
Model Context Protocol (MCP)

Early Access

Try our newest feature, available on request only. Contact us to join the early access program and get priority support.

Unizo offers an MCP server that integrates endpoint detection and response (EDR) platforms with any LLM provider supporting the MCP protocol. This enables your AI agent to investigate threats, analyze device health, and automate security responses across CrowdStrike, SentinelOne, Microsoft Defender, and other EDR solutions via a single MCP server.

Supported Tools & Use Cases

The following tools are available in the Endpoint detection and response (EDR) MCP Server:

  • list_devices: Browse and search managed endpoints with comprehensive filtering
  • get_device_status: Retrieve comprehensive device security status and health information
  • list_alerts: View and search security alerts across all endpoints
  • investigate_threat: Deep dive into threat indicators, behaviors, and attack chains
  • isolate_device: Quarantine compromised endpoints from the network
  • run_scan: Initiate on-demand security scans on endpoints

list_devices

Browse and search managed endpoints with comprehensive filtering

Parameters:

  • integration: Target EDR platform integration (required)
  • status: Filter by device status (online, offline, isolated)
  • os_type: Filter by operating system (windows, mac, linux)
  • risk_level: Filter by risk score (critical, high, medium, low)
  • last_seen: Filter by last contact time
  • tags: Filter by device tags or groups
  • page: Pagination control
  • limit: Number of results per page

get_device_status

Retrieve comprehensive device security status and health information

Parameters:

  • integration: Target EDR platform integration (required)
  • device_id: Unique device identifier (required)
  • include_threats: Include active threats and alerts
  • include_vulnerabilities: Include vulnerability information
  • include_policies: Include applied security policies
  • include_forensics: Include forensic timeline data

list_alerts

View and search security alerts across all endpoints

Parameters:

  • integration: Target EDR platform integration (required)
  • severity: Filter by severity (critical, high, medium, low)
  • status: Filter by alert status (new, in_progress, resolved)
  • alert_type: Filter by threat type (malware, ransomware, fileless, etc.)
  • device_id: Filter alerts for specific device
  • time_range: Time period for alerts
  • tactics: Filter by MITRE ATT&CK tactics
  • limit: Maximum alerts to return

investigate_threat

Deep dive into threat indicators, behaviors, and attack chains

Parameters:

  • integration: Target EDR platform integration (required)
  • alert_id: Alert to investigate (required)
  • include_iocs: Include indicators of compromise
  • include_timeline: Include detailed event timeline
  • include_network: Include network connections
  • include_processes: Include process tree information
  • correlation_window: Time window for correlating events

isolate_device

Quarantine compromised endpoints from the network

Parameters:

  • integration: Target EDR platform integration (required)
  • device_id: Device to isolate (required)
  • isolation_type: Type of isolation (full, selective)
  • allow_list: IPs/domains to allow during isolation
  • duration: Isolation duration (permanent, temporary)
  • reason: Reason for isolation (for audit trail)
  • notify_user: Send notification to device user

run_scan

Initiate on-demand security scans on endpoints

Parameters:

  • integration: Target EDR platform integration (required)
  • device_ids: Devices to scan (required)
  • scan_type: Type of scan (quick, full, custom)
  • scan_areas: Specific areas to scan (memory, registry, files)
  • threat_types: Specific threats to look for
  • priority: Scan priority (high, normal, low)
  • schedule: Run immediately or schedule

Installation

Prerequisites

  • A Unizo API key
  • An active EDR & XDR integration (CrowdStrike, Defender, SentinelOne)
  • Node.js v20 or higher

MCP Configuration

Here is an example configuration for setting up the Unizo EDR MCP server:

{
  "mcpServers": {
    "unizo-edr&xdr": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "http://api.unizo.ai/mcp/edr&xdr",
        "--allow-http",
        "--header",
        "apikey:${UNIZO_API_KEY}"
      ],
      "env": {
        "UNIZO_API_KEY": "your_api_key"
      }
    }
  }
}

Note that the endpoint URL is plain http:// and the --allow-http flag is what lets mcp-remote connect to it, so the apikey header travels unencrypted between the proxy and the endpoint; use an https:// endpoint whenever one is available, and supply the key from your environment rather than writing it into the config file.

Client Setup

For detailed setup instructions with specific AI clients:

Environment Variables

The following environment variables are required:

Error Handling

All tools return errors in a consistent format:

{
  "error": {
    "code": "DEVICE_NOT_FOUND",
    "message": "Device 'hostname-1234' not found"
  }
}

Common error codes:

  • INTEGRATION_NOT_FOUND: Invalid EDR platform integration ID
  • DEVICE_NOT_FOUND: Endpoint not found or inaccessible
  • ALERT_NOT_FOUND: Specified alert does not exist
  • UNAUTHORIZED: Invalid credentials or insufficient permissions
  • RATE_LIMIT_EXCEEDED: Too many requests sent to the EDR API
  • SCAN_FAILED: Security scan failed to initiate
  • ISOLATION_FAILED: Device isolation attempt unsuccessful
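As an added example (not part of Unizo's documentation or code), the following JavaScript encodes the tool parameters listed above and the error envelope documented in this section into a client-side gate that an agent runtime can run before forwarding a tool call and after receiving its result. Tool names, required fields, enum values and error codes come from this page; the human-approval policy for isolate_device and run_scan and the helper names are assumptions of this example.

```javascript
// Added example (not Unizo's code): validate an LLM agent's EDR tool call against
// the parameters documented on this page before it is forwarded, and parse the
// documented error envelope afterwards. Required fields and enum values are taken
// from the page; treating isolate_device and run_scan as "response actions" that
// need human approval is this example's own policy, not part of the server.
const TOOL_SPECS = {
  list_devices: { required: ["integration"], responseAction: false,
    enums: { status: ["online", "offline", "isolated"], os_type: ["windows", "mac", "linux"],
             risk_level: ["critical", "high", "medium", "low"] } },
  get_device_status: { required: ["integration", "device_id"], responseAction: false, enums: {} },
  list_alerts: { required: ["integration"], responseAction: false,
    enums: { severity: ["critical", "high", "medium", "low"], status: ["new", "in_progress", "resolved"] } },
  investigate_threat: { required: ["integration", "alert_id"], responseAction: false, enums: {} },
  isolate_device: { required: ["integration", "device_id"], responseAction: true,
    enums: { isolation_type: ["full", "selective"], duration: ["permanent", "temporary"] } },
  run_scan: { required: ["integration", "device_ids"], responseAction: true,
    enums: { scan_type: ["quick", "full", "custom"], priority: ["high", "normal", "low"] } },
};

// Returns { ok, problems } for a proposed call. `approved` is the human-in-the-loop
// flag the agent runtime sets once an analyst has confirmed a response action.
function checkToolCall(name, args, { approved = false } = {}) {
  const spec = TOOL_SPECS[name];
  if (!spec) return { ok: false, problems: [`unknown tool ${name}`] };
  const problems = [];
  for (const p of spec.required) {
    if (args[p] === undefined || args[p] === "") problems.push(`missing required parameter ${p}`);
  }
  for (const [p, allowed] of Object.entries(spec.enums)) {
    if (args[p] !== undefined && !allowed.includes(args[p])) problems.push(`${p} must be one of ${allowed.join(", ")}`);
  }
  if (spec.responseAction) {
    // Response actions change endpoint state: insist on an audit reason and explicit approval.
    if (name === "isolate_device" && !args.reason) problems.push("isolate_device needs a reason for the audit trail");
    if (!approved) problems.push(`${name} is a response action and needs human approval`);
  }
  return { ok: problems.length === 0, problems };
}

// Parses the documented envelope { "error": { "code", "message" } }; null means no error.
// Only RATE_LIMIT_EXCEEDED is treated as safe to retry; the other documented codes are not.
function parseToolError(result) {
  const err = result && typeof result === "object" ? result.error : undefined;
  if (!err || typeof err.code !== "string") return null;
  return { code: err.code, message: String(err.message ?? ""), retryable: err.code === "RATE_LIMIT_EXCEEDED" };
}
```

Rejected calls are returned to the agent with the problem list so it can correct the arguments or request approval, rather than being silently dropped.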