CrowdStrike Falcon

MCP server connecting AI agents to CrowdStrike Falcon for detections, incidents, and behaviors.

Stars: 77
Forks: 21
Releases: 3

Overview

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform so that security analysis can be driven from agent workflows. It gives agents programmatic access to core Falcon capabilities (detections, incidents, behaviors, threat intelligence, hosts, vulnerabilities, and Identity Protection) for automated querying, investigation, and enrichment inside AI-driven assistants and applications.

The server has a modular architecture. Available modules are Cloud Security, Core Functionality (built into the server), Detections, Discover, Hosts, Identity Protection, Incidents, Intel, Sensor Usage, Serverless, and Spotlight. Modules are enabled via the CLI, environment variables, or library configuration, and each module requires the corresponding CrowdStrike API scopes on the API client credential it runs with, so only the scopes for the modules you actually enable need to be granted.

falcon-mcp supports several transports (stdio, SSE, and streamable-http), runs either as a Python library or as a standalone server, and can be deployed from a pre-built container image or built locally. The project is in public preview and under active development, so features may change before 1.0. Documentation, examples, and contributor guidance are provided to support integration, testing, and contribution.

Details

Owner: CrowdStrike
Language: Python
License: MIT License
Updated: 2025-12-07

Features

Core MCP server bridging AI agents with CrowdStrike Falcon

Provides a foundational MCP bridge through which AI agents call Falcon platform capabilities programmatically (detections, incidents, behaviors, threat intelligence, hosts, vulnerabilities, Identity Protection).

Modular architecture with per-module scope control

Modules can be enabled or disabled via the CLI or environment variables; each module declares the CrowdStrike API scopes it requires, so the API client credential can be limited to the scopes of the modules that are enabled.

Multiple transport options

Supports stdio, server-sent events (SSE), and streamable-http transports; configurable host/port for HTTP transports.

Library-friendly and programmable usage

Exposes a FalconMCPServer class for use from Python; configure base_url, debug, and enabled_modules, then start the server with one of the server.run() transport variants.

Containerized deployment and local build

Available as a pre-built container image with documented run instructions; supports running via docker with credentials supplied through env files, and building the image locally.

Editor/Assistant integration

Documented configuration patterns for editors and AI assistants that launch the server with uvx and define MCP servers, including module selection, in their JSON configuration.
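As an added illustration of the editor integration pattern described above (this is not a config file taken from the project), the following is the JSON `mcpServers` shape that several MCP clients use, launching falcon-mcp through uvx with only two modules enabled. The `--modules` flag, the `FALCON_CLIENT_ID`, `FALCON_CLIENT_SECRET` and `FALCON_BASE_URL` variable names, the module identifiers `detections` and `incidents`, and the API base URL are assumptions for this example and should be checked against the project's README; JSON cannot carry comments, so the placeholders in angle brackets mark values you must replace.

```json
{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": ["falcon-mcp", "--modules", "detections,incidents"],
      "env": {
        "FALCON_CLIENT_ID": "<your-falcon-api-client-id>",
        "FALCON_CLIENT_SECRET": "<your-falcon-api-client-secret>",
        "FALCON_BASE_URL": "https://api.crowdstrike.com"
      }
    }
  }
}
```

Two practitioner checks: keep the enabled module list as short as the workflow needs and grant the Falcon API client only the scopes those modules require (the page notes that every module has its own required scopes), and prefer a client that reads the secret from a protected credential store or environment rather than leaving the plaintext secret in an editor config file that may be committed or synced.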

Extensive module toolset

Provides module-specific tools for detections, incidents, intel, Discover, Hosts, Identity Protection, Sensor Usage, Serverless, Spotlight, and Cloud Security.

Documentation & development resources

Includes FQL guides, module/resource development guides, end-to-end testing guides, and contribution practices (Conventional Commits).

Audience

AI developers: Integrate falcon-mcp into agent workflows to access detections, incidents, intel, and more.
Security analysts: Use the module tools through MCP for threat hunting, incident analysis, and risk assessment.
Platform integrators: Embed Falcon MCP into apps or assistants to automate security workflows and enrichment.
DevOps teams: Deploy the modular MCP service in containers and cloud environments for scalable security automation.

Tags

falcon-mcp, CrowdStrike, MCP server, AI integration, security automation, detections, incidents, behaviors, identity protection, threat intelligence, hosts, vulnerabilities, Discover, Intel, sensor usage, Serverless, Spotlight, cloud security, automation