CrowdStrike Falcon MCP Server

CrowdStrike Falcon MCP Server

Connects AI agents with the CrowdStrike Falcon platform to enable intelligent security analysis, providing programmatic access to detections, incidents, threat intelligence, vulnerabilities, and other security capabilities for advanced security operations and automation.

Category
访问服务器

README

CrowdStrike Falcon

falcon-mcp

PyPI version PyPI - Python Version License: MIT

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, incidents, and behaviors—establishing the foundation for advanced security operations and automation.

[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.

Table of Contents

API Credentials & Required Scopes

Setting Up CrowdStrike API Credentials

Before using the Falcon MCP Server, you need to create API credentials in your CrowdStrike console:

  1. Log into your CrowdStrike console
  2. Navigate to Support > API Clients and Keys
  3. Click "Add new API client"
  4. Configure your API client:
    • Client Name: Choose a descriptive name (e.g., "Falcon MCP Server")
    • Description: Optional description for your records
    • API Scopes: Select the scopes based on which modules you plan to use (see below)

Required API Scopes by Module

The Falcon MCP Server supports different modules, each requiring specific API scopes:

Module Required API Scopes Purpose
Cloud Security Falcon Container Image:read Find and analyze kubernetes containers inventory and container imges vulnerabilities
Core No additional scopes Basic connectivity and system information
Detections Alerts:read Find and analyze detections to understand malicious activity
Discover Assets:read Search and analyze application inventory across your environment
Hosts Hosts:read Manage and query host/device information
Identity Protection Identity Protection Entities:read<br>Identity Protection Timeline:read<br>Identity Protection Detections:read <br> Identity Protection Assessment:read Comprehensive entity investigation and identity protection analysis
Incidents Incidents:read Analyze security incidents and coordinated activities
Intel Actors (Falcon Intelligence):read<br>Indicators (Falcon Intelligence):read<br>Reports (Falcon Intelligence):read Research threat actors, IOCs, and intelligence reports
Sensor Usage Sensor Usage:read Access and analyze sensor usage data
Serverless Falcon Container Image:read Search for vulnerabilities in serverless functions across cloud service providers
Spotlight Vulnerabilities:read Manage and analyze vulnerability data and security assessments

Available Modules, Tools & Resources

[!IMPORTANT] ⚠️ Important Note on FQL Guide Resources: Several modules include FQL (Falcon Query Language) guide resources that provide comprehensive query documentation and examples. While these resources are designed to assist AI assistants and users with query construction, FQL has nuanced syntax requirements and field-specific behaviors that may not be immediately apparent. AI-generated FQL filters should be tested and validated before use in production environments. We recommend starting with simple queries and gradually building complexity while verifying results in a test environment first.

About Tools & Resources: This server provides both tools (actions you can perform) and resources (documentation and context). Tools execute operations like searching for detections or analyzing threats, while resources provide comprehensive documentation like FQL query guides that AI assistants can reference for context without requiring tool calls.

Cloud Security Module

API Scopes Required:

  • Falcon Container Image:read

Provides tools for accessing and analyzing CrowdStrike Cloud Security resources:

  • falcon_search_kubernetes_containers: Search for containers from CrowdStrike Kubernetes & Containers inventory
  • falcon_count_kubernetes_containers: Count for containers by filter criteria from CrowdStrike Kubernetes & Containers inventory
  • falcon_search_images_vulnerabilities: Search for images vulnerabilities from CrowdStrike Image Assessments

Resources:

  • falcon://cloud/kubernetes-containers/fql-guide: Comprehensive FQL documentation and examples for kubernetes containers searches
  • falcon://cloud/images-vulnerabilities/fql-guide: Comprehensive FQL documentation and examples for images vulnerabilities searches

Use Cases: Manage kubernetes containers inventory, container images vulnerabilities analysis

Core Functionality (Built into Server)

API Scopes: None required beyond basic API access

The server provides core tools for interacting with the Falcon API:

  • falcon_check_connectivity: Check connectivity to the Falcon API
  • falcon_list_enabled_modules: Lists enabled modules in the falcon-mcp server

    These modules are determined by the --modules flag when starting the server. If no modules are specified, all available modules are enabled.

