation status of specific endpoints.
- System Log Fetch - Request diagnostic logs from targeted endpoints.
- Software Revision Update - Deploy tasks to refresh endpoint agent versions.
- Organizational Structure Listing - View all registered client organizations.
- Case File Index - List active case files associated with the current organizational unit.
- Security Posture Review - Inspect defined security and compliance mandates across the organization.
- Operational Task Status - Monitor the lifecycle and progress of all forensic collection jobs.
- Threat Intelligence Ruleset - Inspect YARA, Osquery, and Sigma rules deployed for threat detection.
- Personnel Registry - List all authorized personnel within the operational environment.
- Personnel Profile Retrieval - Obtain detailed attributes for a specific user by their ID.
- Drone Analyzer Inventory - View available analysis modules and their supported operating systems.
- System Activity Export - Trigger a background job to export comprehensive audit records.
- System Activity Log Review - Display historical audit trails of system operations.
- Endpoint Decommissioning (Soft) - Remove specific assets from management without deleting retained data.
- Endpoint Decommissioning (Hard) - Erase all associated data and uninstall the agent from targeted assets.
- Asset Metadata Tagging (Addition) - Apply descriptive labels to assets based on defined criteria.
- Asset Metadata Tagging (Removal) - Strip descriptive labels from targeted assets.
- Automated Asset Labeling Rules - Define and manage logic for automatic asset classification based on attributes.
- Automated Asset Labeling Rule Inventory - List all configured automated tagging policies.
- Automated Asset Labeling Rule Inspection - Retrieve specifics for an individual automated tagging policy by its UUID.
- Automated Asset Labeling Policy Deletion - Erase a specified automated tagging rule.
- Initiate Automated Tagging Sweep - Manually trigger the evaluation of assets against active auto-tagging rules.
- eDiscovery Pattern Catalog - List predefined patterns used for specific file type identification.
- Policy Lifecycle Management - Create, modify, query, and eliminate organizational compliance policies.
- Policy Applicability Metrics - View summary statistics showing policy enforcement across assets.
- Task Assignment Oversight - Review and manage the delegation of operations to endpoints.
- Threat Rule Lifecycle Management - Create, modify, query, and remove threat detection rulesets.
- Threat Tagging Administration - Manage and create descriptive labels associated with threat findings.
- Rule Syntax Verification - Validate the structural integrity of a threat detection rule without committing it.
- Threat Analysis Task Dispatch - Assign targeted threat analysis operations to endpoints based on filtering rules.
- Case Annotation Addition - Append a new commentary entry to a specific case file.
- Case Annotation Modification - Update the content of an existing case commentary record.
- Case Annotation Deletion - Remove a specific commentary record from a case file.
- Case Data Export - Initiate the extraction of all case-related data.
- Case Commentary Export - Extract all annotations associated with a targeted case.
- Case Endpoint Roster Export - Extract the list of endpoints related to a specific case.
- Case Chronology Export - Extract the event timeline associated with a specific case.
- Case Creation - Establish a new investigation file within the system.
- Case Record Update - Modify attributes of an existing case record identified by its unique ID.
- Case Retrieval by Identifier - Fetch complete details for a specific case file.
- Case Finalization (Closure) - Mark a specified case file as resolved/closed.
- Case Reopening - Re-activate a previously closed case file.
- Case Archival - Move a case file to long-term, inactive storage.
- Case Name Uniqueness Check - Verify if a proposed case title is already in use.
- Case Activity Stream Retrieval - Obtain the detailed event history for a specific case.
- Case Associated Endpoint Listing - Get the full roster of endpoints linked to a case.
- Case Associated Task Retrieval - Obtain the complete list of assigned operations for a case.
- Case Associated Personnel Retrieval - Get the list of users linked to a specific case.
- Case Endpoint Disassociation - Remove endpoints from a case based on defined criteria.
- Case Task Assignment Revocation - Unlink a specific task assignment from a case record.
- Case Task Assignment Ingestion - Load predefined task assignments into a case file.
- Evidence Storage Location Index - List all configured evidence deposition sites within the environment.
- SMB Deposition Point Setup - Create a new evidence repository using Server Message Block protocol.
