
CrowdStrike Falcon MCP Server

Project description


falcon-mcp


falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, threat intelligence, and host management—establishing the foundation for advanced security operations and automation.

[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.

Documentation

Full docs are available at developer.crowdstrike.com/falcon-mcp.

Modules

Module                 Description
Core                   Basic connectivity and system information
Case Management        Case lifecycle management, evidence attachment, tagging, and templates
Cloud Security         Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, and suppression rules
Correlation Rules      Search, create, update, and manage NG-SIEM correlation rules
Custom IOA             Create and manage Custom IOA behavioral detection rules and rule groups
Data Protection        Search Data Protection classifications, policies, and content patterns
Detections             Find and analyze detections to understand malicious activity
Discover               Search application inventory and discover unmanaged assets
Exclusions             Search, create, update, and delete IOA, machine learning, sensor visibility, and certificate-based exclusions
Firewall Management    Search and manage firewall rules and rule groups
Host Groups            Search, create, update, and delete host groups; manage group membership
Hosts                  Manage and query host/device information
Identity Protection    Entity investigation and identity protection analysis
Intel                  Research threat actors, IOCs, and intelligence reports
IOC                    Search, create, and remove custom indicators of compromise
NGSIEM                 Execute CQL queries against Next-Gen SIEM
Policies               Search, create, update, and delete prevention, sensor update, firewall, device control, response, and content update policies; manage host-group assignment, enable/disable, and precedence
Quarantine             Search quarantine records, preview action counts, and release, unrelease, or delete quarantined files
Real Time Response     Audit, summarize, and run read-only RTR triage workflows
Recon                  Search Falcon Intelligence Recon notifications (recon alerts), monitoring rules, and exposed-data records for dark web, leaked credentials, and typosquatting
Scheduled Reports      Manage scheduled reports and download report files
Sensor Usage           Access and analyze sensor usage data
Serverless             Search for vulnerabilities in serverless functions
Shield                 SaaS security posture, checks, alerts, and app inventory
Spotlight              Manage and analyze vulnerability data and security assessments

See the Module Overview for required API scopes, available tools, and FQL resources.

Quick Start

Install

Using uv (recommended)

uv tool install falcon-mcp

Using pip

pip install falcon-mcp

Configure

Set the required environment variables (or use a .env file — see the Configuration Guide):

export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
export FALCON_BASE_URL="https://api.crowdstrike.com"

Run

falcon-mcp

See the Getting Started guide for full installation and configuration details.

Editor Integration

Using uvx (recommended)

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp"
      ]
    }
  }
}

With Module Selection

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp",
        "--modules",
        "detections,hosts,intel"
      ]
    }
  }
}

Docker

{
  "mcpServers": {
    "falcon-mcp-docker": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--env-file",
        "/full/path/to/.env",
        "quay.io/crowdstrike/falcon-mcp:latest"
      ]
    }
  }
}

See the Usage guide for all command line options, module configuration, and library usage.

Container Usage

# Pull the latest image
docker pull quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file (stdio transport)
docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest

# Run with streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0

See the Docker Deployment guide for building locally, custom ports, and advanced configurations.

Dynamic Mode

Running many modules at once inflates the context window every AI client must hold. Dynamic mode replaces the full tool surface with three tools — falcon_list_enabled_modules to see which modules are loaded, falcon_search_tools to discover the right tool on demand, and falcon_execute_tool to run it — so agents only load the schemas they actually need.

falcon-mcp --dynamic
# or: FALCON_MCP_DYNAMIC=true

See the Dynamic Mode guide for the full discover → execute workflow and trade-offs.

Deployment Options

Contributing

# Clone and install
git clone https://github.com/CrowdStrike/falcon-mcp.git
cd falcon-mcp
uv sync --all-extras

# Run tests
uv run pytest

[!IMPORTANT] This project uses Conventional Commits for automated releases. Please follow the commit message format outlined in our Contributing Guide.

Developer Documentation

Registries

falcon-mcp is published to public MCP catalogs for discovery and one-click setup in compatible clients:

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

This is a community-driven, open source project. While it is not an official CrowdStrike product, it is actively maintained by CrowdStrike and supported in collaboration with the open source developer community.

For more information, please see our SUPPORT file.

Download files


Source Distribution

falcon_mcp-0.13.0.tar.gz (163.2 kB)

Built Distribution

falcon_mcp-0.13.0-py3-none-any.whl (182.0 kB)

File details

Details for the file falcon_mcp-0.13.0.tar.gz.

File metadata

  • Download URL: falcon_mcp-0.13.0.tar.gz
  • Size: 163.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for falcon_mcp-0.13.0.tar.gz

  • SHA256: d453777da073a45662ba7cb52689a14f7164daece45743083c4873833c1ed1ac
  • MD5: 4316889718db62d8c43830aeb596e187
  • BLAKE2b-256: 654939596ca278ff9d787221d4025920ce820602239e005d027933c67c9075bd

Provenance

The following attestation bundles were made for falcon_mcp-0.13.0.tar.gz:

Publisher: release-please.yml on CrowdStrike/falcon-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file falcon_mcp-0.13.0-py3-none-any.whl.

File metadata

  • Download URL: falcon_mcp-0.13.0-py3-none-any.whl
  • Size: 182.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for falcon_mcp-0.13.0-py3-none-any.whl

  • SHA256: 3e7e7428972a8bec19b6caa9a453836bc6355f5440e00772ea9a923ed4f9433b
  • MD5: 9bac31d3618b0d165fc48f607ce4e68c
  • BLAKE2b-256: 69cf3eec530fcd2407bf6a9758201847b598f297c1d9e59a1e40327e6b90e1e8

Provenance

The following attestation bundles were made for falcon_mcp-0.13.0-py3-none-any.whl:

Publisher: release-please.yml on CrowdStrike/falcon-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
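The two file-hash listings above are only useful if something checks them. As an added example (not part of the project or of the PyPI page), this script verifies a downloaded 0.13.0 artifact against the SHA256 and BLAKE2b-256 digests listed above; the function names and the RELEASE_DIGESTS dictionary are mine, and the digest values are copied from the listings.

```python
"""Check a downloaded falcon-mcp 0.13.0 release file against the digests PyPI lists for it."""
import hashlib
import hmac
from pathlib import Path

# Digests copied from the PyPI page for this release. MD5 is left out on purpose:
# it no longer offers collision resistance, so it adds nothing to the check.
RELEASE_DIGESTS = {
    "falcon_mcp-0.13.0.tar.gz": {
        "sha256": "d453777da073a45662ba7cb52689a14f7164daece45743083c4873833c1ed1ac",
        "blake2b_256": "654939596ca278ff9d787221d4025920ce820602239e005d027933c67c9075bd",
    },
    "falcon_mcp-0.13.0-py3-none-any.whl": {
        "sha256": "3e7e7428972a8bec19b6caa9a453836bc6355f5440e00772ea9a923ed4f9433b",
        "blake2b_256": "69cf3eec530fcd2407bf6a9758201847b598f297c1d9e59a1e40327e6b90e1e8",
    },
}


def compute_digests(data: bytes) -> dict:
    """Hash the bytes the way PyPI does: "BLAKE2b-256" is BLAKE2b with a 32-byte
    digest, not hashlib's 64-byte default, which is an easy mistake to make."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify_artifact(filename: str, data: bytes, expected: dict = RELEASE_DIGESTS) -> dict:
    """Return {algorithm: matched} for one file. A filename with no published digests
    raises instead of returning an empty result, so a typo cannot pass as verified."""
    if filename not in expected:
        raise ValueError(f"no published digests for {filename!r}")
    actual = compute_digests(data)
    return {
        algo: hmac.compare_digest(actual[algo], digest.lower())
        for algo, digest in expected[filename].items()
    }


def verify_file(path: str, expected: dict = RELEASE_DIGESTS) -> bool:
    """True only if every listed digest matches the file on disk."""
    p = Path(path)
    return all(verify_artifact(p.name, p.read_bytes(), expected).values())


if __name__ == "__main__":
    import sys
    ok = verify_file(sys.argv[1])
    print("OK" if ok else "MISMATCH", sys.argv[1])
    sys.exit(0 if ok else 1)
```

For routine installs the same SHA256 value can be pinned in a requirements file with `--hash=sha256:...` and installed with `pip install --require-hashes`, which makes pip refuse any artifact whose digest differs.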
