falcon
Connect AI agents to CrowdStrike Falcon for automated security analysis and threat hunting
claude mcp add \
  --env CROWDSTRIKE_CLIENT_ID="<your CrowdStrike API client id>" \
  --env CROWDSTRIKE_API_REGION="<region, e.g. us-1>" \
  --env CROWDSTRIKE_API_BASE_URL="<optional custom API base URL if applicable>" \
  --env CROWDSTRIKE_CLIENT_SECRET="<your CrowdStrike API client secret>" \
  --transport stdio crowdstrike-falcon-mcp -- python -m falcon_mcp
How to use
falcon-mcp is a Python-based MCP server that bridges AI agents with CrowdStrike Falcon capabilities. It exposes modules for cloud security, detections, incidents, hosts, intel, IOC management, and more, enabling agents to request data, run queries, and orchestrate security workflows through the MCP interface. You can access tools such as search and retrieval for detections, incidents, hosts, and IoCs, as well as specialized modules like NGSIEM queries and Identity Protection investigations. To use it, configure your CrowdStrike API credentials and start the server; your agent runtimes can then invoke the available MCP tools via the standard MCP protocol, specifying the desired module and action. The server also provides documentation resources and query guides to assist with building effective prompts and queries for security analysis.
How to install
Prerequisites:
- Python 3.8+ and pip
- Access to CrowdStrike Falcon API credentials (Client ID and Client Secret)
Step 1: Create and activate a Python virtual environment (optional but recommended)
- python -m venv venv
- source venv/bin/activate (Linux/macOS) or venv\Scripts\activate (Windows)
Step 2: Install falcon-mcp from PyPI
- pip install falcon-mcp
Step 3: Prepare environment variables for CrowdStrike API access
- Set CROWDSTRIKE_CLIENT_ID to your API client id
- Set CROWDSTRIKE_CLIENT_SECRET to your API client secret
- Optionally set CROWDSTRIKE_API_REGION and CROWDSTRIKE_API_BASE_URL if needed by your environment
Step 4: Run the MCP server (example using the provided module)
- python -m falcon_mcp
Step 5: Verify the server is running and reachable by your MCP client or integration
- Ensure the configured environment variables are loaded in the runtime where the server executes
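A preflight check for Steps 3 to 5, added here as an example (not part of falcon-mcp): it confirms the variables named above are loaded in the shell that will start the server, without ever printing their values. The function names and the https-only rule for CROWDSTRIKE_API_BASE_URL are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight for the variables named in Step 3.
# Problems are reported by variable name only; values (the secret) are never printed.

# Returns 0 if the value is non-empty and is not a leftover "<...>" placeholder.
is_real_value() {
    case "$1" in
        ''|'<'*'>') return 1 ;;
        *) return 0 ;;
    esac
}

# Writes one line per problem to stderr and returns the number of problems found.
falcon_mcp_preflight() {
    problems=0
    # Required credentials.
    for name in CROWDSTRIKE_CLIENT_ID CROWDSTRIKE_CLIENT_SECRET; do
        eval "value=\${$name:-}"
        if ! is_real_value "$value"; then
            echo "missing or placeholder: $name" >&2
            problems=$((problems + 1))
        fi
    done
    unset value
    # Optional variables are only checked when they are set.
    if [ -n "${CROWDSTRIKE_API_REGION:-}" ] && ! is_real_value "$CROWDSTRIKE_API_REGION"; then
        echo "placeholder left in: CROWDSTRIKE_API_REGION" >&2
        problems=$((problems + 1))
    fi
    # Assumption of this example: a custom base URL must use TLS,
    # because the client id and secret are sent to it.
    case "${CROWDSTRIKE_API_BASE_URL:-}" in
        ''|https://?*) ;;
        *) echo "CROWDSTRIKE_API_BASE_URL must be an https:// URL" >&2
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Usage: falcon_mcp_preflight && python -m falcon_mcp
```

Source or paste the function into the shell (or wrapper script) that launches the server, so the check sees the same environment the server will.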
Additional notes
Tips and caveats:
- This server is in public preview; features may change before 1.0 release. Avoid production deployments until stable.
- Ensure the CrowdStrike API scopes align with the modules you plan to use; grant only the necessary scopes for security best practices.
- Use a virtual environment to isolate dependencies and simplify updates.
- If you encounter authentication errors, double-check that the API client has the required scopes and that the environment variables are correctly set in the runtime environment.
- For long-running tasks, consider configuring appropriate timeouts and rate limits in your MCP client to avoid throttling from CrowdStrike APIs.
Related MCP Servers
jupyter
🪐 🔧 Model Context Protocol (MCP) Server for Jupyter.
mcp -odoo
A Model Context Protocol (MCP) server that enables AI assistants to securely interact with Odoo ERP systems through standardized resources and tools for data retrieval and manipulation.
beemcp
BeeMCP: an unofficial Model Context Protocol (MCP) server that connects your Bee wearable lifelogger to AI via the Model Context Protocol
MCP-MultiServer-Interoperable-Agent2Agent-LangGraph-AI-System
This project demonstrates a decoupled real-time agent architecture that connects LangGraph agents to remote tools served by custom MCP (Modular Command Protocol) servers. The architecture enables a flexible and scalable multi-agent system where each tool can be hosted independently (via SSE or STDIO), offering modularity and cloud-deployable execut
BinAssistMCP
Binary Ninja plugin to provide MCP functionality.
Helios
An AI IDE secure coding MCP service