logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

binalyze-air-mcp-gateway

Facilitate conversational interfacing with Binalyze AIR platforms for comprehensive management of organizational structures, digital evidence acquisition blueprints, and managed endpoints. Access and retrieve AIR intelligence using any standard MCP client, leveraging advanced contextual processing capabilities.

Author

binalyze-air-mcp-gateway logo

binalyze

MIT License

Quick Info

GitHub GitHub Stars 7
NPM Weekly Downloads 5946
Tools 1
Last Updated 2026-02-19

Tags

binalyzetoolsaibinalyze airtools binalyzeinteraction binalyze

Binalyze AIR MCP Connector Service

smithery badge Runtime Environment Protocol Standard License: MIT

Binalyze AIR Server MCP server

This Node.js service implements the Model Context Protocol (MCP), creating a robust link to Binalyze AIR's digital investigation and incident response functionalities. It allows users to query and manage forensic operations using plain language.

✨ Core Capabilities

  • Endpoint Registry Oversight - Enumerate all connected endpoints within your environment.
  • Endpoint Specifics - Fetch comprehensive data regarding a singular endpoint via its identifier.
  • Endpoint Activity Log - Retrieve the complete queue of operations pending or executed for a given endpoint.
  • Collection Blueprint Catalog - List all defined evidence acquisition schematics.
  • Execution Blueprint Tasking - Schedule evidence gathering operations on remote devices.
  • Forensic Image Dispatch - Initiate full disk imaging tasks for target workstations.
  • Reference Data Acquisition - Gather standardized baseline data from systems to establish normative states.
  • Baseline Divergence Analysis - Compare multiple historical baseline collections for one endpoint to spot variances.
  • Comparison Artifact Retrieval - Obtain the formal report detailing baseline divergence analysis results.
  • Blueprint Definition Creation - Formulate new acquisition schematics specifying evidence types, artifacts, and network parameters.
  • Evidence Component Index - List all potential forensic evidence components available for collection.
  • Data Item Index - List all available core forensic data items that can be gathered.
  • System Reboot Directives - Command remote endpoints to cycle power.
  • System Shutdown Directives - Command remote endpoints to power off.
  • Endpoint Containment Control - Toggle the network isolation status of specific endpoints.
  • System Log Fetch - Request diagnostic logs from targeted endpoints.
  • Software Revision Update - Deploy tasks to refresh endpoint agent versions.
  • Organizational Structure Listing - View all registered client organizations.
  • Case File Index - List active case files associated with the current organizational unit.
  • Security Posture Review - Inspect defined security and compliance mandates across the organization.
  • Operational Task Status - Monitor the lifecycle and progress of all forensic collection jobs.
  • Threat Intelligence Ruleset - Inspect YARA, Osquery, and Sigma rules deployed for threat detection.
  • Personnel Registry - List all authorized personnel within the operational environment.
  • Personnel Profile Retrieval - Obtain detailed attributes for a specific user by their ID.
  • Drone Analyzer Inventory - View available analysis modules and their supported operating systems.
  • System Activity Export - Trigger a background job to export comprehensive audit records.
  • System Activity Log Review - Display historical audit trails of system operations.
  • Endpoint Decommissioning (Soft) - Remove specific assets from management without deleting retained data.
  • Endpoint Decommissioning (Hard) - Erase all associated data and uninstall the agent from targeted assets.
  • Asset Metadata Tagging (Addition) - Apply descriptive labels to assets based on defined criteria.
  • Asset Metadata Tagging (Removal) - Strip descriptive labels from targeted assets.
  • Automated Asset Labeling Rules - Define and manage logic for automatic asset classification based on attributes.
  • Automated Asset Labeling Rule Inventory - List all configured automated tagging policies.
  • Automated Asset Labeling Rule Inspection - Retrieve specifics for an individual automated tagging policy by its UUID.
  • Automated Asset Labeling Policy Deletion - Erase a specified automated tagging rule.
  • Initiate Automated Tagging Sweep - Manually trigger the evaluation of assets against active auto-tagging rules.
  • eDiscovery Pattern Catalog - List predefined patterns used for specific file type identification.
  • Policy Lifecycle Management - Create, modify, query, and eliminate organizational compliance policies.
  • Policy Applicability Metrics - View summary statistics showing policy enforcement across assets.
  • Task Assignment Oversight - Review and manage the delegation of operations to endpoints.
  • Threat Rule Lifecycle Management - Create, modify, query, and remove threat detection rulesets.
  • Threat Tagging Administration - Manage and create descriptive labels associated with threat findings.
  • Rule Syntax Verification - Validate the structural integrity of a threat detection rule without committing it.
  • Threat Analysis Task Dispatch - Assign targeted threat analysis operations to endpoints based on filtering rules.
  • Case Annotation Addition - Append a new commentary entry to a specific case file.
