MCP Server
Updated on 23 Sep 2025
Overview

The Model Context Protocol (MCP) is a standardized protocol used by AI agents to access and leverage external tools and resources.

Note that MCP itself is still experimental and cutting edge.

LimaCharlie offers an MCP server at https://mcp.limacharlie.io which enables AI agents to:

- Query and analyze historical telemetry from any sensor
- Actively investigate endpoints using the LimaCharlie Agent (EDR) in real time
- Take remediation actions like isolating endpoints, killing processes, and managing tags
- Generate content using AI-powered tools for LCQL queries, D&R rules, playbooks, and detection summaries
- Manage platform configuration including rules, outputs, adapters, secrets, and more
- Access threat intelligence through IOC searches and MITRE ATT&CK mappings

This opens up the entire LimaCharlie platform to AI agents, regardless of their implementation or location.
Transport Modes

The server supports two transport modes, selected by the PUBLIC_MODE environment variable:

STDIO Mode (PUBLIC_MODE=false, default)

Used for local MCP clients like Claude Desktop or Claude Code:

- Communication through stdin/stdout using JSON-RPC
- Uses the LimaCharlie SDK's default authentication
- Reads credentials from environment variables or config files

HTTP Mode (PUBLIC_MODE=true)

Used when deploying as a public service:

- Server runs as a stateless HTTP API with JSON responses
- Authentication via HTTP headers
- Supports multiple organizations concurrently

Run with:

```
uvicorn server:app
```
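To make the STDIO transport concrete, here is an added example (not code from the LimaCharlie MCP server or its SDK) of the client side of that exchange: JSON-RPC 2.0 messages, one per line, written to the server's stdin and read back from its stdout. The `initialize` / `notifications/initialized` / `tools/list` sequence follows the MCP handshake; the protocol version string, the client name and the server path in `list_server_tools` are assumptions, and `demo()` replays a constructed server transcript (with tool names taken from the capability list on this page) so the exchange runs offline.

```python
import io
import json
import subprocess
from typing import Optional, TextIO

# Assumption: the MCP protocol revision this example client requests.
PROTOCOL_VERSION = "2025-06-18"


def encode(msg: dict) -> str:
    """Frame one JSON-RPC message for the stdio transport: a single line of JSON."""
    return json.dumps(msg, separators=(",", ":")) + "\n"


def request(req_id: int, method: str, params: Optional[dict] = None) -> dict:
    msg = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def read_response(stream: TextIO, expected_id: int) -> dict:
    """Read lines until the response carrying `expected_id` arrives.

    Notifications (no "id") and responses to other ids are skipped; a JSON-RPC
    error object is raised instead of being returned as data.
    """
    for line in stream:
        line = line.strip()
        if not line:
            continue
        msg = json.loads(line)
        if msg.get("id") != expected_id:
            continue
        if "error" in msg:
            raise RuntimeError(f"JSON-RPC error: {msg['error']}")
        return msg["result"]
    raise EOFError(f"server closed its stream before answering id {expected_id}")


def run_stdio_session(to_server: TextIO, from_server: TextIO) -> list:
    """Perform the initialize handshake, then list the server's tools by name."""
    to_server.write(encode(request(1, "initialize", {
        "protocolVersion": PROTOCOL_VERSION,
        "capabilities": {},
        "clientInfo": {"name": "example-client", "version": "0.1"},
    })))
    to_server.flush()
    read_response(from_server, 1)  # server capabilities; not needed for this demo
    # The client acknowledges with a notification (a message without an id).
    to_server.write(encode({"jsonrpc": "2.0", "method": "notifications/initialized"}))
    to_server.write(encode(request(2, "tools/list")))
    to_server.flush()
    return [t["name"] for t in read_response(from_server, 2)["tools"]]


def list_server_tools(argv: list) -> list:
    """Run a real server (e.g. ["python3", "/path/to/server.py"], assumed path, with
    LC_OID and LC_API_KEY in the environment) and list its tools over stdin/stdout."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    try:
        return run_stdio_session(proc.stdin, proc.stdout)
    finally:
        proc.stdin.close()
        proc.terminate()


def demo() -> list:
    """Replay a constructed server transcript so the exchange runs offline."""
    fake_server_stdout = io.StringIO(
        encode({"jsonrpc": "2.0", "id": 1, "result": {
            "protocolVersion": PROTOCOL_VERSION, "capabilities": {"tools": {}},
            "serverInfo": {"name": "limacharlie", "version": "0"}}})
        # A server-initiated notification interleaved with responses; skipped by the reader.
        + encode({"jsonrpc": "2.0", "method": "notifications/message",
                  "params": {"level": "info", "data": "ready"}})
        + encode({"jsonrpc": "2.0", "id": 2, "result": {"tools": [
            {"name": "get_processes"}, {"name": "isolate_network"}]}})
    )
    return run_stdio_session(io.StringIO(), fake_server_stdout)


if __name__ == "__main__":
    print(demo())
```

The reader matches responses by `id` rather than assuming strict ordering, because an MCP server may emit notifications (log messages, progress) between a request and its response.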
Requirements & Authentication

For HTTP Mode

The server requires authentication headers:

1. An Authorization header in one of these formats:
   - `Authorization: Bearer <jwt>` (OID must be in the x-lc-oid header)
   - `Authorization: Bearer <jwt>:<oid>` (combined format)
   - `Authorization: Bearer <api_key>:<oid>` (API key with OID)
2. An x-lc-oid header (if the OID is not included in Authorization):
   - `x-lc-oid: <organization_id>`
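The three Authorization formats above differ only in where the organization ID travels, so a request that carries a credential but no OID in either place should be rejected before any LimaCharlie call is made. The following is an added example of that check (illustrative code, not the MCP server's own header handling): it accepts the documented formats, resolves the OID from the inline suffix or the x-lc-oid header, and refuses a request where the two disagree. The JWT-versus-API-key distinction by dot-separated segments and the mismatch rule are assumptions of this example.

```python
from dataclasses import dataclass


class AuthError(ValueError):
    """Raised when the headers do not identify both a credential and an OID."""


@dataclass(frozen=True)
class LcAuth:
    credential: str  # JWT or API key; keep out of logs
    oid: str         # organization ID the request is scoped to
    kind: str        # "jwt" or "api_key" (heuristic, see _looks_like_jwt)


def _looks_like_jwt(token: str) -> bool:
    # Assumption for this example: a JWT is three non-empty dot-separated
    # segments; anything else is treated as an API key.
    parts = token.split(".")
    return len(parts) == 3 and all(parts)


def parse_lc_auth(headers: dict) -> LcAuth:
    """Extract (credential, oid) from request headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, value = lowered.get("authorization", "").partition(" ")
    value = value.strip()
    if scheme.lower() != "bearer" or not value:
        raise AuthError("missing or non-Bearer Authorization header")

    # Combined formats: "<jwt>:<oid>" or "<api_key>:<oid>". A bare JWT has
    # dots but no colon, so rpartition leaves it intact.
    credential, sep, inline_oid = value.rpartition(":")
    if not sep:
        credential, inline_oid = value, ""

    header_oid = lowered.get("x-lc-oid", "").strip()
    oid = inline_oid.strip() or header_oid
    if not oid:
        raise AuthError("organization ID missing: use <cred>:<oid> or x-lc-oid")
    # Assumption: treat a conflict between the two OID sources as an error
    # rather than silently preferring one of them.
    if inline_oid and header_oid and inline_oid.strip() != header_oid:
        raise AuthError("x-lc-oid disagrees with the OID in Authorization")

    kind = "jwt" if _looks_like_jwt(credential) else "api_key"
    return LcAuth(credential=credential, oid=oid, kind=kind)


if __name__ == "__main__":
    # Constructed sample headers; the token and OID values are placeholders.
    print(parse_lc_auth({"Authorization": "Bearer aaa.bbb.ccc", "x-lc-oid": "org-1"}))
    print(parse_lc_auth({"authorization": "Bearer 0000-key:org-2"}))
```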
For STDIO Mode

Set environment variables:

- LC_OID: Your LimaCharlie Organization ID
- LC_API_KEY: Your LimaCharlie API key
- GOOGLE_API_KEY: For AI-powered generation features (optional)
Capabilities

The LimaCharlie MCP server exposes over 100 tools organized by category:

Investigation & Telemetry

- Process inspection: get_processes, get_process_modules, get_process_strings, yara_scan_process
- System information: get_os_version, get_users, get_services, get_drivers, get_autoruns, get_packages
- Network analysis: get_network_connections, is_online, get_online_sensors
- File operations: find_strings, yara_scan_file, yara_scan_directory, yara_scan_memory
- Registry access: get_registry_keys
- Historical data: get_historic_events, get_historic_detections, get_time_when_sensor_has_data
Threat Response & Remediation

- Network isolation: isolate_network, rejoin_network, is_isolated
- Sensor management: add_tag, remove_tag, delete_sensor
- Reliable tasking: reliable_tasking, list_reliable_tasks
AI-Powered Generation (requires GOOGLE_API_KEY)

- Query generation: generate_lcql_query - Create LCQL queries from natural language
- Rule creation: generate_dr_rule_detection, generate_dr_rule_respond - Generate D&R rules
- Automation: generate_python_playbook - Create Python playbooks
- Analysis: generate_detection_summary - Summarize detection data
- Sensor selection: generate_sensor_selector - Generate sensor selectors
Platform Configuration

- Detection & Response: get_detection_rules, set_dr_general_rule, set_dr_managed_rule, delete_dr_general_rule
- False Positive Management: get_fp_rules, set_fp_rule, delete_fp_rule
- YARA Rules: list_yara_rules, set_yara_rule, validate_yara_rule, delete_yara_rule
- Outputs & Adapters: list_outputs, add_output, delete_output, list_external_adapters, set_external_adapter
- Extensions: list_extension_configs, set_extension_config, delete_extension_config
- Playbooks: list_playbooks, set_playbook, delete_playbook
- Secrets Management: list_secrets, set_secret, delete_secret
- Saved Queries: list_saved_queries, set_saved_query, run_saved_query
- Lookups: list_lookups, set_lookup, query_lookup, delete_lookup
Threat Intelligence

- IOC Search: search_iocs, batch_search_iocs
- Host Search: search_hosts
- MITRE ATT&CK: get_mitre_report
Administrative

- API Keys: list_api_keys, create_api_key, delete_api_key
- Installation Keys: list_installation_keys, create_installation_key, delete_installation_key
- Cloud Sensors: list_cloud_sensors, set_cloud_sensor, delete_cloud_sensor
- Organization Info: get_org_info, get_usage_stats
- Artifacts: list_artifacts, get_artifact
Schema & Documentation

- Event Schemas: get_event_schema, get_event_schemas_batch, get_event_types_with_schemas
- Platform Support: get_platform_names, list_with_platform, get_event_types_with_schemas_for_platform
Advanced Features

Large Result Handling

The server automatically handles large responses by uploading them to Google Cloud Storage (if configured):

- Set GCS_BUCKET_NAME to the storage bucket
- Configure GCS_TOKEN_THRESHOLD (default: 1000 tokens)
- Results are returned as signed URLs valid for 24 hours

LCQL Query Execution

The run_lcql_query tool supports:

- Streaming results for real-time monitoring
- Flexible time windows and limits
- Output formatting options
Examples

Claude Desktop/Code Configuration (STDIO)

```json
{
  "mcpServers": {
    "limacharlie": {
      "command": "python3",
      "args": ["/path/to/server.py"],
      "env": {
        "LC_OID": "your-org-id",
        "LC_API_KEY": "your-api-key",
        "GOOGLE_API_KEY": "your-google-api-key"
      }
    }
  }
}
```

HTTP Service Usage

```shell
claude mcp add --transport http limacharlie https://mcp.limacharlie.io/mcp \
  --header "Authorization: Bearer API_KEY:OID" \
  --header "x-lc-oid: OID"
```
Environment Variables

- PUBLIC_MODE: Set to true for HTTP mode, false for STDIO (default: false)
- GOOGLE_API_KEY: API key for AI-powered features
- GCS_BUCKET_NAME: Google Cloud Storage bucket for large results
- GCS_SIGNER_SERVICE_ACCOUNT: Service account for GCS URL signing
- GCS_TOKEN_THRESHOLD: Token count threshold for GCS upload (default: 1000)
- GCS_URL_EXPIRY_HOURS: Hours until GCS URLs expire (default: 24)
- LC_OID: Organization ID (STDIO mode only)
- LC_API_KEY: API key (STDIO mode only)
Notes

- The server is stateless when running in HTTP mode
- HTTP mode uses JSON responses (not Server-Sent Events)
- No OAuth flow is used; authentication is via bearer tokens only
- If you encounter missing capabilities, contact https://community.limacharlie.com for quick additions