- SMB Deposition Point Configuration Update - Modify parameters for an existing SMB repository.
- SFTP Deposition Point Setup - Create a new evidence repository utilizing Secure File Transfer Protocol.
- SFTP Deposition Point Configuration Update - Modify parameters for an existing SFTP repository.
- FTPS Deposition Point Setup - Create a new evidence repository using File Transfer Protocol Secure.
- FTPS Deposition Point Configuration Update - Modify parameters for an existing FTPS repository.
- FTPS Configuration Verification - Validate FTPS repository settings without materializing the repository.
- Azure Storage Deposition Point Setup - Create a new evidence repository leveraging Azure Storage services.
- Azure Storage Deposition Point Configuration Update - Modify parameters for an existing Azure Storage repository.
- Azure Storage Configuration Verification - Validate Azure Storage connection parameters.
- Amazon S3 Deposition Point Setup - Create a new evidence repository using Amazon Simple Storage Service.
- Amazon S3 Deposition Point Configuration Update - Modify parameters for an existing S3 repository.
- Amazon S3 Configuration Verification - Validate Amazon S3 repository connectivity and credentials.
- Deposition Point Inspection - Fetch comprehensive details for a specific evidence repository.
- Deposition Point Removal - Permanently delete an evidence repository.
- Endpoint PPC Artifact Download - Retrieve the Portable Property Container file for a specific endpoint and task ID.
- Operational Task Artifact Download - Retrieve the standard report output generated by a specified task on an endpoint.
- Artifact File Metadata Fetch - Get metadata related to an endpoint's PPC file for a specific operation.
- Organization Personnel Index - Retrieve users mapped to a particular organizational entity by its ID.
- Organization Personnel Assignment - Link specified users to a target organization.
- Organization Personnel Removal - Detach a user from a specified organization.
- Organization Instantiation - Establish a new organizational entity within the platform.
- Organization Record Modification - Update details for an existing organization.
- Organization Profile Retrieval - Fetch detailed information for an organization by its unique identifier.
- Organization Name Availability Check - Determine if a chosen organization name is currently unique.
- Shareable Deployment Information Retrieval - Access details about a deployment instance accessible via a deployment token.
- Organization Shareable Deployment Configuration Update - Modify the sharing settings associated with an organization.
- Organization Access Token Refresh - Generate a new deployment token for a specific organization.
- Organization Dissolution - Permanently remove an organization entity.
- Organization Tagging (Addition) - Apply descriptive labels to an organizational unit.
- Organization Tagging (Deletion) - Remove specified labels from an organization.
- External Service Hook Invocation - Execute a predefined webhook with specified payload details.
- External Service Hook Data Transmission - Send structured data via an HTTP POST request to a registered webhook endpoint.
- Task Assignment Enumeration - Retrieve all recorded instances of task delegation for a given task identifier.
- System Notification Banner Update - Modify the global, persistent message displayed across the user interface.
Overview
This MCP conduit establishes a communication layer between Large Language Models (LLMs) and the Binalyze AIR suite, enabling intuitive, language-based command execution. Gain mastery over your digital forensics landscape without requiring direct API programming.
🔑 Authentication Prerequisite
Crucial: Successful operation necessitates an active API credential. Configure this via the
AIR_API_TOKENenvironment variable.
📦 Deployment Instructions
Local Environment Setup
bash
Obtain the source repository
git clone https://github.com/binalyze/air-mcp
Enter the project directory
cd air-mcp
Install required dependencies
npm install
Compile source files
npm run build
Configuration for Claude Desktop
In your Claude Desktop configuration file, integrate the service as follows:
{ "mcpServers": { "air-mcp": { "command": "npx", "args": ["-y", "@binalyze/air-mcp"], "env": { "AIR_HOST": "your-api-host.com", "AIR_API_TOKEN": "your-api-token" } } } }
Configuration for Cursor IDE
- Access Cursor Settings -> MCP section.
- Add a new MCP service entry using this structure:
{ "mcpServers": { "air-mcp": { "command": "npx", "args": ["-y", "@binalyze/air-mcp"], "env": { "AIR_HOST": "your-api-host.com", "AIR_API_TOKEN": "your-api-token" } } } }
🧩 Integration via Smithery Framework
Reminder: Ensure Agent mode is active within your Smithery-compatible editor environment.