  • falcon_list_modules: Lists all available modules in the falcon-mcp server

Detections Module

API Scopes Required: Alerts:read

Provides tools for accessing and analyzing CrowdStrike Falcon detections:

  • falcon_search_detections: Find and analyze detections to understand malicious activity in your environment
  • falcon_get_detection_details: Get comprehensive detection details for specific detection IDs to understand security threats

Resources:

  • falcon://detections/search/fql-guide: Comprehensive FQL documentation and examples for detection searches

Use Cases: Threat hunting, security analysis, incident response, malware investigation

Discover Module

API Scopes Required: Assets:read

Provides tools for accessing and managing CrowdStrike Falcon Discover applications:

  • falcon_search_applications: Search for applications in your CrowdStrike environment

Resources:

  • falcon://discover/applications/fql-guide: Comprehensive FQL documentation and examples for application searches

Use Cases: Application inventory management, software asset management, license compliance, vulnerability assessment

Hosts Module

API Scopes Required: Hosts:read

Provides tools for accessing and managing CrowdStrike Falcon hosts/devices:

  • falcon_search_hosts: Search for hosts in your CrowdStrike environment
  • falcon_get_host_details: Retrieve detailed information for specified host device IDs

Resources:

  • falcon://hosts/search/fql-guide: Comprehensive FQL documentation and examples for host searches

Use Cases: Asset management, device inventory, host monitoring, compliance reporting

Identity Protection Module

API Scopes Required: Identity Protection GraphQL:write

Provides tools for accessing and managing CrowdStrike Falcon Identity Protection capabilities:

  • idp_investigate_entity: Entity investigation tool for analyzing users, endpoints, and other entities with support for timeline analysis, relationship mapping, and risk assessment

Use Cases: Entity investigation, identity protection analysis, user behavior analysis, endpoint security assessment, relationship mapping, risk assessment

Incidents Module

API Scopes Required: Incidents:read

Provides tools for accessing and analyzing CrowdStrike Falcon incidents:

  • falcon_show_crowd_score: View calculated CrowdScores and security posture metrics for your environment
  • falcon_search_incidents: Find and analyze security incidents to understand coordinated activity in your environment
  • falcon_get_incident_details: Get comprehensive incident details to understand attack patterns and coordinated activities
  • falcon_search_behaviors: Find and analyze behaviors to understand suspicious activity in your environment
  • falcon_get_behavior_details: Get detailed behavior information to understand attack techniques and tactics

Resources:

  • falcon://incidents/crowd-score/fql-guide: Comprehensive FQL documentation for CrowdScore queries
  • falcon://incidents/search/fql-guide: Comprehensive FQL documentation and examples for incident searches
  • falcon://incidents/behaviors/fql-guide: Comprehensive FQL documentation and examples for behavior searches

Use Cases: Incident management, threat assessment, attack pattern analysis, security posture monitoring

Intel Module

API Scopes Required:

  • Actors (Falcon Intelligence):read
  • Indicators (Falcon Intelligence):read
  • Reports (Falcon Intelligence):read

Provides tools for accessing and analyzing CrowdStrike Intelligence:

  • falcon_search_actors: Research threat actors and adversary groups tracked by CrowdStrike intelligence
  • falcon_search_indicators: Search for threat indicators and indicators of compromise (IOCs) from CrowdStrike intelligence
  • falcon_search_reports: Access CrowdStrike intelligence publications and threat reports

Resources:

  • falcon://intel/actors/fql-guide: Comprehensive FQL documentation and examples for threat actor searches
  • falcon://intel/indicators/fql-guide: Comprehensive FQL documentation and examples for indicator searches
  • falcon://intel/reports/fql-guide: Comprehensive FQL documentation and examples for intelligence report searches

Use Cases: Threat intelligence research, adversary tracking, IOC analysis, threat landscape assessment

Sensor Usage Module

API Scopes Required: Sensor Usage:read

Provides tools for accessing and analyzing CrowdStrike Falcon sensor usage data:

