Binalyze AIR MCP Server

A Node.js server implementing Model Context Protocol (MCP) for Binalyze AIR, enabling natural language interaction with AIR's digital forensics and incident response capabilities.

✨ Features

• Asset Management - List assets in your organization.
• Asset Details - Get detailed information about a specific asset by its ID.
• Asset Tasks - Get all tasks associated with a specific asset by its ID.
• Acquisition Profiles - List acquisition profiles.
• Acquisition Tasks - Assign evidence acquisition tasks to endpoints.
• Image Acquisition Tasks - Assign disk image acquisition tasks to endpoints.
• Baseline Acquisition - Acquire baseline data from specific endpoints to establish a reference point.
• Compare Baseline - Compare multiple baseline acquisition tasks for a specific endpoint to identify changes.
• Get Comparison Report - Retrieve comparison result report for a specific endpoint and task.
• Create Acquisition Profiles - Create new acquisition profiles with specific evidence/artifact/network settings.
• Acquisition Artifacts - List available artifacts for evidence collection.
• Acquisition Evidences - List available evidence items for forensic data collection.
• Reboot Tasks - Assign reboot tasks to specific endpoints.
• Shutdown Tasks - Assign shutdown tasks to specific endpoints.
• Isolation Tasks - Isolate or unisolate specific endpoints.
• Log Retrieval Tasks - Retrieve logs from specific endpoints.
• Version Update Tasks - Assign version update tasks to specific endpoints.
• Organization Management - List organizations.
• Case Management - List cases in your organization.
• Policy Management - See security policies across your organization.
• Task Management - Track forensic collection tasks and their statuses.
• Triage Rules - View YARA, Osquery and Sigma rules for threat detection.
• User Management - List users in your organization.
• User Details - Get detailed information about a specific user by their ID.
• Drone Analyzers - View available drone analyzers with supported operating systems.
• Audit Log Export - Initiate an export of audit logs.
• List Audit Logs - View audit logs from the system.
• Uninstall Assets - Uninstall specific assets based on filters without purging data.
• Purge and Uninstall Assets - Purge data and uninstall specific assets based on filters.
• Add Tags to Assets - Add tags to specific assets based on filters.
• Remove Tags from Assets - Remove tags from specific assets based on filters.
• Auto Asset Tagging - Create and update rules to automatically tag assets based on specific conditions.
• List Auto Asset Tags - List all existing auto asset tag rules.
• Get Auto Asset Tag Details - Get detailed information about a specific auto asset tag rule by its ID.
• Delete Auto Asset Tag - Delete a specific auto asset tag rule by its ID.
• Start Auto Tagging - Initiate the auto tagging process for assets that match specific filter criteria.
• E-Discovery Patterns - List available e-discovery patterns for detecting different file types.
• Policy Management - List, create, update, and delete policies in your organization.
• Policy Match Statistics - See which policies apply to your assets based on various criteria.
• Task Assignment Management - View and manage task assignments.
• Triage Rules Management - List, create, update, and delete triage rules for threat detection.
• Triage Tags Management - List and create triage tags for threat detection.
• Validate Triage Rule - Validate a triage rule syntax without creating it.
• Assign Triage Task - Assign a triage task to endpoints based on filter criteria.
• Add Note to Case - Add a note to a specific case by its ID.
• Update Note in Case - Update an existing note in a specific case.
• Delete Note from Case - Delete a note from a case by its ID.
• Export Cases - Export cases data from the system.
• Export Case Notes - Export notes for a specific case by its ID.
• Export Case Endpoints - Export endpoints for a specific case by its ID.
• Export Case Activities - Export activities for a specific case by its ID.
• Create Case - Create a new case in the system.
• Update Case - Update an existing case by ID.
• Get Case by ID - Get detailed information about a specific case by its ID.
• Close Case by ID - Close a specific case by its ID.
• Open Case by ID - Open a specific case by its ID.
• Archive Case by ID - Archive a specific case by its ID.
• Check Case Name - Check if a case name is already in use.
• Get Case Activities - Get activity history for a specific case by its ID.
• Get Case Endpoints - Get all endpoints associated with a specific case by its ID.
• Get Case Tasks by ID - Get all tasks associated with a specific case by its ID.
• Get Case Users - Get all users associated with a specific case by its ID.
• Remove Endpoints from Case - Remove endpoints from a case based on specified filters.
• Remove Task Assignment from Case - Remove a specific task assignment from a case.
• Import Task Assignments to Case - Import task assignments to a specific case.
• List Repositories - List all evidence repositories in the organization.
• Create SMB Repository - Create a new SMB evidence repository.
• Update SMB Repository - Update an existing SMB evidence repository.
• Create SFTP Repository - Create a new SFTP evidence repository.
• Update SFTP Repository - Update an existing SFTP evidence repository.
• Create FTPS Repository - Create a new FTPS evidence repository.
• Update FTPS Repository - Update an existing FTPS evidence repository.
• Validate FTPS Repository - Validate FTPS repository configuration without creating it.
• Create Azure Storage Repository - Create a new Azure Storage evidence repository.
• Update Azure Storage Repository - Update an existing Azure Storage evidence repository.
• Validate Azure Storage Repository - Validate Azure Storage repository configuration without creating it.
• Create Amazon S3 Repository - Create a new Amazon S3 evidence repository.
• Update Amazon S3 Repository - Update an existing Amazon S3 evidence repository.
• Validate Amazon S3 Repository - Validate Amazon S3 repository configuration without creating it.
• Get Repository by ID - Get detailed information about a specific evidence repository by its ID.
• Delete Repository - Delete an evidence repository by its ID.
• Download Case PPC - Download a PPC file for a specific endpoint and task.
• Download Task Report - Download a task report for a specific endpoint and task.
• Get Report File Info - Get information about a PPC file for a specific endpoint and task.
• Get Organization Users - Get users for a specific organization by its ID.
• Assign Users to Organization - Assign users to a specific organization.
• Remove User from Organization - Remove a user from a specific organization.
• Create Organization - Create a new organization.
• Update Organization - Update an existing organization.
• Get Organization by ID - Get detailed information about a specific organization by its ID.
• Check Organization Name Exists - Check if an organization name already exists in the system.
• Get Shareable Deployment Info - Get information about a shareable deployment using a deployment token.
• Update Organization Shareable Deployment - Update an organization's shareable deployment settings.
• Update Organization Deployment Token - Update the deployment token for a specific organization.
• Delete Organization - Delete an organization by its ID.
• Add Tags to Organization - Add tags to an organization.
• Delete Tags from Organization - Delete tags from an organization.
• Call Webhook - Call a webhook with the specified parameters.
• Post Webhook - Post data to a webhook.
• Get Task Assignments - Get all assignments for a specific task by its ID.
• Update Banner Message - Update the system banner message settings.

