explainx.aijoin newsletter3.01k
auth-security

CrowdStrike Falcon

by crowdstrike

Connect with CrowdStrike Falcon, a leading endpoint protection platform, for intelligent security analysis and advanced

Connect with the CrowdStrike Falcon platform for intelligent security analysis, providing programmatic access to detections, incidents, behaviors, threat intelligence, hosts, vulnerabilities, and identity protection capabilities.

github stars

115

GitHubnpm
Direct Falcon platform integrationPublic preview with active development

best for

  • / Security analysts automating threat investigation
  • / SOC teams building AI-powered security workflows
  • / Incident response automation
  • / Security operations intelligence gathering

capabilities

  • / Query security detections and incidents
  • / Analyze threat intelligence data
  • / Monitor host security status
  • / Access vulnerability information
  • / Investigate security behaviors
  • / Manage identity protection alerts

what it does

Connects AI agents to CrowdStrike Falcon's security platform for programmatic access to threat data, detections, incidents, and security analysis capabilities.

about

CrowdStrike Falcon is an official MCP server published by crowdstrike that provides AI assistants with tools and capabilities via the Model Context Protocol. Connect with CrowdStrike Falcon, a leading endpoint protection platform, for intelligent security analysis and advanced It is categorized under auth security.

how to install

You can install CrowdStrike Falcon in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.

license

MIT

CrowdStrike Falcon is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.

readme

CrowdStrike Logo (Light) CrowdStrike Logo (Dark)

falcon-mcp

PyPI version PyPI - Python Version License: MIT

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, incidents, and behaviors—establishing the foundation for advanced security operations and automation.

[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.

Table of Contents

API Credentials & Required Scopes

Setting Up CrowdStrike API Credentials

Before using the Falcon MCP Server, you need to create API credentials in your CrowdStrike console:

  1. Log into your CrowdStrike console
  2. Navigate to Support > API Clients and Keys
  3. Click "Add new API client"
  4. Configure your API client:
    • Client Name: Choose a descriptive name (e.g., "Falcon MCP Server")
    • Description: Optional description for your records
    • API Scopes: Select the scopes based on which modules you plan to use (see below)

Important: Ensure your API client has the necessary scopes for the modules you plan to use. You can always update scopes later in the CrowdStrike console.

Required API Scopes by Module

The Falcon MCP Server supports different modules, each requiring specific API scopes:

ModuleRequired API ScopesPurpose
Cloud SecurityFalcon Container Image:readFind and analyze kubernetes containers inventory and container imges vulnerabilities
CoreNo additional scopesBasic connectivity and system information
DetectionsAlerts:readFind and analyze detections to understand malicious activity
DiscoverAssets:readSearch and analyze application inventory across your environment
HostsHosts:readManage and query host/device information
Identity ProtectionIdentity Protection Entities:read<br>Identity Protection Timeline:read<br>Identity Protection Detections:read<br>Identity Protection Assessment:read<br>Identity Protection GraphQL:writeComprehensive entity investigation and identity protection analysis
IncidentsIncidents:readAnalyze security incidents and coordinated activities
NGSIEMNGSIEM:read<br>NGSIEM:writeExecute CQL queries against Next-Gen SIEM
IntelActors (Falcon Intelligence):read<br>Indicators (Falcon Intelligence):read<br>Reports (Falcon Intelligence):readResearch threat actors, IOCs, and intelligence reports
IOCIOC Management:read<br>IOC Management:writeSearch, create, and remove custom IOCs using IOC Service Collection endpoints
Scheduled ReportsScheduled Reports:readGet details about scheduled reports and searches, run reports on demand, and download report files
Sensor UsageSensor Usage:readAccess and analyze sensor usage data
ServerlessFalcon Container Image:readSearch for vulnerabilities in serverless functions across cloud service providers
SpotlightVulnerabilities:readManage and analyze vulnerability data and security assessments

Available Modules, Tools & Resources

[!IMPORTANT] ⚠️ Important Note on FQL Guide Resources: Several modules include FQL (Falcon Query Language) guide resources that provide comprehensive query documentation and examples. While these resources are designed to assist AI assistants and users with query construction, FQL has nuanced syntax requirements and field-specific behaviors that may not be immediately apparent. AI-generated FQL filters should be tested and validated before use in production environments. We recommend starting with simple queries and gradually building complexity while verifying results in a test environment first.

About Tools & Resources: This server provides both tools (actions you can perform) and resources (documentation and context). Tools execute operations like searching for detections or analyzing threats, while resources provide comprehensive documentation like FQL query guides that AI assistants can reference for context without requiring tool calls.

Cloud Security Module

API Scopes Required:

  • Falcon Container Image:read

Provides tools for accessing and analyzing CrowdStrike Cloud Security resources:

  • falcon_search_kubernetes_containers: Search for containers from CrowdStrike Kubernetes & Containers inventory
  • falcon_count_kubernetes_containers: Count for containers by filter criteria from CrowdStrike Kubernetes & Containers inventory
  • falcon_search_images_vulnerabilities: Search for images vulnerabilities from CrowdStrike Image Assessments

Resources:

  • falcon://cloud/kubernetes-containers/fql-guide: Comprehensive FQL documentation and examples for kubernetes containers searches
  • falcon://cloud/images-vulnerabilities/fql-guide: Comprehensive FQL documentation and examples for images vulnerabilities searches

Use Cases: Manage kubernetes containers inventory, container images vulnerabilities analysis

Core Functionality (Built into Server)

API Scopes: None required beyond basic API access

The server provides core tools for interacting with the Falcon API:

  • falcon_check_connectivity: Check connectivity to the Falcon API
  • falcon_list_enabled_modules: Lists enabled modules in the falcon-mcp server

    These modules are determined by the --modules flag when starting the server. If no modules are specified, all available modules are enabled.

  • falcon_list_modules: Lists all available modules in the falcon-mcp server

Detections Module

API Scopes Required: Alerts:read

Provides tools for accessing and analyzing CrowdStrike Falcon detections:

  • falcon_search_detections: Find and analyze detections to understand malicious activity in your environment
  • falcon_get_detection_details: Get comprehensive detection details for specific detection IDs to understand security threats

Resources:

  • falcon://detections/search/fql-guide: Comprehensive FQL documentation and examples for detection searches

Use Cases: Threat hunting, security analysis, incident response, malware investigation

Discover Module

API Scopes Required: Assets:read

Provides tools for accessing and managing CrowdStrike Falcon Discover applications and unmanaged assets:

  • falcon_search_applications: Search for applications in your CrowdStrike environment
  • falcon_search_unmanaged_assets: Search for unmanaged assets (systems without Falcon sensor installed) that have been discovered by managed systems

Resources:

  • falcon://discover/applications/fql-guide: Comprehensive FQL do