  • Case Annotation Modification - Update the content of an existing case commentary record.
  • Case Annotation Deletion - Remove a specific commentary record from a case file.
  • Case Data Export - Initiate the extraction of all case-related data.
  • Case Commentary Export - Extract all annotations associated with a targeted case.
  • Case Endpoint Roster Export - Extract the list of endpoints related to a specific case.
  • Case Chronology Export - Extract the event timeline associated with a specific case.
  • Case Creation - Establish a new investigation file within the system.
  • Case Record Update - Modify attributes of an existing case record identified by its unique ID.
  • Case Retrieval by Identifier - Fetch complete details for a specific case file.
  • Case Finalization (Closure) - Mark a specified case file as resolved/closed.
  • Case Reopening - Re-activate a previously closed case file.
  • Case Archival - Move a case file to long-term, inactive storage.
  • Case Name Uniqueness Check - Verify if a proposed case title is already in use.
  • Case Activity Stream Retrieval - Obtain the detailed event history for a specific case.
  • Case Associated Endpoint Listing - Get the full roster of endpoints linked to a case.
  • Case Associated Task Retrieval - Obtain the complete list of assigned operations for a case.
  • Case Associated Personnel Retrieval - Get the list of users linked to a specific case.
  • Case Endpoint Disassociation - Remove endpoints from a case based on defined criteria.
  • Case Task Assignment Revocation - Unlink a specific task assignment from a case record.
  • Case Task Assignment Ingestion - Load predefined task assignments into a case file.
  • Evidence Storage Location Index - List all configured evidence deposition sites within the environment.
  • SMB Deposition Point Setup - Create a new evidence repository using Server Message Block protocol.
  • SMB Deposition Point Configuration Update - Modify parameters for an existing SMB repository.
  • SFTP Deposition Point Setup - Create a new evidence repository utilizing Secure File Transfer Protocol.
  • SFTP Deposition Point Configuration Update - Modify parameters for an existing SFTP repository.
  • FTPS Deposition Point Setup - Create a new evidence repository using File Transfer Protocol Secure.
  • FTPS Deposition Point Configuration Update - Modify parameters for an existing FTPS repository.
  • FTPS Configuration Verification - Validate FTPS repository settings without materializing the repository.
  • Azure Storage Deposition Point Setup - Create a new evidence repository leveraging Azure Storage services.
  • Azure Storage Deposition Point Configuration Update - Modify parameters for an existing Azure Storage repository.
  • Azure Storage Configuration Verification - Validate Azure Storage connection parameters.
  • Amazon S3 Deposition Point Setup - Create a new evidence repository using Amazon Simple Storage Service.
  • Amazon S3 Deposition Point Configuration Update - Modify parameters for an existing S3 repository.
  • Amazon S3 Configuration Verification - Validate Amazon S3 repository connectivity and credentials.
  • Deposition Point Inspection - Fetch comprehensive details for a specific evidence repository.
  • Deposition Point Removal - Permanently delete an evidence repository.
  • Endpoint PPC Artifact Download - Retrieve the Portable Property Container file for a specific endpoint and task ID.
  • Operational Task Artifact Download - Retrieve the standard report output generated by a specified task on an endpoint.
  • Artifact File Metadata Fetch - Get metadata related to an endpoint's PPC file for a specific operation.
  • Organization Personnel Index - Retrieve users mapped to a particular organizational entity by its ID.
  • Organization Personnel Assignment - Link specified users to a target organization.
  • Organization Personnel Removal - Detach a user from a specified organization.
  • Organization Instantiation - Establish a new organizational entity within the platform.
  • Organization Record Modification - Update details for an existing organization.
  • Organization Profile Retrieval - Fetch detailed information for an organization by its unique identifier.
  • Organization Name Availability Check - Determine if a chosen organization name is currently unique.
  • Shareable Deployment Information Retrieval - Access details about a deployment instance accessible via a deployment token.
  • Organization Shareable Deployment Configuration Update - Modify the sharing settings associated with an organization.
  • Organization Access Token Refresh - Generate a new deployment token for a specific organization.
  • Organization Dissolution - Permanently remove an organization entity.
  • Organization Tagging (Addition) - Apply descriptive labels to an organizational unit.
  • Organization Tagging (Deletion) - Remove specified labels from an organization.
  • External Service Hook Invocation - Execute a predefined webhook with specified payload details.
  • External Service Hook Data Transmission - Send structured data via an HTTP POST request to a registered webhook endpoint.
  • Task Assignment Enumeration - Retrieve all recorded instances of task delegation for a given task identifier.
  • System Notification Banner Update - Modify the global, persistent message displayed across the user interface.