  • falcon_search_sensor_usage: Search for weekly sensor usage data in your CrowdStrike environment

Resources:

  • falcon://sensor-usage/weekly/fql-guide: Comprehensive FQL documentation and examples for sensor usage searches

Use Cases: Sensor deployment monitoring, license utilization analysis, sensor health tracking

Serverless Module

API Scopes Required: Falcon Container Image:read

Provides tools for accessing and managing CrowdStrike Falcon Serverless Vulnerabilities:

  • falcon_search_serverless_vulnerabilities: Search for vulnerabilities in your serverless functions across all cloud service providers

Resources:

  • falcon://serverless/vulnerabilities/fql-guide: Comprehensive FQL documentation and examples for serverless vulnerabilities searches

Use Cases: Serverless security assessment, vulnerability management, cloud security monitoring

Spotlight Module

API Scopes Required: Vulnerabilities:read

Provides tools for accessing and managing CrowdStrike Spotlight vulnerabilities:

  • falcon_search_vulnerabilities: Search for vulnerabilities in your CrowdStrike environment

Resources:

  • falcon://spotlight/vulnerabilities/fql-guide: Comprehensive FQL documentation and examples for vulnerability searches

Use Cases: Vulnerability management, security assessments, compliance reporting, risk analysis, patch prioritization

Installation & Setup

Prerequisites

  • Python 3.11 or higher
  • uv or pip
  • CrowdStrike Falcon API credentials (see above)

Environment Configuration

Copy the example environment file and configure your credentials:

cp .env.example .env

Then edit .env with your CrowdStrike API credentials:

Required Configuration:

  • FALCON_CLIENT_ID: Your CrowdStrike API client ID
  • FALCON_CLIENT_SECRET: Your CrowdStrike API client secret
  • FALCON_BASE_URL: Your CrowdStrike API region URL (see options in .env.example)

Optional Configuration:

  • FALCON_MCP_MODULES: Comma-separated list of modules to enable (default: all modules)
  • FALCON_MCP_TRANSPORT: Transport method - stdio, sse, or streamable-http (default: stdio)
  • FALCON_MCP_DEBUG: Enable debug logging - true or false (default: false)
  • FALCON_MCP_HOST: Host for HTTP transports (default: 127.0.0.1)
  • FALCON_MCP_PORT: Port for HTTP transports (default: 8000)

Alternatively, you can set these as environment variables instead of using a .env file.

Important: Ensure your API client has the necessary scopes for the modules you plan to use. You can always update scopes later in the CrowdStrike console.

Installation

Install using uv

uv tool install falcon-mcp

Install using pip

pip install falcon-mcp

[!TIP] If falcon-mcp isn't found, update your shell PATH.

For installation via code editors/assistants, see the Editor/Assitant section below

Usage

Command Line

Run the server with default settings (stdio transport):

falcon-mcp

Run with SSE transport:

falcon-mcp --transport sse

Run with streamable-http transport:

falcon-mcp --transport streamable-http

Run with streamable-http transport on custom port:

falcon-mcp --transport streamable-http --host 0.0.0.0 --port 8080

Module Configuration

The Falcon MCP Server supports multiple ways to specify which modules to enable:

1. Command Line Arguments (highest priority)

Specify modules using comma-separated lists:

# Enable specific modules
falcon-mcp --modules detections,incidents,intel,spotlight,idp

# Enable only one module
falcon-mcp --modules detections

2. Environment Variable (fallback)

Set the FALCON_MCP_MODULES environment variable:

# Export environment variable
export FALCON_MCP_MODULES=detections,incidents,intel,spotlight,idp
falcon-mcp

# Or set inline
FALCON_MCP_MODULES=detections,incidents,intel,spotlight,idp falcon-mcp

3. Default Behavior (all modules)

If no modules are specified via command line or environment variable, all available modules are enabled by default.

