CrowdStrike Falcon

Official server published by crowdstrike

Connects AI agents to CrowdStrike Falcon's security platform for programmatic access to threat data, detections, incidents, and security analysis capabilities.

Connect with the CrowdStrike Falcon platform for intelligent security analysis, providing programmatic access to detections, incidents, behaviors, threat intelligence, hosts, vulnerabilities, and identity protection capabilities.

What it does

  • Query security detections and incidents
  • Analyze threat intelligence data
  • Monitor host security status
  • Access vulnerability information
  • Investigate security behaviors
  • Manage identity protection alerts

Best for

  • Security analysts automating threat investigation
  • SOC teams building AI-powered security workflows
  • Incident response automation
  • Security operations intelligence gathering
  • Direct Falcon platform integration
  • Public preview with active development

About CrowdStrike Falcon

CrowdStrike Falcon is an official MCP server published by crowdstrike that provides AI assistants with tools and capabilities via the Model Context Protocol. Connect with CrowdStrike Falcon, a leading endpoint protection platform, for intelligent security analysis and advanced security operations. It is categorized under auth security.

How to install

You can install CrowdStrike Falcon in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.

License

CrowdStrike Falcon is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.

falcon-mcp

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, incidents, and behaviors—establishing the foundation for advanced security operations and automation.

[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.

API Credentials & Required Scopes

Setting Up CrowdStrike API Credentials

Before using the Falcon MCP Server, you need to create API credentials in your CrowdStrike console:

  1. Log into your CrowdStrike console
  2. Navigate to Support > API Clients and Keys
  3. Click "Add new API client"
  4. Configure your API client:
    • Client Name: Choose a descriptive name (e.g., "Falcon MCP Server")
    • Description: Optional description for your records
    • API Scopes: Select the scopes based on which modules you plan to use (see below)

Important: Ensure your API client has the necessary scopes for the modules you plan to use. You can always update scopes later in the CrowdStrike console.

Required API Scopes by Module

The Falcon MCP Server supports different modules, each requiring specific API scopes:

| Module | Required API Scopes | Purpose |
|---|---|---|
| Cloud Security | Falcon Container Image:read | Find and analyze Kubernetes container inventory and container image vulnerabilities |
| Core | No additional scopes | Basic connectivity and system information |
| Detections | Alerts:read | Find and analyze detections to understand malicious activity |
| Discover | Assets:read | Search and analyze application inventory across your environment |
| Hosts | Hosts:read | Manage and query host/device information |
| Identity Protection | Identity Protection Entities:read, Identity Protection Timeline:read, Identity Protection Detections:read, Identity Protection Assessment:read, Identity Protection GraphQL:write | Comprehensive entity investigation and identity protection analysis |
| Incidents | Incidents:read | Analyze security incidents and coordinated activities |
| NGSIEM | NGSIEM:read, NGSIEM:write | Execute CQL queries against Next-Gen SIEM |
| Intel | Actors (Falcon Intelligence):read, Indicators (Falcon Intelligence):read, Reports (Falcon Intelligence):read | Research threat actors, IOCs, and intelligence reports |
| IOC | IOC Management:read, IOC Management:write | Search, create, and remove custom IOCs using IOC Service Collection endpoints |
| Scheduled Reports | Scheduled Reports:read | Get details about scheduled reports and searches, run reports on demand, and download report files |
| Sensor Usage | Sensor Usage:read | Access and analyze sensor usage data |
| Serverless | Falcon Container Image:read | Search for vulnerabilities in serverless functions across cloud service providers |
| Spotlight | Vulnerabilities:read | Manage and analyze vulnerability data and security assessments |

Available Modules, Tools & Resources

[!IMPORTANT] ⚠️ Important Note on FQL Guide Resources: Several modules include FQL (Falcon Query Language) guide resources that provide comprehensive query documentation and examples. While these resources are designed to assist AI assistants and users with query construction, FQL has nuanced syntax requirements and field-specific behaviors that may not be immediately apparent. AI-generated FQL filters should be tested and validated before use in production environments. We recommend starting with simple queries and gradually building complexity while verifying results in a test environment first.

About Tools & Resources: This server provides both tools (actions you can perform) and resources (documentation and context). Tools execute operations like searching for detections or analyzing threats, while resources provide comprehensive documentation like FQL query guides that AI assistants can reference for context without requiring tool calls.

Cloud Security Module

API Scopes Required:

  • Falcon Container Image:read

Provides tools for accessing and analyzing CrowdStrike Cloud Security resources:

  • falcon_search_kubernetes_containers: Search for containers in the CrowdStrike Kubernetes & Containers inventory
  • falcon_count_kubernetes_containers: Count containers in the CrowdStrike Kubernetes & Containers inventory that match filter criteria
  • falcon_search_images_vulnerabilities: Search for image vulnerabilities from CrowdStrike Image Assessments

Resources:

  • falcon://cloud/kubernetes-containers/fql-guide: Comprehensive FQL documentation and examples for Kubernetes container searches
  • falcon://cloud/images-vulnerabilities/fql-guide: Comprehensive FQL documentation and examples for image vulnerability searches

Use Cases: Kubernetes container inventory management, container image vulnerability analysis

Core Functionality (Built into Server)

API Scopes: None required beyond basic API access

The server provides core tools for interacting with the Falcon API:

  • falcon_check_connectivity: Check connectivity to the Falcon API
  • falcon_list_enabled_modules: Lists enabled modules in the falcon-mcp server

    These modules are determined by the --modules flag when starting the server. If no modules are specified, all available modules are enabled.

  • falcon_list_modules: Lists all available modules in the falcon-mcp server

Detections Module

API Scopes Required: Alerts:read

Provides tools for accessing and analyzing CrowdStrike Falcon detections:

  • falcon_search_detections: Find and analyze detections to understand malicious activity in your environment
  • falcon_get_detection_details: Get comprehensive detection details for specific detection IDs to understand security threats

Resources:

  • falcon://detections/search/fql-guide: Comprehensive FQL documentation and examples for detection searches

Use Cases: Threat hunting, security analysis, incident response, malware investigation

Discover Module

API Scopes Required: Assets:read

Provides tools for accessing and managing CrowdStrike Falcon Discover applications and unmanaged assets:

  • falcon_search_applications: Search for applications in your CrowdStrike environment
  • falcon_search_unmanaged_assets: Search for unmanaged assets (systems without Falcon sensor installed) that have been discovered by managed systems

Resources:

  • falcon://discover/applications/fql-guide: Comprehensive FQL do

README truncated. View full README on GitHub.