Overview

This MCP conduit establishes a communication layer between Large Language Models (LLMs) and the Binalyze AIR suite, enabling intuitive, language-based command execution. Gain mastery over your digital forensics landscape without requiring direct API programming.

🔑 Authentication Prerequisite

Crucial: Successful operation necessitates an active API credential. Configure this via the AIR_API_TOKEN environment variable.

📦 Deployment Instructions

Local Environment Setup

bash

Obtain the source repository

git clone https://github.com/binalyze/air-mcp

Enter the project directory

cd air-mcp

Install required dependencies

npm install

Compile source files

npm run build

Configuration for Claude Desktop

In your Claude Desktop configuration file, integrate the service as follows:

{ "mcpServers": { "air-mcp": { "command": "npx", "args": ["-y", "@binalyze/air-mcp"], "env": { "AIR_HOST": "your-api-host.com", "AIR_API_TOKEN": "your-api-token" } } } }

Configuration for Cursor IDE

  1. Access Cursor Settings -> MCP section.
  2. Add a new MCP service entry using this structure:

{ "mcpServers": { "air-mcp": { "command": "npx", "args": ["-y", "@binalyze/air-mcp"], "env": { "AIR_HOST": "your-api-host.com", "AIR_API_TOKEN": "your-api-token" } } } }

🧩 Integration via Smithery Framework

Reminder: Ensure Agent mode is active within your Smithery-compatible editor environment.

Rapid Installation Commands

Claude Integration

bash npx -y @smithery/cli@latest install @binalyze/air-mcp --client claude --key {smithery_key}

Cursor Integration

bash npx -y @smithery/cli@latest install @binalyze/air-mcp --client cursor --key {smithery_key}

Windsurf Integration

bash npx -y @smithery/cli@latest install@rapidappio/rapidapp-mcp --client windsurf --key {smithery_key}

VSCode Integration

bash npx -y @smithery/cli@latest install @binalyze/air-mcp --client vscode --key {smithery_key}

Alternatively, leverage the one-click Magic Link option available within VSCode.

How to Execute Commands

Within Claude Desktop or any supporting MCP client, utilize natural language directives:

