falcon-mcp - AI Agents | SkillsLLM

falcon-mcp

Pending

Connect AI agents to CrowdStrike Falcon for automated security analysis and threat hunting

136stars

37forks

Python

Added 2/6/2026

View on GitHub Download ZIP

AI Agentsaicrowdstrikefalconmcpmcp-server

Installation

# Add to your Claude Code skills
git clone https://github.com/CrowdStrike/falcon-mcp

README.md

falcon-mcp

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, incidents, and behaviors—establishing the foundation for advanced security operations and automation.

[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.

Table of Contents

API Credentials & Required Scopes
- Setting Up CrowdStrike API Credentials
- Required API Scopes by Module
Available Modules, Tools & Resources

Agentic System Design

Design real-world AI agents - architectures, frameworks, and proven patterns

sponsoredEducative12 hoursIntermediate

Comments (0)

to leave a comment.

No comments yet. Be the first to share your thoughts!

Related Skills

Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.

183,625

| Module | Required API Scopes | Purpose | | - | - | - | | Cloud Security | Falcon Container Image:readCloud Security API Assets:Read | Find and analyze kubernetes containers inventory, container images vulnerabilities, and CSPM cloud asset inventory | | Core | No additional scopes | Basic connectivity and system information | | Custom IOA | Custom IOA Rules:readCustom IOA Rules:write | Create and manage Custom IOA behavioral detection rules and rule groups | | Detections | Alerts:read | Find and analyze detections to understand malicious activity | | Discover | Assets:read | Search and analyze application inventory across your environment | | Hosts | Hosts:read | Manage and query host/device information | | Identity Protection | Identity Protection Entities:readIdentity Protection Timeline:readIdentity Protection Detections:readIdentity Protection Assessment:readIdentity Protection GraphQL:write | Comprehensive entity investigation and identity protection analysis | | Incidents | Incidents:read | Analyze security incidents and coordinated activities | | Real Time Response | Real time response:readReal time response:write | Initialize RTR sessions, execute read-only triage commands, inspect command output, and review RTR session artifacts | | NGSIEM | NGSIEM:readNGSIEM:write | Execute CQL queries against Next-Gen SIEM | | Intel | Actors (Falcon Intelligence):readIndicators (Falcon Intelligence):readReports (Falcon Intelligence):read | Research threat actors, IOCs, and intelligence reports | | IOC | IOC Management:readIOC Management:write | Search, create, and remove custom IOCs using IOC Service Collection endpoints | | Firewall Management | Firewall Management:readFirewall Management:write | Search and manage firewall rules and rule groups | | Scheduled Reports | Scheduled Reports:read | Get details about scheduled reports and searches, run reports on demand, and download report files | | Sensor Usage | Sensor Usage:read | Access and analyze sensor usage data | | Serverless | Falcon Container Image:read | Search for vulnerabilities in serverless functions across cloud service providers | | Spotlight | Vulnerabilities:read | Manage and analyze vulnerability data and security assessments |