Rapid Installation Commands
Claude Integration
bash npx -y @smithery/cli@latest install @binalyze/air-mcp --client claude --key {smithery_key}
Cursor Integration
bash npx -y @smithery/cli@latest install @binalyze/air-mcp --client cursor --key {smithery_key}
Windsurf Integration
bash npx -y @smithery/cli@latest install@rapidappio/rapidapp-mcp --client windsurf --key {smithery_key}
VSCode Integration
bash npx -y @smithery/cli@latest install @binalyze/air-mcp --client vscode --key {smithery_key}
Alternatively, leverage the one-click Magic Link option available within VSCode.
How to Execute Commands
Within Claude Desktop or any supporting MCP client, utilize natural language directives:
| Directive Example | Functionality Description |
|---|---|
Enumerate all endpoints in the ecosystem |
Displays all managed/unmanaged devices including OS and platform metadata |
Provide specifics for endpoint identified as "abc123" |
Shows detailed attribute data for a singular asset |
Fetch all pending operations for endpoint "abc123" |
Shows the complete task queue tied to a specific endpoint |
List all configured collection blueprints |
Displays available evidence acquisition schematics |
Retrieve details for acquisition blueprint by its ID |
Shows granular information about a chosen blueprint, including evidence targets and artifacts |
Index all available acquisition artifacts |
Shows every artifact component cataloged for evidence gathering |
Index all available forensic data items |
Shows every core data item available for forensic extraction |
Schedule an evidence collection job on endpoint 123abc using blueprint "full" tied to case "C-2022-0001" |
Schedules an evidence acquisition operation on specified endpoints |
Dispatch a disk image acquisition on endpoint 123abc for partition /dev/sda1, saving output to repository 456def |
Schedules a full disk image capture on a target system, directing output to a specified storage location |
Formulate a new blueprint named "My Custom Profile" specifying windows evidence types ["clp"] and linux artifacts ["apcl"] |
Creates a novel acquisition blueprint with custom settings |
Issue a system reboot command for endpoint 123abc |
Assigns a reboot directive to a specific remote device |
Issue a system power-off command for endpoint 123abc |
Assigns a shutdown directive to a specific remote device |
Initiate containment sequence for endpoint 123abc |
Assigns an isolation directive to a specific remote device |
Terminate containment sequence for endpoint 123abc |
Removes network isolation from a specific remote device |
Request system logs retrieval from endpoint 123abc |
Assigns a diagnostic log capture task to a specific remote device |
Schedule agent version update for endpoint 123abc |
Assigns a task to upgrade the endpoint agent software |
List every organization entity |
Shows all organizations registered in the environment |
List all active case files |
Displays case files along with their resolution status and creation timestamps |
Review current security compliance mandates |
Shows defined security policies and data collection mandates |
List status for all operational tasks |
Lists all queued and executing forensic jobs |
Show all deployed threat detection rules (YARA, OSQuery, Sigma) |
Lists all rulesets configured for threat identification |
List all registered personnel |
Shows all users in the system with their associated attributes |
Get profile data for user ID |
Retrieves the attributes of a specific user by their ID |
List all available drone analysis modules |
Shows drone analyzers and supported operating system compatibility |
Trigger audit log export sequence |
Initiates the background export of the entire system audit trail. |
Display system audit records |
Shows historical logs detailing user actions, timestamps, and affected entities |
Uninstall asset matching ID "endpoint-id" |
Removes the agent from the specified asset without data erasure (requires filter context) |
Erase data and uninstall asset matching ID "endpoint-id" |
Completely removes the asset and purges its data (requires filter context) |
Apply tags ["tag1", "tag2"] to asset matching ID "endpoint-id" |
Attaches specified descriptive labels to targeted assets (requires filter and tag context) |
Strip tags ["tag1"] from asset matching ID "endpoint-id" |
Removes specified descriptive labels from targeted assets (requires filter and tag context) |
Define a new automated asset tag titled "Web Server" |
Creates a novel rule for conditional, automatic asset labeling. |
Modify automated tag "fkkEPhpqMNqJeHfi4RyxiWEm" to be named "Updated Container" with condition: linux process "containerd" is active |
Updates an existing automated tag policy with new rules. |