Directive Example Functionality Description
Enumerate all endpoints in the ecosystem Displays all managed/unmanaged devices including OS and platform metadata
Provide specifics for endpoint identified as "abc123" Shows detailed attribute data for a singular asset
Fetch all pending operations for endpoint "abc123" Shows the complete task queue tied to a specific endpoint
List all configured collection blueprints Displays available evidence acquisition schematics
Retrieve details for acquisition blueprint by its ID Shows granular information about a chosen blueprint, including evidence targets and artifacts
Index all available acquisition artifacts Shows every artifact component cataloged for evidence gathering
Index all available forensic data items Shows every core data item available for forensic extraction
Schedule an evidence collection job on endpoint 123abc using blueprint "full" tied to case "C-2022-0001" Schedules an evidence acquisition operation on specified endpoints
Dispatch a disk image acquisition on endpoint 123abc for partition /dev/sda1, saving output to repository 456def Schedules a full disk image capture on a target system, directing output to a specified storage location
Formulate a new blueprint named "My Custom Profile" specifying windows evidence types ["clp"] and linux artifacts ["apcl"] Creates a novel acquisition blueprint with custom settings
Issue a system reboot command for endpoint 123abc Assigns a reboot directive to a specific remote device
Issue a system power-off command for endpoint 123abc Assigns a shutdown directive to a specific remote device
Initiate containment sequence for endpoint 123abc Assigns an isolation directive to a specific remote device
Terminate containment sequence for endpoint 123abc Removes network isolation from a specific remote device
Request system logs retrieval from endpoint 123abc Assigns a diagnostic log capture task to a specific remote device
Schedule agent version update for endpoint 123abc Assigns a task to upgrade the endpoint agent software
List every organization entity Shows all organizations registered in the environment
List all active case files Displays case files along with their resolution status and creation timestamps
Review current security compliance mandates Shows defined security policies and data collection mandates
List status for all operational tasks Lists all queued and executing forensic jobs
Show all deployed threat detection rules (YARA, OSQuery, Sigma) Lists all rulesets configured for threat identification
List all registered personnel Shows all users in the system with their associated attributes
Get profile data for user ID Retrieves the attributes of a specific user by their ID
List all available drone analysis modules Shows drone analyzers and supported operating system compatibility
Trigger audit log export sequence Initiates the background export of the entire system audit trail.
Display system audit records Shows historical logs detailing user actions, timestamps, and affected entities
Uninstall asset matching ID "endpoint-id" Removes the agent from the specified asset without data erasure (requires filter context)
Erase data and uninstall asset matching ID "endpoint-id" Completely removes the asset and purges its data (requires filter context)
Apply tags ["tag1", "tag2"] to asset matching ID "endpoint-id" Attaches specified descriptive labels to targeted assets (requires filter and tag context)
Strip tags ["tag1"] from asset matching ID "endpoint-id" Removes specified descriptive labels from targeted assets (requires filter and tag context)
Define a new automated asset tag titled "Web Server" Creates a novel rule for conditional, automatic asset labeling.
Modify automated tag "fkkEPhpqMNqJeHfi4RyxiWEm" to be named "Updated Container" with condition: linux process "containerd" is active Updates an existing automated tag policy with new rules.
List every automated asset tagging policy Lists all current rules governing automatic asset classification.
Inspect details for automated tag ID "f6kEPhpqMNqJeHfi4RyxiWEm" Shows the full configuration of a specific automated tagging rule.
Remove automated tag policy with ID "f6kEPhpqMNqJeHfi4RyxiWEm" Deletes a specific automated tagging rule.
Execute automated tagging sweep for all assets matching Windows criteria Manually runs the classification process based on predefined filters.
Index all e-discovery file signature patterns Shows all available patterns used for specific file type identification
Establish a new policy named "Production Policy" with optimized storage configuration Creates a novel compliance policy with tailored settings
Modify policy associated with ID "abc123" Updates an existing compliance policy with revised settings
Fetch policy details for identifier "System" Displays granular configuration data for a specific policy
Reorder policy application sequence to ["policy1", "policy2", "policy3"] Updates the priority order in which policies are evaluated
Visualize policy match statistics across the fleet Shows a summary of which policies apply to which endpoints
Show policy enforcement metrics for Linux endpoints Displays policy matching statistics filtered by operating system
Show policy adherence statistics for isolated assets Shows policy matches specifically for endpoints currently in quarantine
Retire policy with ID "abc123" Permanently deletes a policy from the configuration
Retrieve all task assignments linked to task ID "def456" Shows all delegation records for a specific operation
Revoke task assignment identified as "xyz789" Cancels a specific task delegation record
Delete task assignment record "xyz789" Permanently removes a task delegation record
Get specifics for operational task ID "40a9dc46-d401-4bd1-82d3-ca9cf97c9024" Displays detailed information about a specific task, including its operational scope
Halt execution of task ID "abc123" Cancels a currently active task identified by its ID
Permanently erase task ID "abc123" Deletes a specific task record from the system
Instantiate a new threat detection rule titled "My Rule" Creates a new rule in the threat detection framework
List all threat analysis tags You can interact with threat rules and their linked classification tags
Instantiate a new threat classification tag named "My Tag" Creates a new descriptive label for threat findings
Update threat detection rule identified by ID "abc123" Modifies an existing threat detection rule
Remove threat detection rule with ID "abc123" Permanently deletes a specific threat detection rule
