- Home
- MCP servers
- Falcon
Falcon
- python
108
GitHub Stars
python
Language
6 months ago
First Indexed
2 months ago
Catalog Refreshed
Documentation & install
Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.
Installation
Add the following to your MCP client configuration file.
Configuration
View docs{
"mcpServers": {
"crowdstrike-falcon-mcp": {
"command": "falcon-mcp",
"args": [],
"env": {
"FALCON_BASE_URL": "https://api.crowdstrike.com",
"FALCON_MCP_HOST": "127.0.0.1",
"FALCON_MCP_PORT": "8000",
"FALCON_CLIENT_ID": "your-client-id",
"FALCON_MCP_DEBUG": "false",
"FALCON_MCP_API_KEY": "your-api-key",
"FALCON_MCP_MODULES": "detections,incidents,intel",
"FALCON_CLIENT_SECRET": "your-client-secret",
"FALCON_MCP_TRANSPORT": "stdio",
"FALCON_MCP_STATELESS_HTTP": "false"
}
}
}
}Falcon MCP Server connects AI agents to the CrowdStrike Falcon platform, enabling programmatic access to detections, incidents, and behaviors so you can automate security workflows and perform rapid analysis within agentic systems.
How to use
You will run the Falcon MCP Server as a local process and connect your MCP client (such as uvx or another integration) to it. Start the server using the stdio transport for a quick, self-contained setup, then switch transports or enable remote HTTP access as your deployment needs evolve. Use the available modules to tailor capabilities like detections, incidents, intel, and more to your environment.
How to install
Prerequisites: ensure you have Python 3.11 or higher and either uv or pip installed on your system.
Install the Falcon MCP Server using the recommended tool for your environment.
# Install using uv (recommended for development and quick start)
uv tool install falcon-mcp
# Or install using pip (production-friendly with Python)
pip install falcon-mcp
Additional sections
API credentials and scopes are required to access CrowdStrike Falcon resources. You create a CrowdStrike API client, assign the necessary scopes for the modules you plan to use, and then configure those credentials in the server environment or a .env file. The Falcon MCP Server supports a range of modules such as Cloud Security, Detections, Discover, Hosts, Incidents, Intel, and more. You enable modules at startup with the --modules flag or via the FALCON_MCP_MODULES environment variable. For HTTP-style transports, consider enabling an API key for the transport to improve security.
Configuration of credentials can be done via a .env file or environment variables. Example contents include Client ID, Client Secret, and the base API URL for CrowdStrike. Optional settings include the modules you want to enable, the transport type (stdio, sse, or streamable-http), and transport-level options like host, port, and stateless HTTP mode. The CrowdStrike API regions provide different base URLs depending on your region.
Running a local server with the default, stdio transport is the simplest way to start. If you need remote access or scalable deployment, you can run with SSE or streamable HTTP and adjust host/port and stateless settings as needed. When using HTTP transports, protect the endpoint with an API key by passing it through --api-key or FALCON_MCP_API_KEY.
Examples and notes
Start with the default stdio transport (no arguments): the command is falcon-mcp.
Start with the SSE transport: falcon-mcp --transport sse.
Start with streamable-http transport: falcon-mcp --transport streamable-http --host 0.0.0.0 --port 8080.
Enable stateless HTTP mode for scalable deployments: falcon-mcp --transport streamable-http --stateless-http.
Protect HTTP transports with an API key: falcon-mcp --transport streamable-http --api-key your-secret-key.
Running examples
You can run example scripts or integrate with your editor/assistant. For example, you might run a basic usage script or an integration test to validate connectivity and module availability.
Available tools
falcon_check_connectivity
Check connectivity to the Falcon API to verify you can reach the service with your credentials.
falcon_list_enabled_modules
List the modules currently enabled in the Falcon MCP Server based on startup configuration.
falcon_list_modules
List all available modules that the server can enable.
falcon_search_detections
Search for detections and analyze potentially malicious activity.
falcon_get_detection_details
Retrieve detailed information for specific detections by ID.
falcon_search_incidents
Find and analyze security incidents to understand coordinated activity.
falcon_show_crowd_score
View CrowdScore and security posture metrics for your environment.
search_ngsiem
Execute a CQL query against CrowdStrike Next-Gen SIEM repositories.
falcon_search_actors
Research threat actors and adversary groups from Falcon Intelligence.
falcon_search_indicators
Search for indicators of compromise from Falcon Intelligence.
falcon_search_reports
Access intelligence publications and threat reports.
falcon_get_mitre_report
Generate MITRE ATT&CK reports for threat actors.
falcon_search_sensor_usage
Search weekly sensor usage data.
falcon_search_scheduled_reports
Search for scheduled reports and searches.
falcon_launch_scheduled_report
Launch a scheduled report on demand.
falcon_download_report_execution
Download generated scheduled report files.
falcon_search_serverless_vulnerabilities
Search for vulnerabilities in serverless functions.
falcon_search_vulnerabilities
Search for vulnerabilities in the Falcon environment.