What it does
This MCP server connects AI agents to CrowdStrike Falcon, exposing 23 modules spanning threat detection, case management, host intelligence, real-time response, and cloud security. It translates security operations workflows—querying detections, analyzing hosts, running behavioral detection rules, managing IOCs—into tools Claude can invoke. The server authenticates with CrowdStrike API credentials and relays requests to Falcon endpoints.
Who it's for
Security teams automating operations within their Falcon instance. Target personas: SOC analysts triaging detections, incident responders managing case workflows, threat hunters researching indicators, and security engineers building detection automation.
Common use cases
- Query detections and host timelines to understand active threats and lateral movement.
- Run Real Time Response (RTR) triage workflows to examine suspect hosts remotely.
- Search threat intelligence and custom IOCs to investigate threat actors and malware.
- Create and manage Custom IOA behavioral detection rules for custom threat patterns.
- Query Next-Gen SIEM with CQL to correlate detections and build attack timelines.
Setup pitfalls
- Requires valid CrowdStrike API credentials via the FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, and FALCON_BASE_URL environment variables.
- Reads and writes the filesystem; enforce proper permissions and sandboxing if running in untrusted contexts.
- Makes direct network calls to CrowdStrike APIs; confirm firewall and VPN rules allow egress to api.crowdstrike.com.
- Project is in public preview—module availability, feature set, and API compatibility may change before the v1.0 release.