Skip to main content

CrowdStrike Falcon Discover MCP Server

Create a powerful Model Context Protocol (MCP) server for CrowdStrike Falcon Discover in minutes with our AI Gateway. This guide walks you through setting up seamless IT asset discovery integration with enterprise-grade security and instant OAuth authentication.

About CrowdStrike Falcon Discover API

CrowdStrike Falcon Discover provides comprehensive IT hygiene with complete visibility into managed and unmanaged assets across your environment. It automatically discovers applications, accounts, and assets to reduce attack surface and improve security posture.

Key Capabilities

  • Asset Discovery: Complete IT inventory
  • Application Inventory: Installed software tracking
  • Account Discovery: User and service accounts
  • Cloud Asset Visibility: Multi-cloud discovery
  • IoT Device Detection: Connected device inventory
  • Network Mapping: Asset relationships
  • Compliance Monitoring: License and EOL tracking
  • Risk Assessment: Asset risk scoring

API Features

  • Assets API: Device and asset management
  • Applications API: Software inventory
  • Accounts API: User account discovery
  • OAuth 2.0: Secure authentication
  • IoT API: IoT device management
  • Cloud API: Cloud resource discovery
  • Export API: Data extraction
  • Analytics API: Asset insights

What You Can Do with CrowdStrike Falcon Discover MCP Server

The MCP server transforms Falcon Discover API into a natural language interface, enabling AI agents to:

Asset Discovery

  • Device Inventory

    • "Show all unmanaged devices"
    • "Find Windows servers without agents"
    • "List devices by department"
    • "Track new assets this week"

  • Asset Classification

    • "Categorize IT assets"
    • "Identify critical systems"
    • "Tag production servers"
    • "Mark EOL equipment"

  • Network Discovery

    • "Map network topology"
    • "Find rogue devices"
    • "Discover subnets"
    • "Track DHCP clients"

Application Management

  • Software Inventory

    • "List all installed applications"
    • "Find unauthorized software"
    • "Track software versions"
    • "Identify vulnerable apps"

  • License Compliance

    • "Check license compliance"
    • "Find unlicensed software"
    • "Track license usage"
    • "Monitor expiration dates"

  • EOL Tracking

    • "Find EOL software"
    • "List unsupported OS"
    • "Track support dates"
    • "Plan upgrades"

Account Discovery

  • User Accounts

    • "Find all user accounts"
    • "Identify orphaned accounts"
    • "Track privileged users"
    • "Monitor account creation"

  • Service Accounts

    • "Discover service accounts"
    • "Map account usage"
    • "Find stale accounts"
    • "Track permissions"

  • Cloud Accounts

    • "List cloud identities"
    • "Find shadow IT accounts"
    • "Track OAuth apps"
    • "Monitor API keys"

Cloud Asset Discovery

  • Multi-Cloud Inventory

    • "Discover AWS resources"
    • "Find Azure assets"
    • "List GCP instances"
    • "Track cloud spend"

  • Container Discovery

    • "Find Kubernetes clusters"
    • "List Docker containers"
    • "Track container images"
    • "Monitor registries"

  • Serverless Functions

    • "Discover Lambda functions"
    • "Find Azure Functions"
    • "Track Cloud Functions"
    • "Monitor API gateways"

IoT Device Management

  • Device Discovery

    • "Find IoT devices"
    • "Identify smart devices"
    • "Track OT systems"
    • "Monitor cameras"

  • Risk Assessment

    • "Assess IoT risks"
    • "Find vulnerable devices"
    • "Check default passwords"
    • "Monitor connections"

  • Network Segmentation

    • "Map IoT networks"
    • "Check segmentation"
    • "Find policy violations"
    • "Track communications"

Analytics & Insights

  • Asset Analytics

    • "Show asset growth trends"
    • "Calculate TCO"
    • "Measure utilization"
    • "Track depreciation"

  • Risk Scoring

    • "Calculate asset risk"
    • "Identify vulnerabilities"
    • "Assess exposure"
    • "Prioritize remediation"

  • Compliance Reporting

    • "Generate asset reports"
    • "Check compliance status"
    • "Track audit findings"
    • "Monitor controls"

Gap Analysis

  • Coverage Gaps

    • "Find unprotected assets"
    • "Identify blind spots"
    • "Track sensor coverage"
    • "Monitor protection gaps"

  • Security Gaps

    • "Find missing patches"
    • "Identify weak configs"
    • "Track security tools"
    • "Assess controls"

  • Process Gaps

    • "Find unmanaged changes"
    • "Track shadow IT"
    • "Identify process breaks"
    • "Monitor exceptions"

Integration & Automation

  • CMDB Sync

    • "Sync with ServiceNow"
    • "Update asset database"
    • "Reconcile differences"
    • "Maintain accuracy"

  • Ticketing Integration

    • "Create remediation tickets"
    • "Track issue resolution"
    • "Automate workflows"
    • "Monitor progress"

