Falcon MCP Server

Connect AI agents to CrowdStrike Falcon for automated security analysis and threat hunting

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "crowdstrike-falcon-mcp": {
      "command": "falcon-mcp",
      "args": [],
      "env": {
        "FALCON_BASE_URL": "https://api.crowdstrike.com",
        "FALCON_MCP_HOST": "127.0.0.1",
        "FALCON_MCP_PORT": "8000",
        "FALCON_CLIENT_ID": "your-client-id",
        "FALCON_MCP_DEBUG": "false",
        "FALCON_MCP_API_KEY": "your-api-key",
        "FALCON_MCP_MODULES": "detections,incidents,intel",
        "FALCON_CLIENT_SECRET": "your-client-secret",
        "FALCON_MCP_TRANSPORT": "stdio",
        "FALCON_MCP_STATELESS_HTTP": "false"
      }
    }
  }
}

Falcon MCP Server connects AI agents to the CrowdStrike Falcon platform, enabling programmatic access to detections, incidents, and behaviors so you can automate security workflows and perform rapid analysis within agentic systems.

How to use

You run the Falcon MCP Server as a local process and connect your MCP client to it (for example one launched through uvx, or another integration). Start the server with the stdio transport for a quick, self-contained setup, then switch transports or enable remote HTTP access as your deployment needs evolve. Use the available modules to tailor capabilities such as detections, incidents, and intel to your environment.

How to install

Prerequisites: ensure you have Python 3.11 or higher and either uv or pip installed on your system.

Install the Falcon MCP Server using the recommended tool for your environment.

# Install using uv (recommended for development and quick start)
uv tool install falcon-mcp

# Or install using pip (production-friendly with Python)
pip install falcon-mcp

Additional sections

API credentials and scopes are required to access CrowdStrike Falcon resources. You create a CrowdStrike API client, assign the necessary scopes for the modules you plan to use, and then configure those credentials in the server environment or a .env file. The Falcon MCP Server supports a range of modules such as Cloud Security, Detections, Discover, Hosts, Incidents, Intel, and more. You enable modules at startup with the --modules flag or via the FALCON_MCP_MODULES environment variable. For HTTP-style transports, consider enabling an API key for the transport to improve security.

Credentials can be configured via a .env file or environment variables. Example contents include the Client ID, Client Secret, and the base API URL for CrowdStrike. Optional settings include the modules you want to enable, the transport type (stdio, sse, or streamable-http), and transport-level options such as host, port, and stateless HTTP mode. CrowdStrike API base URLs differ by region, so set FALCON_BASE_URL to match your region.

Running a local server with the default, stdio transport is the simplest way to start. If you need remote access or scalable deployment, you can run with SSE or streamable HTTP and adjust host/port and stateless settings as needed. When using HTTP transports, protect the endpoint with an API key by passing it through --api-key or FALCON_MCP_API_KEY.

Examples and notes

Start with the default stdio transport (no arguments): the command is falcon-mcp.

Start with the SSE transport: falcon-mcp --transport sse.

Start with streamable-http transport: falcon-mcp --transport streamable-http --host 0.0.0.0 --port 8080.

Enable stateless HTTP mode for scalable deployments: falcon-mcp --transport streamable-http --stateless-http.

Protect HTTP transports with an API key: falcon-mcp --transport streamable-http --api-key your-secret-key.
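The settings above combine in ways that matter: an HTTP transport bound beyond loopback without FALCON_MCP_API_KEY exposes the server to anyone who can reach the port. The following audit script is an added example, not part of the falcon-mcp project; it reads an mcpServers JSON block like the one above and flags those weak combinations, using a constructed sample configuration.

```python
# Added example (not falcon-mcp project code): audit the "mcpServers"
# JSON configuration above for settings that weaken the deployment.
import json

# Constructed sample: the stdio config above, switched to streamable-http
# bound to all interfaces, with debug on and no FALCON_MCP_API_KEY.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "crowdstrike-falcon-mcp": {
            "command": "falcon-mcp",
            "env": {
                "FALCON_MCP_HOST": "0.0.0.0",
                "FALCON_MCP_PORT": "8080",
                "FALCON_CLIENT_ID": "your-client-id",
                "FALCON_CLIENT_SECRET": "s3cr3t-value",
                "FALCON_MCP_DEBUG": "true",
                "FALCON_MCP_TRANSPORT": "streamable-http",
            },
        }
    }
})

HTTP_TRANSPORTS = {"sse", "streamable-http"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PLACEHOLDERS = {"", "your-client-id", "your-client-secret", "your-api-key"}


def audit_env(env: dict) -> list[str]:
    """Return findings for one server's env block (empty list = clean)."""
    findings = []
    transport = env.get("FALCON_MCP_TRANSPORT", "stdio")
    host = env.get("FALCON_MCP_HOST", "127.0.0.1")
    if transport in HTTP_TRANSPORTS:
        # HTTP transports should carry an API key (--api-key / FALCON_MCP_API_KEY)
        if env.get("FALCON_MCP_API_KEY", "") in PLACEHOLDERS:
            findings.append(f"{transport}: FALCON_MCP_API_KEY not set")
        if host not in LOOPBACK:
            findings.append(f"{transport}: bound to {host}, reachable off-host")
    for key in ("FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET"):
        if env.get(key, "") in PLACEHOLDERS:
            findings.append(f"{key} missing or still a placeholder")
    if env.get("FALCON_MCP_DEBUG", "false").lower() == "true":
        findings.append("FALCON_MCP_DEBUG is true; verbose logs may leak API details")
    return findings


def audit_config(text: str) -> dict[str, list[str]]:
    """Audit every server entry in an mcpServers JSON document."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: audit_env(s.get("env", {})) for name, s in servers.items()}
```

Run it against your own client configuration file before switching away from stdio; an empty list for each server means no weak combination was found.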

Running examples

You can run example scripts or integrate with your editor/assistant. For example, you might run a basic usage script or an integration test to validate connectivity and module availability.

Available tools

falcon_check_connectivity

Check connectivity to the Falcon API to verify you can reach the service with your credentials.

falcon_list_enabled_modules

List the modules currently enabled in the Falcon MCP Server based on startup configuration.

falcon_list_modules

List all available modules that the server can enable.

falcon_search_detections

Search for detections and analyze potentially malicious activity.

falcon_get_detection_details

Retrieve detailed information for specific detections by ID.

falcon_search_incidents

Find and analyze security incidents to understand coordinated activity.

falcon_show_crowd_score

View CrowdScore and security posture metrics for your environment.

search_ngsiem

Execute a CQL query against CrowdStrike Next-Gen SIEM repositories.

falcon_search_actors

Research threat actors and adversary groups from Falcon Intelligence.

falcon_search_indicators

Search for indicators of compromise from Falcon Intelligence.

falcon_search_reports

Access intelligence publications and threat reports.

falcon_get_mitre_report

Generate MITRE ATT&CK reports for threat actors.

falcon_search_sensor_usage

Search weekly sensor usage data.

falcon_search_scheduled_reports

Search for scheduled reports and searches.

falcon_launch_scheduled_report

Launch a scheduled report on demand.

falcon_download_report_execution

Download generated scheduled report files.

falcon_search_serverless_vulnerabilities

Search for vulnerabilities in serverless functions.

falcon_search_vulnerabilities

Search for vulnerabilities in the Falcon environment.