falcon-mcp

Overview

falcon-mcp is a robust MCP server from CrowdStrike that provides programmatic access to the company's security platform through the Model Context Protocol. It offers extensive functionality across 16+ modules including threat intelligence, host management, detections, and more. The project is actively maintained with recent commits and features comprehensive documentation.

Try asking AI

After installing, here are 3 things you can ask your AI assistant:

• list_detections

  Find and analyze detections to understand malicious activity

  Try:Show me recent detections in my environmentTry:Find all detections related to a specific threat actor
• get_host_details

  Retrieve detailed information about a specific host

  Try:Get details for host with ID '12345'Try:Show me all information about server 'web-prod-01'
• search_threat_intel

  Research threat actors, IOCs, and intelligence reports

  Try:Search for information on threat actor APT28Try:Find IOCs related to malware family Emotet
• create_ioc

  Create a new indicator of compromise

  Try:Add a malicious IP address to my IOC listTry:Create an IOC for suspicious domain example.com
• query_ngsiem

  Execute CQL queries against Next-Gen SIEM

  Try:Run CQL query to find failed loginsTry:Show me all authentication events from last week
• manage_firewall_rules

  Search and manage firewall rules and rule groups

  Try:List all firewall rules blocking trafficTry:Create a new rule to allow SSH access
• investigate_identity

  Perform entity investigation for identity protection

  Try:Investigate user account 'admin@example.com'Try:Check suspicious activity on user ID '789'
• discover_assets

  Search application inventory and discover unmanaged assets

  Try:Find all unmanaged servers in my networkTry:List all applications running on Linux hosts
• execute_rtr_command

  Initialize RTR sessions and execute read-only triage commands

  Try:Run 'ls -la' on a specific hostTry:Collect system information from endpoint 12345
• create_custom_ioa

  Create and manage Custom IOA behavioral detection rules

  Try:Create a rule to detect suspicious PowerShell executionTry:Define a new IOA for unusual network connections
• get_vulnerability_data

  Access and analyze vulnerability data from security assessments

  Try:Show me critical vulnerabilities on my networkTry:List all vulnerabilities in Apache web servers
• get_sensor_usage

  Access and analyze sensor usage data across your environment

  Try:Show me sensor health status for all hostsTry:Find hosts with low sensor coverage

Note: Tool names were inferred from the module descriptions and the README's mention of 'available tools, and FQL resources' in each module. The actual tool names and signatures are documented in the full documentation available at the provided l

Comparable tools

Installation

# Using uv
uv tool install falcon-mcp

# Using pip
pip install falcon-mcp

export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
export FALCON_BASE_URL="https://api.crowdstrike.com"

falcon-mcp

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp"
      ]
    }
  }
}

Compare falcon-mcp with