Fetch details for threat detection rule ID "abc123" Retrieves the complete definition of a specific threat rule
Verify syntax of a proposed threat rule Validates the structure of a rule definition without deployment
Assign threat analysis task to endpoints with IDs ["id1", "id2"] Dispatches a threat analysis operation to endpoints based on filter matching
Append note to case ID "C-2022-0002" Adds a new commentary entry to a specified case file
Modify note ID "8d9baa16-9aa3-4e4f-a08e-a74341ce2f90" within case "C-2022-0002" Updates the content of an existing case annotation
Delete note ID "8d9baa16-9aa3-4e4f-a08e-a74341ce2f90" from case "C-2022-0002" Removes a specific annotation record from a case file
Initiate export of all case data Triggers a bulk export of all existing case records
Export annotations for case ID "case123" Triggers an export of all commentary records specific to one case
Export endpoint roster for case ID "case123" Triggers an export of all endpoints associated with one case
Export event chronology for case ID "case123" Triggers an export of the activity timeline for one case
Establish a new case file named "Incident Response" Creates a new case file in the system
Update case ID "C-2022-0003" to be titled "Updated Case" Modifies the name attribute of an existing case record
Retrieve full record for case ID "C-2022-0003" Fetches the complete details for a specific case file
Finalize case with ID "C-2022-0003" Marks a specific case file as closed/complete
Re-activate case with ID "C-2022-0003" Reopens a case file that was previously closed
Archive case with ID "C-2022-0003" Moves a specific case file to long-term storage
Transfer ownership of case ID "C-2022-0003" to user ID "user123" Changes the designated case owner
Verify availability of case name "Incident 2023-05" Checks if a proposed case title is already utilized
Get activity history for case ID "C-2022-0003" Displays the chronological event log for a specific case
List all endpoints linked to case ID "C-2022-0001" Retrieves the complete roster of endpoints attached to a case
List all operations assigned to case ID "C-2022-0001" Displays the full set of tasks associated with the specified case
List all personnel linked to case ID "C-2022-0001" Retrieves all users associated with a specific case
Remove endpoints from case ID "C-2022-0001" Disassociates endpoints from a case based on provided selection criteria
Remove task assignment ID "f04666c9-62c7-4cb0-8638-967f05eb7936" from case "C-2022-0001" Unlinks a specific task assignment from a case record
Ingest task assignments into case ID "C-2022-0001" Loads predefined task assignments into a specific case
List all configured evidence repositories Lists every evidence deposition site in the organization
Define a new SMB repository named "My SMB Repository" Creates a new evidence deposition point using SMB protocol
Modify SMB repository with ID "abc123" Updates the configuration settings for an existing SMB deposition point
Define a new SFTP repository named "My SFTP Repository" Creates a new evidence deposition point using SFTP protocol
Modify SFTP repository with ID "abc123" Updates the configuration settings for an existing SFTP deposition point
Validate FTPS repository settings Tests if a FTPS repository configuration is valid without creation
Define a new Azure Storage repository named "My Azure Storage Repository" Creates a new evidence deposition point leveraging Azure Storage
Modify Azure Storage repository with ID "abc123" Updates the configuration settings for an existing Azure Storage deposition point
Validate Azure Storage repository access via SAS URL Checks if the provided SAS URL permits access to the Azure Storage resource
Establish a new Amazon S3 repository Sets up a new S3 bucket as an evidence deposition point
Modify Amazon S3 repository with ID "abc123" Updates the configuration settings for an existing S3 deposition point
Validate Amazon S3 repository credentials and connection Checks if S3 access parameters are functional
Fetch details for deposition point ID "abc123" Displays comprehensive information about a specific evidence repository
Delete deposition point with ID "abc123" Permanently removes a specific evidence repository
Download PPC artifact for endpoint "ep-1" and operation "task-1" Retrieves the PPC file corresponding to a specific endpoint and task
Download operational report for endpoint "123" and task "456" Downloads the standard output report for a specified operation
Get metadata for PPC file associated with endpoint "123" and task "456" Retrieves information about a specific artifact file for an operation
List users linked to organization ID "2" Displays all personnel assigned to the specified organization
Assign users with IDs ["user1", "user2"] to organization "123" Links specified users to the target organization
Remove user with ID "user1" from organization "123" Detaches a user from the specified organization
Instantiate organization named "My Organization" with contact info Creates a new organizational entity with specified details
Modify organization details with ID "123" Updates an existing organization's configuration
Fetch details for organization ID 2 Displays comprehensive information about a specific organization
Check if organization name "My Organization" is available Checks if an organization name is currently unique
Retrieve shareable deployment info using token "token123" Accesses deployment instance details via a deployment token
Enable/Update shareable deployment for organization ID "123" Modifies the sharing configuration status for an organization
Refresh deployment token for organization ID 2 Generates a new deployment token for a specific organization
Dissolve organization with ID "123" Permanently removes an organization entity
Apply tags to organization ID "123" Adds descriptive labels to an organizational unit
Strip tags ["tag1", "tag2" ] from organization ID "123" Removes specified labels from an organization
Trigger webhook with slug "air-generic-url-webhook" and payload "192.168.1.100" using token "token123" Executes an external service hook with defined parameters
Post data to webhook slug "air-generic-url-webhook" Sends a POST request with provided data to a webhook endpoint
Get all delegation records for task ID "task123" Retrieves all assignment records tied to a specific task identifier
Modify system notification banner settings Updates the global informational message displayed to users

See Also

`