Contents x
    MCP Server
    • 11 May 2025
    • 2 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    Contents

    MCP Server

    • Updated on 11 May 2025
    • 2 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    Article summary

    LimaCharlie MCP Server

    Overview

    The Model Context Protocol (MCP) is a standardized protocol use by AI Agents to access and leverage external tools and resources.

    Note that MCP itself is still experimental and cutting edge.

    LimaCharlie offers an MCP server at https://mcp.limacharlie.io which can be used to easily enable AI agents to gather information from LimaCharlie like:

    • Query historical telemetry from any Sensor

    • Actively fetch/investigate using the LimaCharlie Agent (EDR) in real-time

    • Take active remediation measures like isolating an endpoint from the network, killing processes etc

    This opens up the world of LimaCharlie to all AI agents regardless of where they live or how they’re implemented without having to re-invent the wheel.

    Requirements

    The LimaCharlie MCP server is stateless, meaning it does not store credentials. Instead it operates using normal LC credentials provided to it at run-time, just like the LC API.

    This means issuing requests to the LC MCP server requires two HTTP headers to be provided on top of the normal MCP protocol:

    1. The Authorization header, like Authorization: Bearer XXXXXXXXXXXXXXXXXXX where XXXXX is a LimaCharlie JWT.

    2. The x-lc-oid header, like x-lc-oid: a326700d-3cd7-49d1-ad08-20b396d8549d where a326700d-3cd7-49d1-ad08-20b396d8549d is the Organization ID (tenant) you wish to operate under.

    Capabilities

    The set of capabilities exposed is constantly growing (which is why it’s a good idea to do filtering of tools for your agent). If you encounter a capability available in LimaCharlie that isn’t available in the MCP server, drop us a line at https://community.limacharlie.com and we can add it quickly.

    Currently exposed capabilities:

    • get_processes

    • get_historic_events

    • get_process_modules

    • get_process_strings

    • find_strings

    • get_packages

    • get_services

    • get_autoruns

    • get_drivers

    • get_users

    • get_network_connections

    • get_os_version

    • get_registry_keys

    • yara_scan_process

    • yara_scan_file

    • yara_scan_directory

    • yara_scan_memory

    • isolate_network

    • rejoin_network

    • is_isolated

    • is_online

    • add_tag

    • remove_tag

    • get_schema

    • get_schemas

    • get_ontology

    • get_mitre_report

    • list_with_platform

    • get_time_when_sensor_has_data

    • get_hictoric_detections

    • get_detection_rules

    • get_fp_rules

    Examples

    These examples show using the LC MCP server using the Python Google Agent Development Toolkip (ADK) though other AI agent frameworks should be similar.

    Note that filtering of the tools available is not included in these examples, but it is highly recommended you do it to avoid an agent use an LC capability you did not anticipate.

    from google.adk.tools.mcp_tool.mcp_toolset import MCPToolset, SseServerParams, MCPTool
from contextlib import AsyncExitStack
from google.adk.agents import Agent
from google.genai.types import GenerateContentConfig
import limacharlie

async def get_mcp_tools(jwt: str, oid: str) -> tuple[list[MCPTool], AsyncExitStack[bool | None]]:
    print("Getting MCP tools from server...")
    # Create SSE server params with proper authentication
    sse_params = SseServerParams(
        url="https://mcp.limacharlie.io/sse",
        headers={
            "Authorization": f"Bearer {jwt}",
            "Content-Type": "application/json",
            "x-lc-oid": oid,
        }
    )

    # Create the toolset
    tools, exit_stack = await MCPToolset.from_server(
        connection_params=sse_params
    )

    return tools, exit_stack

async def create_agent(api_key: str, oid: str) -> tuple[Agent, AsyncExitStack[bool | None]]:
    # Generate a JWT from the credentials
    tmpSDK = limacharlie.Manager(oid, api_key)
    tmpSDK._refreshJWT()
    jwt = tmpSDK._jwt
    tools, exit_stack = await get_mcp_tools(jwt, oid)

    # The tools are already of the correct type from get_mcp_tools
    root_agent = Agent(
        name="my_ai_agent",
        model="gemini-2.0-flash",
        description="Simple AI Agent to help investigate using LimaCharlie",
        instruction="You will be given a detection (alert) that comes from LimaCharlie and you will investigate it to determine if it is a False Positive",
        tools=tools,
        generate_content_config=GenerateContentConfig(
            temperature=0.0
        ),
    )
    
    return root_agent, exit_stack

    Was this article helpful?