List every automated asset tagging policy |
Lists all current rules governing automatic asset classification. |
Inspect details for automated tag ID "f6kEPhpqMNqJeHfi4RyxiWEm" |
Shows the full configuration of a specific automated tagging rule. |
Remove automated tag policy with ID "f6kEPhpqMNqJeHfi4RyxiWEm" |
Deletes a specific automated tagging rule. |
Execute automated tagging sweep for all assets matching Windows criteria |
Manually runs the classification process based on predefined filters. |
Index all e-discovery file signature patterns |
Shows all available patterns used for specific file type identification |
Establish a new policy named "Production Policy" with optimized storage configuration |
Creates a novel compliance policy with tailored settings |
Modify policy associated with ID "abc123" |
Updates an existing compliance policy with revised settings |
Fetch policy details for identifier "System" |
Displays granular configuration data for a specific policy |
Reorder policy application sequence to ["policy1", "policy2", "policy3"] |
Updates the priority order in which policies are evaluated |
Visualize policy match statistics across the fleet |
Shows a summary of which policies apply to which endpoints |
Show policy enforcement metrics for Linux endpoints |
Displays policy matching statistics filtered by operating system |
Show policy adherence statistics for isolated assets |
Shows policy matches specifically for endpoints currently in quarantine |
Retire policy with ID "abc123" |
Permanently deletes a policy from the configuration |
Retrieve all task assignments linked to task ID "def456" |
Shows all delegation records for a specific operation |
Revoke task assignment identified as "xyz789" |
Cancels a specific task delegation record |
Delete task assignment record "xyz789" |
Permanently removes a task delegation record |
Get specifics for operational task ID "40a9dc46-d401-4bd1-82d3-ca9cf97c9024" |
Displays detailed information about a specific task, including its operational scope |
Halt execution of task ID "abc123" |
Cancels a currently active task identified by its ID |
Permanently erase task ID "abc123" |
Deletes a specific task record from the system |
Instantiate a new threat detection rule titled "My Rule" |
Creates a new rule in the threat detection framework |
List all threat analysis tags |
You can interact with threat rules and their linked classification tags |
Instantiate a new threat classification tag named "My Tag" |
Creates a new descriptive label for threat findings |
Update threat detection rule identified by ID "abc123" |
Modifies an existing threat detection rule |
Remove threat detection rule with ID "abc123" |
Permanently deletes a specific threat detection rule |
Fetch details for threat detection rule ID "abc123" |
Retrieves the complete definition of a specific threat rule |
Verify syntax of a proposed threat rule |
Validates the structure of a rule definition without deployment |
Assign threat analysis task to endpoints with IDs ["id1", "id2"] |
Dispatches a threat analysis operation to endpoints based on filter matching |
Append note to case ID "C-2022-0002" |
Adds a new commentary entry to a specified case file |
Modify note ID "8d9baa16-9aa3-4e4f-a08e-a74341ce2f90" within case "C-2022-0002" |
Updates the content of an existing case annotation |
Delete note ID "8d9baa16-9aa3-4e4f-a08e-a74341ce2f90" from case "C-2022-0002" |
Removes a specific annotation record from a case file |
Initiate export of all case data |
Triggers a bulk export of all existing case records |
Export annotations for case ID "case123" |
Triggers an export of all commentary records specific to one case |
Export endpoint roster for case ID "case123" |
Triggers an export of all endpoints associated with one case |
Export event chronology for case ID "case123" |
Triggers an export of the activity timeline for one case |
Establish a new case file named "Incident Response" |
Creates a new case file in the system |
Update case ID "C-2022-0003" to be titled "Updated Case" |
Modifies the name attribute of an existing case record |
Retrieve full record for case ID "C-2022-0003" |
Fetches the complete details for a specific case file |
Finalize case with ID "C-2022-0003" |
Marks a specific case file as closed/complete |
Re-activate case with ID "C-2022-0003" |
Reopens a case file that was previously closed |
Archive case with ID "C-2022-0003" |
Moves a specific case file to long-term storage |
Transfer ownership of case ID "C-2022-0003" to user ID "user123" |
Changes the designated case owner |
Verify availability of case name "Incident 2023-05" |
Checks if a proposed case title is already utilized |
Get activity history for case ID "C-2022-0003" |
