Model Context Protocol (MCP)
Unizo offers an MCP server that integrates endpoint detection and response (EDR) platforms with any LLM provider supporting the MCP protocol. This enables your AI agent to investigate threats, analyze device health, and automate security responses across CrowdStrike, SentinelOne, Microsoft Defender, and other EDR solutions via a single MCP server.
Supported Tools & Use Cases
The following tools are available in the EDR MCP Server:
| Tool Name | Description |
|---|---|
| edr_list_integrations | Get integrations for a specific EDR service |
| edr_list_devices | Browse devices with pagination and sorting |
| edr_get_device_details | Retrieve comprehensive device information |
| edr_list_device_alerts | Browse alerts for a specific device |
| edr_get_device_alert_details | Retrieve detailed alert information |
Tool Reference
Integration Discovery Tools
edr_list_integrations
Get integrations for a specific EDR service
Parameters:
connector (string, required): Name of the service (e.g., "crowdstrike", "sentinelone")
Returns: List of integrations available for the specified service
Example Response:
[
{
"id": "integration-123",
"name": "Production CrowdStrike"
},
{
"id": "integration-456",
"name": "Development SentinelOne"
}
]
Device Management Tools
edr_list_devices
Browse devices with pagination and sorting
Parameters:
integration_id (string, required): Unique identifier for the integration
Returns: Paginated list of devices
Example Response:
{
"status": "success",
"message": "Retrieved 15 devices",
"data": {
"devices": [
{
"id": "DESKTOP-ABC123",
"state": "ACTIVE",
"platform": {
"href": "https://api.unizo.ai/api/v1/platforms/windows-10",
"type": "ENDPOINT",
"id": "WIN-10-ENT-x64",
"name": "Windows 10 Enterprise"
},
"os": {
"version": "10.0.19045",
"major": "10",
"minor": "0"
},
"hostnames": ["DESKTOP-ABC123", "workstation-01"],
"fqdns": ["desktop-abc123.corp.example.com"],
"ipv4s": ["192.168.1.100", "10.0.0.25"],
"ipv6s": ["2001:db8::1"],
"macAddresses": ["00:11:22:33:44:55"],
"sourceVendors": [
{
"vendor": "CrowdStrike",
"vendorId": "CS-FALCON-SENSOR-001",
"agentInfo": {
"agentVersion": "7.15.16806.0",
"signatureVersion": "2024.06.04.001",
"policies": [
{
"name": "Corporate Endpoint Protection Policy",
"id": "POL-EPP-001"
}
]
}
}
],
"installedSoftware": [
"Microsoft Office 365",
"Google Chrome",
"Slack Desktop"
],
"adInfo": {
"orgUnit": "OU=Workstations,OU=IT,DC=corp,DC=example,DC=com",
"siteName": "Corporate-HQ-Site",
"domain": "CORP.EXAMPLE.COM",
"deviceId": "CN=DESKTOP-ABC123,CN=Computers,DC=corp,DC=example,DC=com"
},
"tags": [
{
"key": "Department",
"value": "IT-Security",
"source": "EDR-Agent"
},
{
"key": "Criticality",
"value": "High",
"source": "Manual"
}
],
"identities": [
{
"userName": "john.doe@corp.example.com",
"userId": "S-1-5-21-1234567890-987654321-1122334455-1001"
}
],
"changeLog": {
"createdDateTime": "2023-01-15T10:00:00Z",
"lastUpdatedDateTime": "2024-11-05T09:30:00Z"
}
}
],
"pagination": {
"total": 150,
"offset": 0,
"limit": 20,
"next": 20,
"previous": null
},
"total_count": 150
}
}
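The response above is one page of a larger inventory (`pagination.total` is 150, the page holds 20). The following is an added example, not Unizo's code, showing how an agent-side helper can flatten a device record into the fields an analyst reads first, walk the pages using the documented `pagination` object, and flag devices that report no `sourceVendors` entry (a host with no EDR agent reporting on it is a coverage gap rather than a clean host). The sample page is constructed from the documented shape; the second device and the `fetchPage(offset)` fetcher interface (in a real agent, the `edr_list_devices` tool call) are assumptions, since the page does not document how the offset is passed to the tool.

```javascript
// Added example (not Unizo's code). Sample page constructed from the
// documented edr_list_devices response shape; the second device is made up.
const sampleDevicePage = {
  status: "success",
  message: "Retrieved 2 devices",
  data: {
    devices: [
      {
        id: "DESKTOP-ABC123",
        state: "ACTIVE",
        hostnames: ["DESKTOP-ABC123", "workstation-01"],
        ipv4s: ["192.168.1.100", "10.0.0.25"],
        sourceVendors: [
          {
            vendor: "CrowdStrike",
            vendorId: "CS-FALCON-SENSOR-001",
            agentInfo: { agentVersion: "7.15.16806.0", signatureVersion: "2024.06.04.001", policies: [] },
          },
        ],
        tags: [{ key: "Criticality", value: "High", source: "Manual" }],
        changeLog: { createdDateTime: "2023-01-15T10:00:00Z", lastUpdatedDateTime: "2024-11-05T09:30:00Z" },
      },
      {
        id: "SRV-DB-07", // constructed: a host with no EDR agent reporting
        state: "INACTIVE",
        hostnames: ["srv-db-07"],
        ipv4s: ["10.0.0.40"],
        sourceVendors: [],
        tags: [],
        changeLog: { createdDateTime: "2022-05-01T00:00:00Z", lastUpdatedDateTime: "2024-09-01T00:00:00Z" },
      },
    ],
    pagination: { total: 150, offset: 0, limit: 20, next: 20, previous: null },
    total_count: 150,
  },
};

// Flatten one device record into the fields an analyst looks at first.
function summarizeDevice(device) {
  const vendor = (device.sourceVendors || [])[0];
  const tag = (device.tags || []).find((t) => t.key === "Criticality");
  return {
    id: device.id,
    state: device.state,
    hostname: (device.hostnames || [])[0] ?? null,
    ipv4s: device.ipv4s || [],
    vendor: vendor ? vendor.vendor : null,
    agentVersion: vendor ? vendor.agentInfo?.agentVersion ?? null : null,
    criticality: tag ? tag.value : null,
    // No sourceVendors entry means no EDR agent is reporting on this host.
    hasAgent: Boolean(vendor),
  };
}

// Offset of the next page, or null on the last page. Uses pagination.next
// when the server supplies it and falls back to offset + limit otherwise.
function nextOffset(page) {
  const p = page.data.pagination;
  if (p.next !== null && p.next !== undefined) return p.next < p.total ? p.next : null;
  const candidate = p.offset + p.limit;
  return candidate < p.total ? candidate : null;
}

// Walk every page through a caller-supplied fetchPage(offset) (assumed
// interface) and collect summaries plus the ids of hosts without an agent.
// maxPages bounds the loop so a misbehaving pagination object cannot spin it.
function collectDevices(fetchPage, maxPages = 100) {
  const summaries = [];
  let offset = 0;
  for (let i = 0; i < maxPages && offset !== null; i++) {
    const page = fetchPage(offset);
    if (page.status !== "success") throw new Error(`tool error: ${page.message}`);
    for (const d of page.data.devices) summaries.push(summarizeDevice(d));
    offset = nextOffset(page);
  }
  return {
    devices: summaries,
    uncovered: summaries.filter((s) => !s.hasAgent).map((s) => s.id),
  };
}
```

The `uncovered` list is the item worth surfacing to the operator: a device the platform knows about (from AD or cloud metadata) but that no EDR vendor reports on will never produce alerts, so its absence from `edr_list_device_alerts` output says nothing about its health.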
edr_get_device_details
Retrieve comprehensive device information
Parameters:
integration_id (string, required): Unique identifier for the integration
device_id (string, required): Unique identifier of the device
Returns: Comprehensive device information
Example Response:
{
"status": "success",
"message": "Retrieved device details for DESKTOP-ABC123",
"data": {
"device": {
"id": "DESKTOP-ABC123",
"state": "ACTIVE",
"platform": {
"href": "https://api.unizo.ai/api/v1/platforms/windows-10",
"type": "ENDPOINT",
"id": "WIN-10-ENT-x64",
"name": "Windows 10 Enterprise"
},
"os": {
"version": "10.0.19045",
"major": "10",
"minor": "0"
},
"hostnames": ["DESKTOP-ABC123", "workstation-01"],
"fqdns": ["desktop-abc123.corp.example.com", "workstation-01.internal.local"],
"ipv4s": ["192.168.1.100", "10.0.0.25"],
"ipv6s": ["2001:db8::1", "fe80::1234:5678:9abc:def0"],
"macAddresses": ["00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"],
"sourceVendors": [
{
"vendor": "CrowdStrike",
"vendorId": "CS-FALCON-SENSOR-001",
"agentInfo": {
"agentVersion": "7.15.16806.0",
"signatureVersion": "2024.06.04.001",
"policies": [
{
"name": "Corporate Endpoint Protection Policy",
"id": "POL-EPP-001"
},
{
"name": "Enhanced Threat Detection",
"id": "POL-ETD-002"
}
]
}
}
],
"installedSoftware": [
"Microsoft Office 365",
"Google Chrome",
"Slack Desktop",
"Visual Studio Code",
"Docker Desktop"
],
"adInfo": {
"orgUnit": "OU=Workstations,OU=IT,DC=corp,DC=example,DC=com",
"siteName": "Corporate-HQ-Site",
"domain": "CORP.EXAMPLE.COM",
"deviceId": "CN=DESKTOP-ABC123,CN=Computers,DC=corp,DC=example,DC=com"
},
"cloudMetadata": {
"cloudProvider": "AWS",
"accountId": "123456789012",
"region": "us-east-1",
"availabilityZone": "us-east-1a",
"instanceId": "i-0abcd1234efgh5678",
"instanceType": "t3.medium",
"imageId": "ami-0123456789abcdef0",
"vpcId": "vpc-12345678",
"subnetId": "subnet-abcdef12"
},
"tags": [
{
"key": "Department",
"value": "IT-Security",
"source": "EDR-Agent"
},
{
"key": "Criticality",
"value": "High",
"source": "Manual"
},
{
"key": "Environment",
"value": "Production",
"source": "Cloud-Sync"
}
],
"identities": [
{
"userName": "john.doe@corp.example.com",
"userId": "S-1-5-21-1234567890-987654321-1122334455-1001"
}
],
"changeLog": {
"createdDateTime": "2023-01-15T10:00:00Z",
"lastUpdatedDateTime": "2024-11-05T09:30:00Z",
"createdBy": {
"href": "https://api.unizo.ai/api/v1/users/admin-001",
"id": "admin-001",
"firstName": "Admin",
"lastName": "User"
},
"lastUpdatedBy": {
"href": "https://api.unizo.ai/api/v1/users/system-001",
"id": "system-001",
"firstName": "System",
"lastName": "Agent"
}
}
}
}
}
Device Alert Management Tools
edr_list_device_alerts
Browse alerts for a specific device
Parameters:
integration_id (string, required): Unique identifier for the integration
device_id (string, required): Unique identifier of the device
Returns: Paginated list of device alerts
Example Response:
{
"status": "success",
"message": "Retrieved 5 alerts for device DESKTOP-ABC123",
"data": {
"alerts": [
{
"id": "ALT-2024-001-MALWARE",
"state": "ACTIVE",
"title": "Suspicious Process Execution Detected",
"description": "A potentially malicious process 'powershell.exe' was detected executing suspicious commands on the system",
"severity": "HIGH",
"vendor": {
"id": "CROWDSTRIKE-FALCON",
"severity": "HIGH",
"status": "NEW"
},
"source": {
"system": "CrowdStrike Falcon EDR"
},
"status": {
"internal": "UNDER_INVESTIGATION",
"external": "OPEN"
},
"changeLog": {
"createdDateTime": "2024-11-05T14:30:00Z",
"lastUpdatedDateTime": "2024-11-05T15:45:00Z"
}
},
{
"id": "ALT-2024-002-NETWORK",
"state": "ACTIVE",
"title": "Unusual Network Traffic Pattern",
"description": "Device initiated connections to multiple unknown external IP addresses",
"severity": "MEDIUM",
"vendor": {
"id": "CROWDSTRIKE-FALCON",
"severity": "MEDIUM",
"status": "INVESTIGATING"
},
"source": {
"system": "CrowdStrike Falcon EDR"
},
"status": {
"internal": "NEW",
"external": "OPEN"
},
"changeLog": {
"createdDateTime": "2024-11-05T16:20:00Z",
"lastUpdatedDateTime": "2024-11-05T16:20:00Z"
}
},
{
"id": "ALT-2024-003-POLICY",
"state": "INACTIVE",
"title": "Security Policy Violation",
"description": "Unauthorized software installation attempt detected",
"severity": "LOW",
"vendor": {
"id": "CROWDSTRIKE-FALCON",
"severity": "LOW",
"status": "RESOLVED"
},
"source": {
"system": "CrowdStrike Falcon EDR"
},
"status": {
"internal": "RESOLVED",
"external": "CLOSED"
},
"changeLog": {
"createdDateTime": "2024-11-04T10:15:00Z",
"lastUpdatedDateTime": "2024-11-04T18:30:00Z"
}
}
],
"pagination": {
"total": 25,
"offset": 0,
"limit": 20,
"next": null,
"previous": null
},
"device_id": "DESKTOP-ABC123",
"total_count": 25
}
}
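Each alert carries both a normalized top-level `severity`/`state` and the vendor's own `vendor.severity`/`vendor.status`, plus an `internal`/`external` status pair. The following is an added example, not Unizo's code, showing how an agent can turn one page of `edr_list_device_alerts` output into a triage queue: drop alerts that are `INACTIVE` or externally `CLOSED`, order the rest by severity and then recency, and count what remains. The sample page is constructed from the three alerts documented above; the severity ranking table is an assumption (the page documents only HIGH, MEDIUM and LOW), and unknown severities are kept but sorted last rather than discarded.

```javascript
// Added example (not Unizo's code). Sample page constructed from the
// documented edr_list_device_alerts response.
const sampleAlertPage = {
  status: "success",
  message: "Retrieved 3 alerts for device DESKTOP-ABC123",
  data: {
    alerts: [
      {
        id: "ALT-2024-001-MALWARE", state: "ACTIVE", severity: "HIGH",
        title: "Suspicious Process Execution Detected",
        vendor: { id: "CROWDSTRIKE-FALCON", severity: "HIGH", status: "NEW" },
        status: { internal: "UNDER_INVESTIGATION", external: "OPEN" },
        changeLog: { createdDateTime: "2024-11-05T14:30:00Z", lastUpdatedDateTime: "2024-11-05T15:45:00Z" },
      },
      {
        id: "ALT-2024-002-NETWORK", state: "ACTIVE", severity: "MEDIUM",
        title: "Unusual Network Traffic Pattern",
        vendor: { id: "CROWDSTRIKE-FALCON", severity: "MEDIUM", status: "INVESTIGATING" },
        status: { internal: "NEW", external: "OPEN" },
        changeLog: { createdDateTime: "2024-11-05T16:20:00Z", lastUpdatedDateTime: "2024-11-05T16:20:00Z" },
      },
      {
        id: "ALT-2024-003-POLICY", state: "INACTIVE", severity: "LOW",
        title: "Security Policy Violation",
        vendor: { id: "CROWDSTRIKE-FALCON", severity: "LOW", status: "RESOLVED" },
        status: { internal: "RESOLVED", external: "CLOSED" },
        changeLog: { createdDateTime: "2024-11-04T10:15:00Z", lastUpdatedDateTime: "2024-11-04T18:30:00Z" },
      },
    ],
    pagination: { total: 3, offset: 0, limit: 20, next: null, previous: null },
    device_id: "DESKTOP-ABC123",
    total_count: 3,
  },
};

// Assumed ranking; the page documents only these three values.
const SEVERITY_RANK = { HIGH: 3, MEDIUM: 2, LOW: 1 };

// Prefer the normalized severity, fall back to the vendor's own; unknown
// values rank below LOW but are not dropped.
function severityRank(alert) {
  const s = (alert.severity || alert.vendor?.severity || "").toUpperCase();
  return SEVERITY_RANK[s] ?? 0;
}

// An alert still needs attention if it is ACTIVE and not externally CLOSED.
function isOpen(alert) {
  return alert.state === "ACTIVE" && alert.status?.external !== "CLOSED";
}

// Build the triage queue for one page: open alerts, highest severity first,
// most recent first within a severity, plus per-severity counts.
function triageAlerts(page) {
  if (page.status !== "success") throw new Error(`tool error: ${page.message}`);
  const open = page.data.alerts.filter(isOpen);
  open.sort(
    (a, b) =>
      severityRank(b) - severityRank(a) ||
      (b.changeLog?.createdDateTime ?? "").localeCompare(a.changeLog?.createdDateTime ?? ""),
  );
  const bySeverity = {};
  for (const a of open) {
    const s = (a.severity || "UNKNOWN").toUpperCase();
    bySeverity[s] = (bySeverity[s] || 0) + 1;
  }
  return {
    deviceId: page.data.device_id,
    queue: open.map((a) => ({ id: a.id, severity: a.severity, title: a.title, internalStatus: a.status?.internal })),
    bySeverity,
    closed: page.data.alerts.length - open.length,
    // More pages remain when the server reports a next offset.
    morePages: page.data.pagination?.next !== null && page.data.pagination?.next !== undefined,
  };
}
```

Filtering on the normalized `state` and `status.external` rather than on `vendor.status` keeps the logic the same across vendors; the vendor fields remain in the record for the analyst who needs the platform-specific view.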
edr_get_device_alert_details
Retrieve detailed alert information
Parameters:
integration_id (string, required): Unique identifier for the integration
device_id (string, required): Unique identifier of the device
alert_id (string, required): Unique identifier of the alert
Returns: Comprehensive alert information
Example Response:
{
"status": "success",
"message": "Retrieved alert details for ALT-2024-001-MALWARE",
"data": {
"alert": {
"id": "ALT-2024-001-MALWARE",
"state": "ACTIVE",
"title": "Suspicious Process Execution Detected",
"description": "A potentially malicious process 'powershell.exe' was detected executing suspicious commands. The process attempted to download and execute code from an external source. Indicators suggest this may be part of a fileless malware attack targeting system credentials.",
"severity": "HIGH",
"vendor": {
"id": "CROWDSTRIKE-FALCON",
"severity": "HIGH",
"status": "INVESTIGATING"
},
"source": {
"system": "CrowdStrike Falcon EDR"
},
"status": {
"internal": "UNDER_INVESTIGATION",
"external": "OPEN"
},
"changeLog": {
"createdDateTime": "2024-11-05T14:30:00Z",
"lastUpdatedDateTime": "2024-11-05T15:45:00Z",
"createdBy": {
"href": "https://api.unizo.ai/api/v1/users/system-edr",
"id": "system-edr-001",
"firstName": "EDR",
"lastName": "System"
},
"lastUpdatedBy": {
"href": "https://api.unizo.ai/api/v1/users/analyst-001",
"id": "analyst-001",
"firstName": "Security",
"lastName": "Analyst"
}
}
},
"device_id": "DESKTOP-ABC123"
}
}
Installation
Prerequisites
- A Unizo API key
- An active EDR & XDR integration (CrowdStrike, Defender, SentinelOne)
- Node.js v20 or higher
MCP Configuration
Here is an example configuration for setting up the Unizo EDR MCP server:
{
"mcpServers": {
"unizo": {
"command": "npx",
"args": [
"mcp-remote",
"https://api.unizo.ai/mcp",
"--header",
"apikey:${UNIZO_API_KEY}",
"--header",
"x-mcp-scopes:edr"
],
"env": {
"UNIZO_API_KEY": "your_api_key"
}
}
}
}
Client Setup
For detailed setup instructions with specific AI clients:
Environment Variables
The following environment variables are required:
UNIZO_API_KEY: Your Unizo API key
Error Handling
All tools return errors in a consistent format:
{
"status": "error",
"message": "Device 'DESKTOP-ABC123' not found",
"traceback": "..."
}
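Because every tool returns the same `{status, message, ...}` envelope, the agent can validate results in one place. The following is an added example, not Unizo's code, of a helper that unwraps a tool result before it reaches the model: it parses text results, checks that a `status` is present, and on `"error"` forwards only the `message`, writing the `traceback` to an operator-supplied log instead of into the model's context (a stack trace can carry file paths, hostnames and internal identifiers the model does not need). The sample error result is constructed from the documented shape; the `log` callback and the return shape are assumptions.

```javascript
// Added example (not Unizo's code). Error result constructed from the
// documented error format; the traceback text is made up.
const sampleErrorResult = {
  status: "error",
  message: "Device 'DESKTOP-ABC123' not found",
  traceback: "Traceback (most recent call last): ... (constructed)",
};

// Normalize a raw tool result (object or JSON string) into {ok, ...}.
// `log` receives the traceback for operator diagnostics; the model-facing
// return value never contains it.
function unwrapToolResult(raw, log = () => {}) {
  let body = raw;
  if (typeof raw === "string") {
    try {
      body = JSON.parse(raw);
    } catch (e) {
      return { ok: false, error: "tool returned non-JSON output" };
    }
  }
  if (!body || typeof body !== "object" || typeof body.status !== "string") {
    return { ok: false, error: "tool result missing status field" };
  }
  if (body.status === "error") {
    if (body.traceback) log({ message: body.message, traceback: body.traceback });
    return { ok: false, error: body.message || "unknown tool error" };
  }
  if (body.status === "success") {
    return { ok: true, message: body.message, data: body.data ?? {} };
  }
  return { ok: false, error: `unexpected status '${body.status}'` };
}
```

A caller that branches on `ok` never has to inspect `status` strings itself, and a result that is neither `"success"` nor `"error"` is treated as a failure rather than silently passed through.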