Overview

This MCP server creates a bridge between Large Language Models (LLMs) and Binalyze AIR, allowing interaction through natural language. Retrieve information about your digital forensics environment without writing code or learning complex APIs.

🔑 API Token Requirement

Important: An API token is required for authentication. Set it using the AIR_API_TOKEN environment variable.

📦 Installation

Local Development

# Clone the repository
git clone https://github.com/binalyze/air-mcp

# Change to the project directory
cd air-mcp

# Install dependencies
npm install

# Build the project
npm run build

Usage with Claude Desktop

Add the following configuration to your Claude Desktop config file:

{
  "mcpServers": {
    "air-mcp": {
      "command": "npx",
      "args": ["-y", "@binalyze/air-mcp"],
      "env": {
        "AIR_HOST": "your-api-host.com",
        "AIR_API_TOKEN": "your-api-token"
      }
    }
  }
}

Usage with Cursor

1. Navigate to Cursor Settings > MCP

2. Add new MCP server with the following configuration:

{
     "mcpServers": {
       "air-mcp": {
         "command": "npx",
         "args": ["-y", "@binalyze/air-mcp"],
         "env": {
           "AIR_HOST": "your-api-host.com",
           "AIR_API_TOKEN": "your-api-token"
         }
       }
     }
   }

🧩 Usage with Smithery

Note: Don't forget to activate Agent mode in your editor.

One-Line Installation Commands

Claude

npx -y @smithery/cli@latest install @binalyze/air-mcp --client claude --key {smithery_key}

Cursor

npx -y @smithery/cli@latest install @binalyze/air-mcp --client cursor --key {smithery_key}

Windsurf

npx -y @smithery/cli@latest install@rapidappio/rapidapp-mcp --client windsurf --key {smithery_key}

VSCode

npx -y @smithery/cli@latest install @binalyze/air-mcp --client vscode --key {smithery_key}

Or use the Magic Link option in VSCode.

How to Use

In Claude Desktop, or any MCP Client, you can use natural language commands: