crowdstrike-falcon


Overview

The crowdstrike-falcon-mcp-server is a Model Context Protocol (MCP) server that lets AI assistants and agents interact with the CrowdStrike Falcon platform through a structured, AI-friendly interface. It allows AI-driven workflows to query security telemetry, investigate threats, review detections and incidents, and inspect endpoint posture without switching tools or manually navigating the Falcon console.

This server is particularly useful for security operations (SOC), incident response, threat hunting, and security analysis workflows augmented by AI.

Transport

streamable-http

Tools

  • falcon_check_connectivity
  • falcon_get_available_modules
  • falcon_search_detections
  • falcon_get_detection_details
  • falcon_show_crowd_score
  • falcon_search_incidents
  • falcon_get_incident_details
  • falcon_search_behaviors
  • falcon_get_behavior_details
  • falcon_search_actors
  • falcon_search_indicators
  • falcon_search_reports
  • falcon_search_hosts
  • falcon_get_host_details
  • falcon_search_vulnerabilities
  • falcon_search_kubernetes_containers
  • falcon_count_kubernetes_containers
  • falcon_search_images_vulnerabilities
  • idp_investigate_entity

Key Capabilities

  • Threat visibility — Inspect detections, incidents, and behaviors across endpoints, container workloads, and identities.
  • Incident investigation — Drill into detection and incident details, affected hosts, and related activity.
  • Endpoint inventory — Explore host metadata, status, protection posture, and known vulnerabilities.
  • Security workflow automation — Chain the query tools above into guided or automated triage processes. The tools listed are read-only (search, get, count, show); none of them acknowledges or updates a detection, so any state change still happens in the Falcon console or through a separate integration.
  • Contextual security analysis — Enable AI assistants to summarize threats, correlate events, and suggest next steps.

How It Works

The crowdstrike-falcon-mcp-server runs as a local or containerized MCP service and connects to the CrowdStrike Falcon platform using API client credentials (Client ID and Client Secret) configured as environment variables. Scope that API client to the read permissions the modules you use actually need: every tool call runs with those credentials, so the server can do no more, and no less, than they allow. Once authenticated, the server exposes Falcon API operations as MCP tools that AI clients can invoke.

When an agent calls a tool, the server translates the MCP request into one or more Falcon API calls, executes them with the configured API client's credentials (not the end user's), and returns structured results over MCP. This abstraction handles token acquisition and refresh, pagination, and response normalization, so AI assistants can focus on reasoning and analysis rather than API mechanics.
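The request path described above, as an added illustration that is not the falcon-mcp project's own code: credentials read from environment variables become an OAuth2 client-credentials bearer token, one MCP tool call fans out into as many offset/limit pages as the query needs, and the pages are collapsed into a single normalized result. The environment variable names (FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, FALCON_BASE_URL), the endpoint paths in TOOL_ROUTES, and the fake_transport stand-in for the Falcon API are all assumptions made for this example; only the /oauth2/token grant and the meta.pagination shape follow the public Falcon API conventions.

```python
"""Added example, not falcon-mcp project code: MCP tool call -> authenticated,
paginated Falcon API requests -> normalized result.  Env var names, endpoint
paths and the fake transport below are assumptions for illustration."""
import os
import time
from typing import Any, Callable, Optional

# transport(method, url, params_or_body, headers) -> parsed JSON dict.
# A real server would wrap an HTTP client; fake_transport (bottom) runs offline.
Transport = Callable[[str, str, dict[str, Any], dict[str, str]], dict[str, Any]]


class FalconClient:
    """Holds the API client credentials and a cached OAuth2 bearer token."""

    def __init__(self, transport: Transport, env: Optional[dict[str, str]] = None) -> None:
        env = dict(os.environ) if env is None else env
        self.transport = transport
        self.base_url = env.get("FALCON_BASE_URL", "https://api.crowdstrike.com")
        self.client_id = env["FALCON_CLIENT_ID"]           # fail early if unset
        self._client_secret = env["FALCON_CLIENT_SECRET"]  # never logged or returned
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _bearer(self) -> str:
        """Client-credentials grant; reuse the token, refresh 60 s before expiry."""
        if self._token is None or time.monotonic() >= self._expires_at - 60:
            resp = self.transport("POST", f"{self.base_url}/oauth2/token",
                                  {"client_id": self.client_id,
                                   "client_secret": self._client_secret}, {})
            self._token = resp["access_token"]
            self._expires_at = time.monotonic() + float(resp["expires_in"])
        return self._token

    def query_all(self, path: str, params: dict[str, Any], page: int = 100) -> list[str]:
        """Walk offset/limit pages until meta.pagination.total is reached."""
        ids: list[str] = []
        offset = 0
        while True:
            resp = self.transport("GET", self.base_url + path,
                                  {**params, "offset": offset, "limit": page},
                                  {"Authorization": f"Bearer {self._bearer()}"})
            batch = resp.get("resources", [])
            ids.extend(batch)
            offset += len(batch)
            if not batch or offset >= resp["meta"]["pagination"]["total"]:
                return ids


# MCP tool name -> Falcon query endpoint (paths assumed for this example).
TOOL_ROUTES = {
    "falcon_search_detections": "/detects/queries/detects/v1",
    "falcon_search_hosts": "/devices/queries/devices/v1",
}


def call_tool(client: FalconClient, name: str, arguments: dict[str, Any]) -> dict[str, Any]:
    """Translate one MCP tool call into Falcon API calls and normalize the reply.
    Only whitelisted arguments (FQL filter, sort) reach the API; anything else
    the model supplies is dropped rather than forwarded."""
    if name not in TOOL_ROUTES:
        raise ValueError(f"unknown tool: {name}")
    params = {k: v for k, v in arguments.items() if k in ("filter", "sort") and v}
    ids = client.query_all(TOOL_ROUTES[name], params)
    return {"tool": name, "count": len(ids), "resource_ids": ids}


# ---- constructed offline stand-in for the Falcon API (not a real endpoint) ----
FAKE_DETECTIONS = [f"ldt:{i:04x}" for i in range(250)]   # 250 fake detection IDs
CALLS = {"token": 0, "query": 0}                          # how many calls were made


def fake_transport(method: str, url: str, data: dict[str, Any],
                   headers: dict[str, str]) -> dict[str, Any]:
    if url.endswith("/oauth2/token"):
        CALLS["token"] += 1
        if data.get("client_secret") != "s3cret":
            raise PermissionError("401 invalid_client")
        return {"access_token": "tok-abc", "expires_in": 1799}
    if headers.get("Authorization") != "Bearer tok-abc":
        raise PermissionError("401 missing or invalid bearer token")
    CALLS["query"] += 1
    off, lim = data["offset"], data["limit"]
    return {"resources": FAKE_DETECTIONS[off:off + lim],
            "meta": {"pagination": {"offset": off, "limit": lim,
                                    "total": len(FAKE_DETECTIONS)}}}


def demo() -> dict[str, Any]:
    """Constructed credentials; 250 detections come back in three pages, one token."""
    env = {"FALCON_CLIENT_ID": "abc123", "FALCON_CLIENT_SECRET": "s3cret",
           "FALCON_BASE_URL": "https://api.crowdstrike.com"}
    client = FalconClient(fake_transport, env)
    return call_tool(client, "falcon_search_detections",
                     {"filter": "max_severity_displayname:'Critical'", "limit": 5})


if __name__ == "__main__":
    result = demo()
    print(result["count"], "detections;", CALLS)
```

Two design points worth carrying into a real deployment: the secret lives only on the client object and is never placed in a tool result, so a prompt-injected request cannot exfiltrate it through the model; and the tool layer forwards only a known set of parameters, so the model cannot reach arbitrary endpoints or query options the tool was not designed to expose.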

By exposing Falcon telemetry as native MCP tools, the server enables requests such as “summarize the most critical detections,” “investigate this alert,” or “list endpoints affected by this threat” to be handled conversationally and programmatically within AI-driven security operations.