MCP EDR/XDR
Unizo's EDR/XDR MCP Server delivers a unified, agent-friendly interface for accessing, querying, and acting upon security telemetry and threat data from Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) platforms. Integrated via the Model Context Protocol (MCP), this server allows AI agents and LLM clients to interact with security event feeds, asset inventories, and incident workflows across multiple security platforms.
This guide covers the installation, tool reference, and runtime configuration needed to use the Unizo EDR/XDR MCP Server, which is built for modern SecOps automation.
Overview
The Unizo EDR/XDR MCP Server enables seamless integration of security platforms with AI agents through a standardized interface that abstracts the complexity of different EDR and XDR systems.
Key Benefits
- Unified Security Intelligence: Normalize telemetry from disparate EDR and XDR platforms like SentinelOne, CrowdStrike, and Microsoft Defender into a single query model
- AI Agent Compatibility: Built to integrate seamlessly with Claude, GPT, and any other MCP-capable agent
- Investigation-Ready Tools: Perform incident lookups, retrieve asset state, and investigate threats directly through your agent interface
Available Tools
Tool Reference
| Tool Name | Description | Parameters |
|---|---|---|
| list_assets | Retrieves assets from the connected service or integration | Required: integration id or name. Optional: filters (hostname, IP, tag) |
| list_alerts | Lists alerts/events from the connected XDR/EDR system | Required: integration id or name. Optional: filters (asset id, severity, time range) |
| list_incidents | Fetches incident tickets or case data from the service | Required: integration id or name. Optional: filters (status, priority) |
Installation & Setup
Prerequisites
- Node.js or Python runtime (whichever your mcp-proxy toolchain requires)
- MCP-compatible AI agent (e.g., Claude, GPT)
- Unizo EDR/XDR API credentials (see environment setup below)
Example MCP Server Setup (JSON)
The entry below uses the mcpServers format read by Claude Desktop and similar MCP clients; mcp-proxy bridges the client's stdio transport to the server's HTTP endpoint.
{
  "mcpServers": {
    "unizo": {
      "command": "mcp-proxy",
      "args": ["http://172.184.130.51:8999/mcp"],
      "env": {
        "API_ACCESS_TOKEN": "your_account_token"
      }
    }
  }
}
Two cautions about this example before using it beyond a local test: the endpoint is plain http://, so anything sent to it (including any credential mcp-proxy forwards) travels unencrypted, and the token is written literally into the config file. Prefer an https:// endpoint, and keep the real token out of any config that is committed or shared, for example by having the client read it from the environment at launch rather than storing it in the file.
Integrate this EDR/XDR server alongside your Unizo Ticketing or SCM servers for complete threat-to-response automation.
Environment Variables
| Variable | Description |
|---|---|
| API_ACCESS_TOKEN | Your Unizo-issued API key for secure MCP authentication |
Client Integration Flow
1. Start the MCP Server
   - Use your orchestrator (Claude Desktop, GPT plugin, or equivalent)
   - Load the MCP JSON config containing the Unizo EDR/XDR server entry (named unizo in the example above)
2. Discover Security Context
   - Call list_services → list_integrations → list_assets
   - Drill into specific endpoints via get_asset or list_alerts
3. Investigate & Act
   - Launch alert investigation with investigate_alert
   - Retrieve incidents with list_incidents, or get details with get_incident
The tool table above documents list_assets, list_alerts and list_incidents only; the other names in this flow (list_services, list_integrations, get_asset, investigate_alert, get_incident) are not described there, so confirm their exact names and parameters from the server's tool listing before scripting against them.
The MCP server abstracts the differences between various EDR and XDR platforms, allowing agents to use a consistent set of tools and parameters regardless of the underlying service.
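The flow above is a sequence of MCP tool calls, and it helps to see the JSON-RPC messages that an orchestrator actually exchanges for steps 2 and 3. The following is an added example, not Unizo's code: a minimal client that performs the MCP handshake, discovers the advertised tools, and chains list_integrations → list_assets → list_alerts to triage one integration, run against a constructed in-process fake server so it executes offline. The method names (initialize, tools/list, tools/call) follow the MCP specification; the argument names (integration, asset_id, severity), result shapes, and all sample data are assumptions and will differ from the real server.

```python
"""Added example (not Unizo's code): the JSON-RPC exchange behind the
'Discover Security Context' / 'Investigate & Act' flow, run against a
constructed in-process fake server so it executes offline.

Assumptions not taken from the page: method names follow the MCP spec
(initialize, tools/list, tools/call); the tool argument names (integration,
asset_id, severity), result shapes and sample data are invented.
"""
import json

# ---- constructed fake server (stands in for the Unizo endpoint) -----------
FAKE_INTEGRATIONS = [{"id": "int-1", "name": "crowdstrike-prod"}]
FAKE_ASSETS = {"int-1": [{"id": "asset-7", "hostname": "db01", "ip": "10.0.0.7"},
                         {"id": "asset-9", "hostname": "web02", "ip": "10.0.1.9"}]}
FAKE_ALERTS = {"asset-7": [{"id": "al-100", "severity": "high", "title": "Credential dumping"}],
               "asset-9": [{"id": "al-101", "severity": "low", "title": "Port scan"}]}
# Tool catalogue the server advertises, with each tool's required arguments.
TOOLS = {"list_integrations": [], "list_assets": ["integration"], "list_alerts": ["integration"]}


def _ok(rid, result):
    return {"jsonrpc": "2.0", "id": rid, "result": result}


def _err(rid, code, msg):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": msg}}


def fake_server(req):
    """Answer one JSON-RPC message the way a (simplified) MCP server would."""
    rid, method, params = req.get("id"), req["method"], req.get("params", {})
    if rid is None:                          # notification: no response
        return None
    if method == "initialize":
        return _ok(rid, {"protocolVersion": "2025-03-26", "capabilities": {"tools": {}},
                         "serverInfo": {"name": "fake-edr-xdr", "version": "0"}})
    if method == "tools/list":
        return _ok(rid, {"tools": [{"name": n, "inputSchema": {"type": "object", "required": r}}
                                   for n, r in TOOLS.items()]})
    if method != "tools/call":
        return _err(rid, -32601, f"unknown method {method}")
    name, args = params["name"], params.get("arguments", {})
    if name not in TOOLS:
        return _err(rid, -32602, f"unknown tool {name}")
    missing = [k for k in TOOLS[name] if k not in args]
    if missing:                              # the table's 'Required' column, enforced
        return _err(rid, -32602, f"missing required arguments {missing}")
    if name == "list_integrations":
        data = FAKE_INTEGRATIONS
    elif name == "list_assets":
        data = FAKE_ASSETS.get(args["integration"], [])
    else:                                    # list_alerts with optional asset_id/severity
        ids = [a["id"] for a in FAKE_ASSETS.get(args["integration"], [])]
        ids = [i for i in ids if args.get("asset_id") in (None, i)]
        data = [dict(a, asset_id=i) for i in ids for a in FAKE_ALERTS.get(i, [])
                if args.get("severity") in (None, a["severity"])]
    return _ok(rid, {"content": [{"type": "text", "text": json.dumps(data)}], "isError": False})


# ---- client side: what the orchestrator does on the agent's behalf ---------
class McpClient:
    def __init__(self, transport):
        self.transport = transport           # callable(dict) -> dict | None
        self.tools = {}                      # tools advertised by the server
        self.calls = []                      # local record of every tools/call
        self._next_id = 0

    def _rpc(self, method, params=None):
        self._next_id += 1
        req = {"jsonrpc": "2.0", "id": self._next_id, "method": method}
        if params is not None:
            req["params"] = params
        resp = self.transport(req)
        if "error" in resp:
            raise RuntimeError(f"{method}: {resp['error']['message']}")
        return resp["result"]

    def initialize(self):
        self._rpc("initialize", {"protocolVersion": "2025-03-26", "capabilities": {},
                                 "clientInfo": {"name": "example-client", "version": "0"}})
        self.transport({"jsonrpc": "2.0", "method": "notifications/initialized"})
        self.tools = {t["name"]: t for t in self._rpc("tools/list")["tools"]}

    def call(self, name, **arguments):
        if name not in self.tools:           # never invoke a tool the server did not advertise
            raise ValueError(f"tool {name} not advertised by server")
        self.calls.append((name, arguments))
        result = self._rpc("tools/call", {"name": name, "arguments": arguments})
        if result.get("isError"):
            raise RuntimeError(result["content"][0]["text"])
        return json.loads(result["content"][0]["text"])


def triage(client, integration_name, severity):
    """Steps 2-3 of the flow: integration -> assets -> alerts of one severity."""
    ids = {i["name"]: i["id"] for i in client.call("list_integrations")}
    iid = ids[integration_name]
    hosts = {a["id"]: a["hostname"] for a in client.call("list_assets", integration=iid)}
    alerts = client.call("list_alerts", integration=iid, severity=severity)
    return [{"hostname": hosts[a["asset_id"]], "alert": a["id"], "title": a["title"]}
            for a in alerts]


def new_client():
    client = McpClient(fake_server)
    client.initialize()
    return client


if __name__ == "__main__":
    print(triage(new_client(), "crowdstrike-prod", "high"))
```

The client refuses to call a tool name that did not appear in tools/list, and the fake server rejects a call that omits a required argument with a JSON-RPC -32602 error; both checks are worth keeping when you replace the fake transport with a real HTTP one, since an LLM-driven agent will otherwise happily emit tool names and parameters that do not exist.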
Observability & Logging
All EDR/XDR tool invocations are logged by the MCP server with full agent context, timestamped correlation IDs, and system attribution.
Early Access Program
The Unizo EDR/XDR MCP Server is currently available through our Early Access Program. All customers can gain priority access to these powerful security management tools and receive dedicated implementation support.
Reach out to our team to schedule a personalized demo and discuss integration options for your organization.