  • Reporting

    • "Generate executive reports"
    • "Create dashboards"
    • "Export inventories"
    • "Schedule updates"

Prerequisites

  • Access to Cequence AI Gateway
  • CrowdStrike Falcon Discover subscription
  • API client credentials
  • Appropriate API scopes

Step 1: Create CrowdStrike API Client

1.1 Access Falcon Console

  1. Log in to CrowdStrike Falcon
  2. Navigate to Support > API Clients and Keys
  3. Click Create API Client

1.2 Configure API Client

  1. Fill in details:
    • Client Name: "AI Gateway Discover MCP"
    • Description: "IT asset discovery and hygiene"
    • API Scopes: Select Discover scopes

1.3 Select API Scopes

Required scopes:

  • Discover: Read/Write
  • Hosts: Read
  • Applications: Read
  • Accounts: Read
  • IoT: Read

1.4 Save Credentials

  1. Click Create
  2. Copy Client ID
  3. Copy Client Secret
  4. Note your Base URL

Step 2-4: Standard Setup

Follow standard steps to access AI Gateway, find CrowdStrike Falcon Discover API, and create MCP server.

Step 5: Configure API Endpoints

  1. Base URL: https://api.crowdstrike.com
  2. Select endpoints:
    • Discover endpoints
    • Assets endpoints
    • Applications endpoints
    • Accounts endpoints
  3. Click Next

Step 6: MCP Server Configuration

  1. Name: "CrowdStrike Falcon Discover"
  2. Description: "IT asset discovery and hygiene"
  3. Configure production mode
  4. Click Next

Step 7: Configure Authentication

  1. Authentication Type: OAuth 2.0 (Client Credentials)
  2. Token URL: 
    https://api.crowdstrike.com/oauth2/token
  3. Grant Type: client_credentials
  4. Enter Client ID and Secret

Available CrowdStrike Discover API Scopes

Asset Discovery

  • Discover

    • discover:read - View discovered assets
    • discover:write - Manage asset data

  • Hosts

    • hosts:read - View host information

Application & Account Discovery

  • Applications

    • applications:read - View applications

  • Accounts

    • accounts:read - View accounts

IoT & Cloud

  • IoT

    • iot:read - View IoT devices

  • Cloud Assets

    • cloud-assets:read - View cloud resources

For IT Asset Management:

discover:read
hosts:read
applications:read
accounts:read

For Security Operations:

discover:read
discover:write
hosts:read
applications:read
accounts:read
iot:read
cloud-assets:read

Step 8-10: Complete Setup

Configure security, choose deployment, and deploy.

Using Your CrowdStrike Falcon Discover MCP Server

With Claude Desktop

{
  "servers": {
    "crowdstrike-discover": {
      "url": "your-mcp-server-url",
      "auth": {
        "type": "oauth2",
        "client_id": "your-client-id",
        "grant_type": "client_credentials"
      }
    }
  }
}

Natural Language Commands

  • "Show all unmanaged devices discovered this week"
  • "Find applications reaching end of life"
  • "List cloud assets without security agents"
  • "Identify IoT devices with default passwords"
  • "Generate IT asset inventory report"

API Integration Example

// Initialize MCP client
const mcpClient = new MCPClient({
  serverUrl: 'your-mcp-server-url',
  auth: {
    type: 'oauth2',
    clientId: 'your-client-id',
    clientSecret: 'your-client-secret',
    grantType: 'client_credentials'
  }
});

// Discover unmanaged assets
const unmanagedAssets = await mcpClient.crowdstrike.discover.getAssets({
  filter: "agent_installed:false",
  sort: "first_seen|desc",
  limit: 100
});

console.log(`Found ${unmanagedAssets.meta.pagination.total} unmanaged assets`);
for (const asset of unmanagedAssets.resources) {
  console.log(`\nAsset: ${asset.hostname || asset.id}`);
  console.log(`Type: ${asset.asset_type}`);
  console.log(`OS: ${asset.os_version}`);
  console.log(`First Seen: ${asset.first_seen}`);
  console.log(`Network: ${asset.network_interfaces[0]?.ipv4_address}`);
}

// Application inventory
const applications = await mcpClient.crowdstrike.discover.getApplications({
  filter: "is_normalized:true",
  facet: ["name", "vendor", "version"],
  sort: "installation_count|desc"
});

// Find vulnerable applications
const vulnerableApps = await mcpClient.crowdstrike.discover.getVulnerableApplications({
  filter: "cve_count:>0+eol_date:<now",
  include: ["cves", "remediation"]
});

for (const app of vulnerableApps.resources) {
  console.log(`\nApplication: ${app.name} ${app.version}`);
  console.log(`Vendor: ${app.vendor}`);
  console.log(`CVEs: ${app.cve_count}`);
  console.log(`Severity: ${app.max_severity}`);
  console.log(`EOL Date: ${app.eol_date}`);
  console.log(`Installations: ${app.installation_count}`);
  console.log(`Remediation: ${app.remediation.action}`);
}

