
Falcon MCP Server

Provides programmatic access to CrowdStrike Falcon capabilities including detections, incidents, intel, and identity protection for agent workflows.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "itsjahaziel-falcon-mcp-ai": {
      "command": "falcon-mcp",
      "args": [],
      "env": {
        "FALCON_BASE_URL": "https://api.crowdstrike.com",
        "FALCON_MCP_HOST": "127.0.0.1",
        "FALCON_MCP_PORT": "8000",
        "FALCON_CLIENT_ID": "your-client-id",
        "FALCON_MCP_MODULES": "detections,incidents,intel,spotlight,idp",
        "FALCON_CLIENT_SECRET": "your-client-secret",
        "FALCON_MCP_TRANSPORT": "stdio"
      }
    }
  }
}

You deploy falcon-mcp to connect AI agents with CrowdStrike Falcon. It gives agents programmatic access to Falcon security capabilities, so automated investigations, detection analysis, and incident workflows can run inside your agentic processes.

How to use

You run the Falcon MCP Server locally or in a container and connect your MCP client to it. Start with the default stdio transport to interact directly from your environment, or use SSE/streamable-http transports to enable remote access. You can enable specific modules to tailor the server to your security workflow, such as detections, incidents, intel, and identity protection. Use the client to perform searches, fetch details, and drive automated security tasks from your agent.

How to install

Prerequisites: ensure you have Python 3.11 or higher and a way to install Python packages.

Install using the provided package manager for your environment.

Option 1: Install with uv (recommended for development and running the server directly)

uv tool install falcon-mcp

Option 2: Install with pip (a straightforward Python packaging approach)

pip install falcon-mcp

Note: If the falcon-mcp command is not found, update your PATH to include the installation location.

Run the server with the default stdio transport to begin interaction from your shell or IDE.

Additional sections

Configuration overview: you control which modules are enabled at startup. If you do not specify any modules, all available modules are enabled. You can override this with a comma-separated list of modules, passed either on the command line or through environment variables.

Module configuration notes: you need CrowdStrike API credentials to access the Falcon platform. You typically provide a client ID, a client secret, and the base API URL. Optional settings let you choose the transport, the host/port for HTTP-based transports, and debug mode.

Security and credentials: keep your CrowdStrike API credentials secure. Use environment variables or a .env file to pass sensitive information to the server, and avoid embedding secrets in code or logs.

Container usage: you can run Falcon MCP Server in a pre-built container image or build locally for development. The container supports transports such as stdio, SSE, and streamable-http, and you can mount a .env file for configuration.

Editor/Assistant integration: configure your MCP client to connect to falcon-mcp using supported tooling. You can use your editor's MCP integration to run the server and interact with its endpoints directly from your development environment.
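
As an added pre-flight check that is not part of falcon-mcp or its documentation, the following Python script reads an MCP client configuration like the one above and flags the mistakes the preceding sections warn about: missing or placeholder credentials, a client secret embedded in the config file instead of the environment or a .env file, unknown module names, and an HTTP-based transport bound to a non-loopback host. The module and transport names it knows are taken from this page's example config and are an assumption; the server's own falcon_list_modules tool is the authority.

```python
import json

# Module and transport names are taken from this page's example config; the server's
# falcon_list_modules tool is the authority for the real module set (assumption).
KNOWN_MODULES = {"detections", "incidents", "intel", "spotlight", "idp"}
KNOWN_TRANSPORTS = {"stdio", "sse", "streamable-http"}
PLACEHOLDERS = {"", "your-client-id", "your-client-secret"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def check_falcon_mcp_config(config_text: str) -> list[str]:
    """Return findings for every falcon-mcp entry in an MCP client config (JSON text)."""
    findings = []
    for name, server in json.loads(config_text).get("mcpServers", {}).items():
        if server.get("command") != "falcon-mcp":
            continue
        env = server.get("env", {})
        # Credentials: every required value must be set and must not be the doc placeholder.
        for key in ("FALCON_BASE_URL", "FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET"):
            if env.get(key, "") in PLACEHOLDERS:
                findings.append(f"{name}: {key} is missing or still a placeholder")
        # A real secret written into the client config is a finding too: keep it in the
        # process environment or a .env file instead, as the page recommends.
        if env.get("FALCON_CLIENT_SECRET", "") not in PLACEHOLDERS:
            findings.append(f"{name}: FALCON_CLIENT_SECRET is embedded in the config file")
        # Module list: comma-separated; unknown names are most likely typos.
        modules = [m.strip() for m in env.get("FALCON_MCP_MODULES", "").split(",") if m.strip()]
        for module in modules:
            if module not in KNOWN_MODULES:
                findings.append(f"{name}: unknown module '{module}' in FALCON_MCP_MODULES")
        # Transport: HTTP-based transports bound to a non-loopback host are reachable off-host.
        transport = env.get("FALCON_MCP_TRANSPORT", "stdio")
        host = env.get("FALCON_MCP_HOST", "127.0.0.1")
        if transport not in KNOWN_TRANSPORTS:
            findings.append(f"{name}: unknown transport '{transport}'")
        elif transport != "stdio" and host not in LOOPBACK:
            findings.append(f"{name}: {transport} transport bound to {host}, not loopback")
    return findings


# Constructed sample: the page's example config with a typo in the module list and an
# SSE transport bound to all interfaces.
SAMPLE_CONFIG = json.dumps({"mcpServers": {"falcon": {"command": "falcon-mcp", "args": [], "env": {
    "FALCON_BASE_URL": "https://api.crowdstrike.com",
    "FALCON_CLIENT_ID": "your-client-id",
    "FALCON_CLIENT_SECRET": "your-client-secret",
    "FALCON_MCP_MODULES": "detections,incidents,ilp",
    "FALCON_MCP_TRANSPORT": "sse",
    "FALCON_MCP_HOST": "0.0.0.0",
    "FALCON_MCP_PORT": "8000"}}}})
```

Running check_falcon_mcp_config(SAMPLE_CONFIG) yields four findings: two placeholder credentials, the unknown module 'ilp', and the SSE transport bound to 0.0.0.0.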

Available tools

falcon_check_connectivity

Check connectivity to the Falcon API to verify credentials and reachability.

falcon_list_enabled_modules

List modules currently enabled on the Falcon MCP Server.

falcon_list_modules

List all available modules that can be enabled.

falcon_search_detections

Search for detections to understand malicious activity across the environment.

falcon_get_detection_details

Retrieve detailed information for specific detections by ID.

falcon_search_applications

Search for CrowdStrike Discover applications within the environment.

falcon_search_unmanaged_assets

Find unmanaged assets discovered by managed systems.

falcon_search_hosts

Search for hosts/devices within the CrowdStrike environment.

falcon_get_host_details

Get detailed information for specified hosts.

idp_investigate_entity

Investigate an entity in Identity Protection with timeline and risk assessment.

falcon_show_crowd_score

Show CrowdScore and security posture metrics.

falcon_search_incidents

Find and analyze security incidents.

falcon_get_incident_details

Get comprehensive details for a specific incident.

falcon_search_behaviors

Search for behaviors to understand suspicious activity.

falcon_get_behavior_details

Get details for specific security behaviors.

falcon_search_actors

Research threat actors tracked by intelligence.

falcon_search_indicators

Search indicators and IOCs from threat intel.

falcon_search_reports

Access intelligence reports and publications.

falcon_search_sensor_usage

Search weekly sensor usage data.

falcon_search_serverless_vulnerabilities

Search vulnerabilities in serverless functions.

falcon_search_vulnerabilities

Search vulnerabilities within the environment for risk management.