CrowdStrike Falcon MCP server for AI agents

The CrowdStrike Falcon MCP server provides a Model Context Protocol interface that connects AI agents with the Falcon security platform. It gives programmatic access to key security capabilities including detections, incidents, and behaviors, enabling advanced security operations and automation.

Installation

Prerequisites

Python 3.11 or higher
uv or pip
CrowdStrike Falcon API credentials

Setting Up API Credentials

Before using Falcon MCP Server, create API credentials in your CrowdStrike console:

Log into your CrowdStrike console
Navigate to Support > API Clients and Keys
Click "Add new API client"
Configure with a descriptive name and select appropriate API scopes based on modules you plan to use

Environment Configuration

Configure your CrowdStrike API credentials using a .env file or environment variables:

Option 1: Create a .env file with:

# Required Configuration
FALCON_CLIENT_ID=your-client-id
FALCON_CLIENT_SECRET=your-client-secret
FALCON_BASE_URL=https://api.crowdstrike.com

# Optional Configuration
#FALCON_MCP_MODULES=detections,incidents,intel
#FALCON_MCP_TRANSPORT=stdio
#FALCON_MCP_DEBUG=false
#FALCON_MCP_HOST=127.0.0.1
#FALCON_MCP_PORT=8000

Option 2: Set environment variables directly:

# Required Configuration
export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret" 
export FALCON_BASE_URL="https://api.crowdstrike.com"

CrowdStrike API Region URLs:

US-1 (Default): https://api.crowdstrike.com
US-2: https://api.us-2.crowdstrike.com
EU-1: https://api.eu-1.crowdstrike.com
US-GOV: https://api.laggar.gcw.crowdstrike.com

Install the Package

Using uv:

uv tool install falcon-mcp

Using pip:

pip install falcon-mcp

Basic Usage

Command Line

Run with default settings (stdio transport):

falcon-mcp

Run with SSE transport:

falcon-mcp --transport sse

Run with streamable-http transport:

falcon-mcp --transport streamable-http

Run with custom port:

falcon-mcp --transport streamable-http --host 0.0.0.0 --port 8080

Module Configuration

Specify which modules to enable:

Using command line arguments:

# Enable specific modules
falcon-mcp --modules detections,incidents,intel,spotlight,idp

# Enable only one module
falcon-mcp --modules detections

Using environment variable:

export FALCON_MCP_MODULES=detections,incidents,intel,spotlight,idp
falcon-mcp

If no modules are specified, all available modules are enabled by default.

Container Usage

Using Pre-built Image

# Pull the image
docker pull quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file (stdio transport)
docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file and SSE transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport sse --host 0.0.0.0

# Run with .env file and streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0

Editor/Assistant Integration

Configure in your editor/AI assistant:

Using `uvx` (recommended)

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp"
      ]
    }
  }
}

With Module Selection

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp",
        "--modules",
        "detections,incidents,intel"
      ]
    }
  }
}

Available Modules and Tools

The Falcon MCP server provides various modules, each requiring specific API scopes:

Core Functionality

falcon_check_connectivity: Check connectivity to the Falcon API
falcon_list_enabled_modules: Lists enabled modules
falcon_list_modules: Lists all available modules

Detections Module

API Scope: Alerts:read

falcon_search_detections: Find and analyze detections
falcon_get_detection_details: Get comprehensive detection details

Incidents Module

API Scope: Incidents:read

falcon_show_crowd_score: View CrowdScores and security posture metrics
falcon_search_incidents: Find and analyze security incidents
falcon_get_incident_details: Get comprehensive incident details
falcon_search_behaviors: Find and analyze behaviors
falcon_get_behavior_details: Get detailed behavior information

Intel Module

API Scopes: Actors (Falcon Intelligence):read, Indicators (Falcon Intelligence):read, Reports (Falcon Intelligence):read

falcon_search_actors: Research threat actors and adversary groups
falcon_search_indicators: Search for threat indicators and IOCs
falcon_search_reports: Access intelligence publications and threat reports

Spotlight Module

API Scope: Vulnerabilities:read

falcon_search_vulnerabilities: Search for vulnerabilities

Hosts Module

API Scope: Hosts:read

falcon_search_hosts: Search for hosts
falcon_get_host_details: Retrieve detailed host information

Identity Protection Module

API Scopes: Various Identity Protection related scopes

idp_investigate_entity: Entity investigation tool for analyzing users and endpoints

Additional Modules

Cloud Security Module
Discover Module
Sensor Usage Module
Serverless Module

Each module includes comprehensive FQL (Falcon Query Language) guide resources to assist with query construction.

Using as a Library

from falcon_mcp.server import FalconMCPServer

# Create and run the server
server = FalconMCPServer(
    base_url="https://api.us-2.crowdstrike.com",  # Optional
    debug=True,  # Optional
    enabled_modules=["detections", "incidents", "spotlight"]  # Optional
)

# Run with stdio transport (default)
server.run()

# Or with SSE transport
server.run("sse")

# Or with streamable-http transport
server.run("streamable-http", host="0.0.0.0", port=8080)

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "falcon-mcp" '{"command":"uvx","args":["--env-file","/path/to/.env","falcon-mcp"]}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "falcon-mcp": {
            "command": "uvx",
            "args": [
                "--env-file",
                "/path/to/.env",
                "falcon-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "falcon-mcp": {
            "command": "uvx",
            "args": [
                "--env-file",
                "/path/to/.env",
                "falcon-mcp"
            ]
        }
    }
}

3. Restart Claude Desktop for the changes to take effect

CrowdStrike Falcon MCP server