falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, incidents, and behaviors—establishing the foundation for advanced security operations and automation.
**Important:** 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.
- API Credentials & Required Scopes
- Available Modules, Tools & Resources
- Installation & Setup
- Usage
- Container Usage
- Editor/Assistant Integration
- Additional Deployment Options
- Contributing
- License
- Support
Before using the Falcon MCP Server, you need to create API credentials in your CrowdStrike console:
- Log into your CrowdStrike console
- Navigate to Support > API Clients and Keys
- Click "Add new API client"
- Configure your API client:
  - Client Name: Choose a descriptive name (e.g., "Falcon MCP Server")
  - Description: Optional description for your records
  - API Scopes: Select the scopes based on which modules you plan to use (see below)
The Falcon MCP Server supports different modules, each requiring specific API scopes:
Module | Required API Scopes | Purpose |
---|---|---|
Core | No additional scopes | Basic connectivity and system information |
Detections | Alerts:read | Find and analyze detections to understand malicious activity |
Incidents | Incidents:read | Analyze security incidents and coordinated activities |
Intel | Actors (Falcon Intelligence):read, Indicators (Falcon Intelligence):read, Reports (Falcon Intelligence):read | Research threat actors, IOCs, and intelligence reports |
Hosts | Hosts:read | Manage and query host/device information |
Cloud Security | Falcon Container Image:read | Find and analyze Kubernetes container inventory and container image vulnerabilities |
Spotlight | Vulnerabilities:read | Manage and analyze vulnerability data and security assessments |
Identity Protection | Identity Protection GraphQL:write | Comprehensive entity investigation and identity protection analysis |
**Important:** About Tools & Resources: This server provides both tools (actions you can perform) and resources (documentation and context). Tools execute operations like searching for detections or analyzing threats, while resources provide comprehensive documentation like FQL query guides that AI assistants can reference for context without requiring tool calls.
**Core module.** API Scopes: None required beyond basic API access

The server provides core tools for interacting with the Falcon API:

- `falcon_check_connectivity`: Check connectivity to the Falcon API
- `falcon_get_available_modules`: Get information about available modules
**Detections module.** API Scopes Required: Alerts:read

Provides tools for accessing and analyzing CrowdStrike Falcon detections:

- `falcon_search_detections`: Find and analyze detections to understand malicious activity in your environment
- `falcon_get_detection_details`: Get comprehensive detection details for specific detection IDs to understand security threats

Resources:

- `falcon://detections/search/fql-guide`: Comprehensive FQL documentation and examples for detection searches

Use Cases: Threat hunting, security analysis, incident response, malware investigation
**Incidents module.** API Scopes Required: Incidents:read

Provides tools for accessing and analyzing CrowdStrike Falcon incidents:

- `falcon_show_crowd_score`: View calculated CrowdScores and security posture metrics for your environment
- `falcon_search_incidents`: Find and analyze security incidents to understand coordinated activity in your environment
- `falcon_get_incident_details`: Get comprehensive incident details to understand attack patterns and coordinated activities
- `falcon_search_behaviors`: Find and analyze behaviors to understand suspicious activity in your environment
- `falcon_get_behavior_details`: Get detailed behavior information to understand attack techniques and tactics

Resources:

- `falcon://incidents/crowd-score/fql-guide`: Comprehensive FQL documentation for CrowdScore queries
- `falcon://incidents/search/fql-guide`: Comprehensive FQL documentation and examples for incident searches
- `falcon://incidents/behaviors/fql-guide`: Comprehensive FQL documentation and examples for behavior searches

Use Cases: Incident management, threat assessment, attack pattern analysis, security posture monitoring
**Intel module.** API Scopes Required:

- Actors (Falcon Intelligence):read
- Indicators (Falcon Intelligence):read
- Reports (Falcon Intelligence):read

Provides tools for accessing and analyzing CrowdStrike Intelligence:

- `falcon_search_actors`: Research threat actors and adversary groups tracked by CrowdStrike intelligence
- `falcon_search_indicators`: Search for threat indicators and indicators of compromise (IOCs) from CrowdStrike intelligence
- `falcon_search_reports`: Access CrowdStrike intelligence publications and threat reports

Resources:

- `falcon://intel/actors/fql-guide`: Comprehensive FQL documentation and examples for threat actor searches
- `falcon://intel/indicators/fql-guide`: Comprehensive FQL documentation and examples for indicator searches
- `falcon://intel/reports/fql-guide`: Comprehensive FQL documentation and examples for intelligence report searches

Use Cases: Threat intelligence research, adversary tracking, IOC analysis, threat landscape assessment
**Hosts module.** API Scopes Required: Hosts:read

Provides tools for accessing and managing CrowdStrike Falcon hosts/devices:

- `falcon_search_hosts`: Search for hosts in your CrowdStrike environment
- `falcon_get_host_details`: Retrieve detailed information for specified host device IDs

Resources:

- `falcon://hosts/search/fql-guide`: Comprehensive FQL documentation and examples for host searches

Use Cases: Asset management, device inventory, host monitoring, compliance reporting
**Spotlight module.** API Scopes Required: Vulnerabilities:read

Provides tools for accessing and managing CrowdStrike Spotlight vulnerabilities:

- `falcon_search_vulnerabilities`: Search for vulnerabilities in your CrowdStrike environment

Resources:

- `falcon://spotlight/vulnerabilities/fql-guide`: Comprehensive FQL documentation and examples for vulnerability searches

Use Cases: Vulnerability management, security assessments, compliance reporting, risk analysis, patch prioritization
**Cloud Security module.** API Scopes Required: Falcon Container Image:read

Provides tools for accessing and analyzing CrowdStrike Cloud Security resources:

- `falcon_search_kubernetes_containers`: Search for containers in the CrowdStrike Kubernetes & Containers inventory
- `falcon_count_kubernetes_containers`: Count containers in the CrowdStrike Kubernetes & Containers inventory that match filter criteria
- `falcon_search_images_vulnerabilities`: Search for image vulnerabilities from CrowdStrike Image Assessments

Resources:

- `falcon://cloud/kubernetes-containers/fql-guide`: Comprehensive FQL documentation and examples for Kubernetes container searches
- `falcon://cloud/images-vulnerabilities/fql-guide`: Comprehensive FQL documentation and examples for image vulnerability searches

Use Cases: Kubernetes container inventory management, container image vulnerability analysis
**Identity Protection module.** API Scopes Required: Identity Protection GraphQL:write

Provides tools for accessing and managing CrowdStrike Falcon Identity Protection capabilities:

- `idp_investigate_entity`: Entity investigation tool for analyzing users, endpoints, and other entities with support for timeline analysis, relationship mapping, and risk assessment

Use Cases: Entity investigation, identity protection analysis, user behavior analysis, endpoint security assessment, relationship mapping, risk assessment
- Python 3.11 or higher
- uv
- CrowdStrike Falcon API credentials (see above)
Copy the example environment file and configure your credentials:

```bash
cp .env.example .env
```

Then edit `.env` with your CrowdStrike API credentials:

Required Configuration:

- `FALCON_CLIENT_ID`: Your CrowdStrike API client ID
- `FALCON_CLIENT_SECRET`: Your CrowdStrike API client secret
- `FALCON_BASE_URL`: Your CrowdStrike API region URL (see options in `.env.example`)

Optional Configuration:

- `FALCON_MCP_MODULES`: Comma-separated list of modules to enable (default: all modules)
- `FALCON_MCP_TRANSPORT`: Transport method - `stdio`, `sse`, or `streamable-http` (default: `stdio`)
- `FALCON_MCP_DEBUG`: Enable debug logging - `true` or `false` (default: `false`)
- `FALCON_MCP_HOST`: Host for HTTP transports (default: `127.0.0.1`)
- `FALCON_MCP_PORT`: Port for HTTP transports (default: `8000`)

Alternatively, you can set these as environment variables instead of using a `.env` file.

**Important:** Ensure your API client has the necessary scopes for the modules you plan to use. You can always update scopes later in the CrowdStrike console.
```bash
uvx falcon-mcp
```

Run the server with default settings (stdio transport):

```bash
falcon-mcp
```

Run with SSE transport:

```bash
falcon-mcp --transport sse
```

Run with streamable-http transport:

```bash
falcon-mcp --transport streamable-http
```

Run with streamable-http transport on a custom host and port:

```bash
falcon-mcp --transport streamable-http --host 0.0.0.0 --port 8080
```
The Falcon MCP Server supports multiple ways to specify which modules to enable:
Specify modules using comma-separated lists:

```bash
# Enable specific modules
falcon-mcp --modules detections,incidents,intel,spotlight,idp

# Enable only one module
falcon-mcp --modules detections
```

Set the `FALCON_MCP_MODULES` environment variable:

```bash
# Export environment variable
export FALCON_MCP_MODULES=detections,incidents,intel,spotlight,idp
falcon-mcp

# Or set inline
FALCON_MCP_MODULES=detections,incidents,intel,spotlight,idp falcon-mcp
```
If no modules are specified via command line or environment variable, all available modules are enabled by default.
Module Priority Order:

- Command line `--modules` argument (overrides all)
- `FALCON_MCP_MODULES` environment variable (fallback)
- All modules (default when none specified)
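The module priority order above and the `FALCON_MCP_*` variables from the configuration section can be exercised together, as in the following added example (written for this README, not code from the falcon-mcp project, whose real settings loader may differ). It resolves the enabled modules from the `--modules` value, then `FALCON_MCP_MODULES`, then the default of all modules; applies the documented defaults for transport, host, port and debug; and derives, from the API scope table above, the scopes the chosen modules need, so an API client can be granted exactly those scopes and nothing more. The module keys `hosts` and `cloud` are assumptions (the README only shows the names Hosts and Cloud Security in the table), and `scope_gap` is a helper invented for this example.

```python
"""Resolve falcon-mcp startup settings and the API scopes they imply.

Added example for this README; not the project's own code. Module keys
'hosts' and 'cloud' are assumed names (the README table shows only
'Hosts' and 'Cloud Security').
"""
from typing import Iterable, Mapping, Optional

# Module name -> required API scopes, transcribed from the README scope table.
MODULE_SCOPES: dict[str, frozenset[str]] = {
    "core": frozenset(),
    "detections": frozenset({"Alerts:read"}),
    "incidents": frozenset({"Incidents:read"}),
    "intel": frozenset({
        "Actors (Falcon Intelligence):read",
        "Indicators (Falcon Intelligence):read",
        "Reports (Falcon Intelligence):read",
    }),
    "hosts": frozenset({"Hosts:read"}),                    # key assumed
    "cloud": frozenset({"Falcon Container Image:read"}),   # key assumed
    "spotlight": frozenset({"Vulnerabilities:read"}),
    "idp": frozenset({"Identity Protection GraphQL:write"}),
}
TRANSPORTS = ("stdio", "sse", "streamable-http")


def _parse_module_list(raw: str) -> list[str]:
    """Split a comma-separated module list, dropping blanks, rejecting unknown names."""
    modules = [m.strip().lower() for m in raw.split(",") if m.strip()]
    unknown = [m for m in modules if m not in MODULE_SCOPES]
    if unknown:
        raise ValueError(
            f"unknown module(s): {', '.join(unknown)}; known: {', '.join(MODULE_SCOPES)}"
        )
    return modules


def resolve_modules(cli_modules: Optional[str], env: Mapping[str, str]) -> list[str]:
    """Priority: --modules argument, then FALCON_MCP_MODULES, then every module."""
    if cli_modules:
        return _parse_module_list(cli_modules)
    if env.get("FALCON_MCP_MODULES", "").strip():
        return _parse_module_list(env["FALCON_MCP_MODULES"])
    return list(MODULE_SCOPES)


def resolve_settings(cli_modules: Optional[str], env: Mapping[str, str]) -> dict:
    """Combine module selection with transport/host/port/debug and their documented defaults."""
    transport = env.get("FALCON_MCP_TRANSPORT", "stdio")
    if transport not in TRANSPORTS:
        raise ValueError(f"FALCON_MCP_TRANSPORT must be one of {TRANSPORTS}, got {transport!r}")
    port = int(env.get("FALCON_MCP_PORT", "8000"))
    if not 1 <= port <= 65535:
        raise ValueError(f"FALCON_MCP_PORT out of range: {port}")
    return {
        "modules": resolve_modules(cli_modules, env),
        "transport": transport,
        "host": env.get("FALCON_MCP_HOST", "127.0.0.1"),
        "port": port,
        "debug": env.get("FALCON_MCP_DEBUG", "false").strip().lower() == "true",
    }


def required_scopes(modules: Iterable[str]) -> set[str]:
    """Union of the API scopes needed by the enabled modules."""
    return set().union(*(MODULE_SCOPES[m] for m in modules))


def scope_gap(modules: Iterable[str], granted: Iterable[str]) -> tuple[set[str], set[str]]:
    """Return (missing, excess): scopes still needed, and scopes held that no enabled module uses."""
    needed, held = required_scopes(modules), set(granted)
    return needed - held, held - needed


if __name__ == "__main__":
    # Constructed environment for the demo; a real run would pass os.environ.
    demo_env = {"FALCON_MCP_MODULES": "intel,spotlight", "FALCON_MCP_TRANSPORT": "streamable-http"}
    cfg = resolve_settings("detections,incidents,idp", demo_env)  # the CLI value wins
    print(cfg)
    missing, excess = scope_gap(cfg["modules"], {"Alerts:read", "Hosts:read"})
    print("missing scopes:", sorted(missing))
    print("unused scopes:", sorted(excess))
```

The `excess` set is the least-privilege check: scopes an API client holds that none of the enabled modules can use, which is a reason to trim the client in the CrowdStrike console rather than leave them granted.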
For all available options:

```bash
falcon-mcp --help
```
```python
from falcon_mcp.server import FalconMCPServer

# Create and run the server
server = FalconMCPServer(
    base_url="https://api.us-2.crowdstrike.com",  # Optional, defaults to env var
    debug=True,  # Optional, enable debug logging
    enabled_modules=["detections", "incidents", "spotlight", "idp"],  # Optional, defaults to all modules
)

# Run with stdio transport (default)
server.run()

# Or run with SSE transport
server.run("sse")

# Or run with streamable-http transport
server.run("streamable-http")

# Or run with streamable-http transport on custom host/port
server.run("streamable-http", host="0.0.0.0", port=8080)
```

```bash
# Run with stdio transport
python examples/basic_usage.py

# Run with SSE transport
python examples/sse_usage.py

# Run with streamable-http transport
python examples/streamable_http_usage.py
```
The Falcon MCP Server is available as a pre-built container image for easy deployment:

```bash
# Pull the latest pre-built image
docker pull quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file (recommended)
docker run --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file and SSE transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport sse --host 0.0.0.0

# Run with .env file and streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0

# Run with .env file and custom port
docker run --rm -p 8080:8080 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0 --port 8080

# Run with .env file and specific modules
docker run --rm --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --modules detections,incidents,spotlight,idp

# Use a specific version instead of latest
docker run --rm --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:1.2.3

# Alternative: Individual environment variables
docker run --rm -e FALCON_CLIENT_ID=your_client_id -e FALCON_CLIENT_SECRET=your_secret \
  quay.io/crowdstrike/falcon-mcp:latest
```

For development or customization purposes, you can build the image locally:

```bash
# Build the Docker image
docker build -t falcon-mcp .

# Run the locally built image
docker run --rm -e FALCON_CLIENT_ID=your_client_id -e FALCON_CLIENT_SECRET=your_secret falcon-mcp
```

**Note:** When using HTTP transports in Docker, always set `--host 0.0.0.0` to allow external connections to the container.
You can integrate the Falcon MCP server with your editor or AI assistant in a few ways:

```json
{
  "servers": [
    {
      "name": "falcon-stdio",
      "transport": {
        "type": "stdio",
        "command": "python -m falcon_mcp.server"
      }
    },
    {
      "name": "falcon-stdio-docker",
      "transport": {
        "type": "stdio",
        "command": "docker",
        "args": [
          "run",
          "-i",
          "--rm",
          "--env-file",
          "/full/path/to/.env",
          "quay.io/crowdstrike/falcon-mcp:latest"
        ]
      }
    },
    {
      "name": "falcon-sse",
      "transport": {
        "type": "sse",
        "url": "https://127.0.0.1:8000/sse"
      }
    },
    {
      "name": "falcon-streamable-http",
      "transport": {
        "type": "streamable-http",
        "url": "https://127.0.0.1:8000/mcp"
      }
    }
  ]
}
```
To deploy the MCP Server as a tool in Amazon Bedrock AgentCore, please refer to the following document.
- Clone the repository:

  ```bash
  git clone https://github.com/CrowdStrike/falcon-mcp.git
  cd falcon-mcp
  ```

- Install in development mode:

  ```bash
  # Install dependencies and create .venv
  uv sync

  # Activate the venv
  source .venv/bin/activate

  # Install development dependencies
  uv pip install -e ".[dev]"
  ```

**Important:** This project uses Conventional Commits for automated releases and semantic versioning. Please follow the commit message format outlined in our Contributing Guide when submitting changes.
```bash
# Run all tests
pytest

# Run end-to-end tests
pytest --run-e2e tests/e2e/

# Run end-to-end tests with verbose output (note: -s is required to see output)
pytest --run-e2e -v -s tests/e2e/
```

**Note:** The `-s` flag is required to see detailed output from E2E tests.
- Module Development Guide: Instructions for implementing new modules
- Resource Development Guide: Instructions for implementing resources
- End-to-End Testing Guide: Guide for running and understanding E2E tests
This project is licensed under the MIT License - see the LICENSE file for details.
This is a community-driven, open source project. While it is not an official CrowdStrike product, it is actively maintained by CrowdStrike and supported in collaboration with the open source developer community.
For more information, please see our SUPPORT file.