Displays the chronological event log for a specific case |
List all endpoints linked to case ID "C-2022-0001" |
Retrieves the complete roster of endpoints attached to a case |
List all operations assigned to case ID "C-2022-0001" |
Displays the full set of tasks associated with the specified case |
List all personnel linked to case ID "C-2022-0001" |
Retrieves all users associated with a specific case |
Remove endpoints from case ID "C-2022-0001" |
Disassociates endpoints from a case based on provided selection criteria |
Remove task assignment ID "f04666c9-62c7-4cb0-8638-967f05eb7936" from case "C-2022-0001" |
Unlinks a specific task assignment from a case record |
Ingest task assignments into case ID "C-2022-0001" |
Loads predefined task assignments into a specific case |
List all configured evidence repositories |
Lists every evidence deposition site in the organization |
Define a new SMB repository named "My SMB Repository" |
Creates a new evidence deposition point using SMB protocol |
Modify SMB repository with ID "abc123" |
Updates the configuration settings for an existing SMB deposition point |
Define a new SFTP repository named "My SFTP Repository" |
Creates a new evidence deposition point using SFTP protocol |
Modify SFTP repository with ID "abc123" |
Updates the configuration settings for an existing SFTP deposition point |
Validate FTPS repository settings |
Tests if a FTPS repository configuration is valid without creation |
Define a new Azure Storage repository named "My Azure Storage Repository" |
Creates a new evidence deposition point leveraging Azure Storage |
Modify Azure Storage repository with ID "abc123" |
Updates the configuration settings for an existing Azure Storage deposition point |
Validate Azure Storage repository access via SAS URL |
Checks if the provided SAS URL permits access to the Azure Storage resource |
Establish a new Amazon S3 repository |
Sets up a new S3 bucket as an evidence deposition point |
Modify Amazon S3 repository with ID "abc123" |
Updates the configuration settings for an existing S3 deposition point |
Validate Amazon S3 repository credentials and connection |
Checks if S3 access parameters are functional |
Fetch details for deposition point ID "abc123" |
Displays comprehensive information about a specific evidence repository |
Delete deposition point with ID "abc123" |
Permanently removes a specific evidence repository |
Download PPC artifact for endpoint "ep-1" and operation "task-1" |
Retrieves the PPC file corresponding to a specific endpoint and task |
Download operational report for endpoint "123" and task "456" |
Downloads the standard output report for a specified operation |
Get metadata for PPC file associated with endpoint "123" and task "456" |
Retrieves information about a specific artifact file for an operation |
List users linked to organization ID "2" |
Displays all personnel assigned to the specified organization |
Assign users with IDs ["user1", "user2"] to organization "123" |
Links specified users to the target organization |
Remove user with ID "user1" from organization "123" |
Detaches a user from the specified organization |
Instantiate organization named "My Organization" with contact info |
Creates a new organizational entity with specified details |
Modify organization details with ID "123" |
Updates an existing organization's configuration |
Fetch details for organization ID 2 |
Displays comprehensive information about a specific organization |
Check if organization name "My Organization" is available |
Checks if an organization name is currently unique |
Retrieve shareable deployment info using token "token123" |
Accesses deployment instance details via a deployment token |
Enable/Update shareable deployment for organization ID "123" |
Modifies the sharing configuration status for an organization |
Refresh deployment token for organization ID 2 |
Generates a new deployment token for a specific organization |
Dissolve organization with ID "123" |
Permanently removes an organization entity |
Apply tags to organization ID "123" |
Adds descriptive labels to an organizational unit |
Strip tags ["tag1", "tag2" ] from organization ID "123" |
Removes specified labels from an organization |
Trigger webhook with slug "air-generic-url-webhook" and payload "192.168.1.100" using token "token123" |
Executes an external service hook with defined parameters |
Post data to webhook slug "air-generic-url-webhook" |
Sends a POST request with provided data to a webhook endpoint |
Get all delegation records for task ID "task123" |
Retrieves all assignment records tied to a specific task identifier |
Modify system notification banner settings |
Updates the global informational message displayed to users |
