MCP Server
  • 17 Jul 2025

LimaCharlie MCP Server

Overview

The Model Context Protocol (MCP) is a standardized protocol used by AI agents to access and leverage external tools and resources.

Note that MCP itself is still experimental and cutting edge.

LimaCharlie offers an MCP server at https://mcp.limacharlie.io which AI agents can use to work with LimaCharlie, for example to:

  • Query historical telemetry from any Sensor

  • Actively fetch/investigate using the LimaCharlie Agent (EDR) in real-time

  • Take active remediation measures like isolating an endpoint from the network, killing processes, etc.

This opens up the world of LimaCharlie to all AI agents regardless of where they live or how they’re implemented without having to re-invent the wheel.

Requirements

The LimaCharlie MCP server is stateless, meaning it does not store credentials. Instead it operates using normal LC credentials provided to it at run-time, just like the LC API.

This means issuing requests to the LC MCP server requires two bits of information (authentication data and an OID) to be provided on top of the normal MCP protocol:

  1. The Authorization header, like Authorization: Bearer XXXXXXXXXXXXXXXXXXX where XXXXXXXXXXXXXXXXXXX is one of:

    1. a LimaCharlie JWT

    2. an API Key + OID in the format api_key:oid

    3. a LimaCharlie JWT + OID in the format jwt:oid

  2. The x-lc-oid header, like x-lc-oid: a326700d-3cd7-49d1-ad08-20b396d8549d where a326700d-3cd7-49d1-ad08-20b396d8549d is the Organization ID (tenant) you wish to operate under.

Capabilities

The set of capabilities exposed is constantly growing (which is why it’s a good idea to filter the tools made available to your agent). If you encounter a capability available in LimaCharlie that isn’t available in the MCP server, drop us a line at https://community.limacharlie.com and we can add it quickly.

Currently exposed capabilities:

  • get_processes

  • get_historic_events

  • get_process_modules

  • get_process_strings

  • find_strings

  • get_packages

  • get_services

  • get_autoruns

  • get_drivers

  • get_users

  • get_network_connections

  • get_os_version

  • get_registry_keys

  • yara_scan_process

  • yara_scan_file

  • yara_scan_directory

  • yara_scan_memory

  • isolate_network

  • rejoin_network

  • is_isolated

  • is_online

  • add_tag

  • remove_tag

  • get_schema

  • get_schemas

  • get_ontology

  • get_mitre_report

  • list_with_platform

  • get_time_when_sensor_has_data

  • get_hictoric_detections

  • get_detection_rules

  • get_fp_rules

Examples

claude mcp add --transport http limacharlie https://mcp.limacharlie.io/mcp --header "Authorization: Bearer API_KEY_VALUE:OID"
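
For agents built in code, the following added example (not LimaCharlie's own code) builds the two headers from the Requirements section and applies the tool filtering recommended under Capabilities to an MCP tools/list result. The function names, the grouping of four tools as state-changing, and the sample data are assumptions of this example; API_KEY_VALUE is the same placeholder used in the command above.

```python
import uuid

# Tool names are from the list on this page; treating these four as
# state-changing is this example's assumption, based on their names.
STATE_CHANGING = {"isolate_network", "rejoin_network", "add_tag", "remove_tag"}

def build_headers(secret, oid, kind="api_key", combined=True):
    """Build the two headers listed under Requirements.

    kind is "api_key" (always sent as api_key:oid) or "jwt" (sent alone,
    or as jwt:oid when combined is True).
    """
    oid = str(uuid.UUID(oid))  # raises ValueError unless the OID is a UUID
    # Reject values that could split or corrupt the header line.
    if not secret or any(c.isspace() or ord(c) < 0x20 for c in secret):
        raise ValueError("credential is empty or has whitespace/control characters")
    if kind not in ("api_key", "jwt"):
        raise ValueError("unknown credential kind: %r" % kind)
    token = secret if (kind == "jwt" and not combined) else f"{secret}:{oid}"
    return {"Authorization": f"Bearer {token}", "x-lc-oid": oid}

def redact(headers):
    """Copy of the headers that is safe to write to logs."""
    return {k: "Bearer <redacted>" if k.lower() == "authorization" else v
            for k, v in headers.items()}

def filter_tools(result, allow, permit_state_changing=False):
    """Reduce an MCP tools/list result to the tools this agent may be shown."""
    return [t for t in result.get("tools", [])
            if t.get("name") in allow
            and (permit_state_changing or t.get("name") not in STATE_CHANGING)]

def may_call(name, allow, permit_state_changing=False):
    """Same policy at tools/call time, in case the model names a hidden tool."""
    return name in allow and (permit_state_changing or name not in STATE_CHANGING)

# Constructed sample of a tools/list result (schemas omitted for brevity).
SAMPLE_RESULT = {"tools": [{"name": n} for n in (
    "get_processes", "get_historic_events", "isolate_network",
    "add_tag", "yara_scan_file")]}
TRIAGE_ALLOW = {"get_processes", "get_historic_events", "is_isolated",
                "isolate_network"}

if __name__ == "__main__":
    hdrs = build_headers("API_KEY_VALUE", "a326700d-3cd7-49d1-ad08-20b396d8549d")
    print(redact(hdrs))
    print([t["name"] for t in filter_tools(SAMPLE_RESULT, TRIAGE_ALLOW)])
```

Pairing the filter with an API key that only holds the permissions the agent needs keeps the restriction enforced on the LimaCharlie side as well as in the client.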