Module Priority Order:

  1. Command line --modules argument (overrides all)
  2. FALCON_MCP_MODULES environment variable (fallback)
  3. All modules (default when none specified)

Additional Command Line Options

For all available options:

falcon-mcp --help

As a Library

from falcon_mcp.server import FalconMCPServer

# Create and run the server
server = FalconMCPServer(
    base_url="https://api.us-2.crowdstrike.com",  # Optional, defaults to env var
    debug=True,  # Optional, enable debug logging
    enabled_modules=["detections", "incidents", "spotlight", "idp"]  # Optional, defaults to all modules
)

# Run with stdio transport (default)
server.run()

# Or run with SSE transport
server.run("sse")

# Or run with streamable-http transport
server.run("streamable-http")

# Or run with streamable-http transport on custom host/port
server.run("streamable-http", host="0.0.0.0", port=8080)

Running Examples

# Run with stdio transport
python examples/basic_usage.py

# Run with SSE transport
python examples/sse_usage.py

# Run with streamable-http transport
python examples/streamable_http_usage.py

Container Usage

The Falcon MCP Server is available as a pre-built container image for easy deployment:

Using Pre-built Image (Recommended)

# Pull the latest pre-built image
docker pull quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file (recommended)
docker run --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file and SSE transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport sse --host 0.0.0.0

# Run with .env file and streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0

# Run with .env file and custom port
docker run --rm -p 8080:8080 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0 --port 8080

# Run with .env file and specific modules
docker run --rm --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --modules detections,incidents,spotlight,idp

# Use a specific version instead of latest
docker run --rm --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:1.2.3

# Alternative: Individual environment variables
docker run --rm -e FALCON_CLIENT_ID=your_client_id -e FALCON_CLIENT_SECRET=your_secret \
  quay.io/crowdstrike/falcon-mcp:latest

Building Locally (Development)

For development or customization purposes, you can build the image locally:

# Build the Docker image
docker build -t falcon-mcp .

# Run the locally built image
docker run --rm -e FALCON_CLIENT_ID=your_client_id -e FALCON_CLIENT_SECRET=your_secret falcon-mcp

Note: When using HTTP transports in Docker, always set --host 0.0.0.0 to allow external connections to the container.

Editor/Assistant Integration

You can integrate the Falcon MCP server with your editor or AI assistant. Here are configuration examples for popular MCP clients:

Using uvx (recommended)

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": ["--env-file", "/path/to/.env", "falcon-mcp"]
    }
  }
}

With Module Selection

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp",
        "--modules",
        "detections,incidents,intel"
      ]
    }
  }
}

Using Individual Environment Variables

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": ["falcon-mcp"],
      "env": {
        "FALCON_CLIENT_ID": "your-client-id",
        "FALCON_CLIENT_SECRET": "your-client-secret",
        "FALCON_BASE_URL": "https://api.crowdstrike.com"
      }
    }
  }
}

Docker Version

{
  "mcpServers": {
    "falcon-mcp-docker": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--env-file",
        "/full/path/to/.env",
        "quay.io/crowdstrike/falcon-mcp:latest"
      ]
    }
  }
}

Additional Deployment Options

Amazon Bedrock AgentCore

To deploy the MCP Server as a tool in Amazon Bedrock AgentCore, please refer to the following document.

Contributing

Getting Started for Contributors

  1. Clone the repository:

    git clone https://github.com/CrowdStrike/falcon-mcp.git
cd falcon-mcp

  2. Install in development mode:

    # Create .venv and install dependencies
uv sync --all-extras

# Activate the venv
source .venv/bin/activate

[!IMPORTANT] This project uses Conventional Commits for automated releases and semantic versioning. Please follow the commit message format outlined in our Contributing Guide when submitting changes.

Running Tests

# Run all tests
pytest

# Run end-to-end tests
pytest --run-e2e tests/e2e/

# Run end-to-end tests with verbose output (note: -s is required to see output)
pytest --run-e2e -v -s tests/e2e/

Note: The -s flag is required to see detailed output from E2E tests.

Developer Documentation

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

This is a community-driven, open source project. While it is not an official CrowdStroke product, it is actively maintained by CrowdStrike and supported in collaboration with the open source developer community.

For more information, please see our SUPPORT file.

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选