# Kolide MCP

> Kolide helps you audit fleet security posture in seconds. Connect your AI agent to get full visibility into every managed device, track active vulnerabilities across your entire hardware inventory, and check user compliance states instantly. Audit logs, device details, and issue tracking—all available through one MCP.

## Overview
- **Category:** cloud-infrastructure
- **Price:** Free
- **Tags:** endpoint-security, device-management, fleet-inventory, vulnerability-scanning, security-auditing

## Description

Connect Kolide via Vinkius to gain complete oversight of your organization's fleet security and device health. You can use your AI agent to audit every managed device and track specific vulnerabilities or misconfigurations across the entire hardware inventory. It lets you see which users are linked to which devices and whether those individuals meet compliance standards. Need a deeper dive? You can pull up detailed reports on available security checks, view chronological administrative logs, or get high-level fleet statistics at a glance. This MCP handles all that complex data retrieval, letting your agent do the heavy lifting so you don't have to.

## Tools

### list_kolide_devices
Lists every managed device in the fleet for a full security posture check.

### get_device_details
Retrieves specific, granular details about one particular device ID.

### list_kolide_issues
Pulls a list of all active security vulnerabilities and misconfigurations across the fleet.

### get_issue_details
Provides deep information about one specific, reported security issue.

### list_kolide_people
Lists all users associated with the system for compliance review.

### get_person_details
Retrieves specific details about a single user account.

### list_kolide_checks
Shows all the available security checks you can run against your fleet.

### get_check_details
Gets detailed information about a specific type of security check.

### list_kolide_audit_logs
Retrieves the full, chronological history of all administrative and security events.

### get_kolide_fleet_stats
Generates a high-level summary of the entire fleet's current health metrics.

## Prompt Examples

**Prompt:** 
```
List all devices currently online in Kolide
```

**Response:** 
```
Retrieving online devices… I've found 42 devices currently active. Most are MacBooks running macOS 14. Would you like to see if any of these have pending security issues?
```

**Prompt:** 
```
What are the most common security issues in my fleet?
```

**Response:** 
```
The most frequent issues are 'Outdated OS' (12 devices) and 'Full Disk Encryption Disabled' (5 devices). I can provide the names of the affected users if you'd like.
```

**Prompt:** 
```
Show fleet statistics for today
```

**Response:** 
```
Current fleet stats: 150 total devices, 92% compliance rate, 12 active issues, and 5 new devices enrolled this week. Overall health is 'Good'.
```

## Capabilities

### Inventory Device Status
List every device in the fleet and check its current security status.

### Check for Security Vulnerabilities
Pull a list of active security issues or misconfigurations across the entire device pool.

### Review User Compliance
See which users are assigned to devices and whether they meet required compliance policies.

### Audit System Events
Access a complete, chronological history of security and administrative actions taken on the fleet.

### View High-Level Metrics
Get immediate statistics like total device count, online status percentage, and current issue counts.

## Use Cases

### Investigating an alleged data leak
The agent runs through the audit logs using `list_kolide_audit_logs` to trace who accessed a sensitive resource and when. It then uses `get_person_details` to identify that user's role, pinpointing the source of the risk.

### Quarterly compliance review
The team runs `list_kolide_people` followed by checks on each individual. They use this data to confirm every employee’s assigned device is compliant and properly owned, satisfying auditors instantly.

### Post-incident analysis
After a breach alert, the agent first calls `get_kolide_fleet_stats` for an overall picture. Then it uses `list_kolide_issues` to determine if other devices were affected by the same vulnerability.

### Onboarding a new department
The IT manager runs `list_kolide_checks` to see what standards apply, and then uses `get_check_details` to confirm that every new device meets those exact criteria before it goes live.

## Benefits

- You stop guessing about your network. By running `list_kolide_devices`, you get a clear, actionable list of every asset ID and its current security posture in one query.
- Instead of digging through ten different dashboards, you use the MCP to pull all active vulnerabilities by calling `list_kolide_issues` and immediately know what needs patching.
- Compliance checks are faster. Use the toolset to list users via `list_kolide_people`, then check individual compliance using `get_person_details`—all without switching tabs.
- You get immediate answers about system changes by calling `list_kolide_audit_logs`. You don't have to manually sift through days of event records to find one key incident.
- High-level overviews are instant. `get_kolide_fleet_stats` gives you a summary (total devices, compliance rate) so fast it feels like magic.

## How It Works

In short: your agent uses the connection to query Kolide directly and returns the answers in natural language.

1. Subscribe to this MCP and generate a Bearer Token from the Kolide settings.
2. Configure your AI client with that token so it can authenticate against the service.
3. Tell your agent exactly what you need—for example, 'What are the top three security issues affecting my MacBooks?'

## Frequently Asked Questions

**How do I use the list_kolide_devices tool?**
You ask your agent to 'list all devices.' The system uses `list_kolide_devices` and returns a comprehensive roster of every asset ID in the fleet.

**Can Kolide MCP tell me who owns a problematic device?**
Yes. After running `list_kolide_issues`, you can follow up by asking for details on affected users. The agent uses tools like `get_person_details` to pinpoint ownership.

**Is Kolide MCP only good for current issues?**
No, it handles history too. By listing fleet audit logs using `list_kolide_audit_logs`, you get a chronological record of every security event that has happened previously.

**What is the best way to check overall compliance?**
Run `get_kolide_fleet_stats` first for a summary, then follow up with `list_kolide_people` and run checks on the most critical users to verify their status.

**Do I need to know specific vulnerability names?**
Not at all. You can ask your agent generally about 'security issues.' It will use `list_kolide_issues` and then offer options for deeper dives using `get_issue_details`.