// Account discovery
const accounts = await mcpClient.crowdstrike.discover.getAccounts({
  filter: "account_type:['service','user']",
  facet: ["account_type", "domain", "admin_privileges"]
});

// Find orphaned accounts
const orphanedAccounts = await mcpClient.crowdstrike.discover.getOrphanedAccounts({
  filter: "last_login_days:>90+enabled:true",
  include: ["permissions", "group_membership"]
});

// Cloud asset discovery
const cloudAssets = await mcpClient.crowdstrike.discover.getCloudAssets({
  cloud_provider: ["aws", "azure", "gcp"],
  asset_type: ["instance", "storage", "database", "function"],
  include_tags: true
});

console.log("\nCloud Asset Summary:");
for (const provider of ['aws', 'azure', 'gcp']) {
  const providerAssets = cloudAssets.resources.filter(a => a.cloud_provider === provider);
  console.log(`${provider.toUpperCase()}: ${providerAssets.length} assets`);
  
  const assetsByType = {};
  providerAssets.forEach(asset => {
    assetsByType[asset.asset_type] = (assetsByType[asset.asset_type] || 0) + 1;
  });
  
  Object.entries(assetsByType).forEach(([type, count]) => {
    console.log(`  - ${type}: ${count}`);
  });
}

// IoT device discovery
const iotDevices = await mcpClient.crowdstrike.discover.getIoTDevices({
  filter: "device_type:['camera','printer','smart_tv','voip_phone']",
  include_network_info: true
});

// Check IoT security
for (const device of iotDevices.resources) {
  const riskScore = await mcpClient.crowdstrike.discover.assessIoTRisk({
    device_id: device.id
  });
  
  if (riskScore.risk_level === 'high' || riskScore.risk_level === 'critical') {
    console.log(`\nHigh Risk IoT Device: ${device.hostname}`);
    console.log(`Type: ${device.device_type}`);
    console.log(`Vendor: ${device.vendor}`);
    console.log(`Risk Factors: ${riskScore.risk_factors.join(', ')}`);
    console.log(`Recommendations: ${riskScore.recommendations.join(', ')}`);
  }
}

// Asset lifecycle management
const eolAssets = await mcpClient.crowdstrike.discover.getEOLAssets({
  eol_date_range: {
    start: 'now',
    end: '6months'
  },
  asset_types: ['hardware', 'software', 'os']
});

console.log("\nAssets Reaching EOL:");
for (const asset of eolAssets.resources) {
  console.log(`- ${asset.name}: EOL on ${asset.eol_date}`);
  console.log(`  Affected Count: ${asset.affected_count}`);
  console.log(`  Replacement: ${asset.recommended_replacement}`);
}

// Coverage gap analysis
const coverageGaps = await mcpClient.crowdstrike.discover.analyzeCoverage({
  coverage_types: ['endpoint_protection', 'vulnerability_scanning', 'patch_management'],
  group_by: ['os_type', 'asset_criticality']
});

console.log("\nSecurity Coverage Gaps:");
for (const gap of coverageGaps.gaps) {
  console.log(`${gap.asset_group}: ${gap.uncovered_count} assets without ${gap.coverage_type}`);
  console.log(`  Risk Impact: ${gap.risk_impact}`);
  console.log(`  Recommended Action: ${gap.remediation}`);
}

// Generate asset report
const report = await mcpClient.crowdstrike.discover.generateReport({
  report_type: 'executive_summary',
  sections: [
    'asset_inventory',
    'unmanaged_devices',
    'vulnerable_applications',
    'cloud_assets',
    'iot_devices',
    'coverage_gaps',
    'recommendations'
  ],
  format: 'pdf',
  period: 'last_30_days'
});

// CMDB synchronization
const cmdbSync = await mcpClient.crowdstrike.discover.syncToCMDB({
  target_system: 'servicenow',
  sync_options: {
    create_missing: true,
    update_existing: true,
    archive_removed: true,
    field_mapping: {
      'hostname': 'name',
      'os_version': 'os',
      'asset_type': 'sys_class_name',
      'first_seen': 'discovery_date'
    }
  },
  filter: "last_seen:>24h" // Only sync recently seen assets
});

console.log(`\nCMDB Sync Results:`);
console.log(`Created: ${cmdbSync.created_count}`);
console.log(`Updated: ${cmdbSync.updated_count}`);
console.log(`Archived: ${cmdbSync.archived_count}`);
console.log(`Errors: ${cmdbSync.error_count}`);

// Real-time asset monitoring
const assetStream = await mcpClient.crowdstrike.discover.streamAssetChanges({
  change_types: ['new_asset', 'asset_offline', 'config_change', 'new_vulnerability'],
  asset_filters: {
    criticality: ['high', 'critical'],
    environment: ['production']
  }
});

assetStream.on('change', (event) => {
  console.log(`Asset Change: ${event.type}`);
  console.log(`Asset: ${event.asset.hostname}`);
  console.log(`Details: ${event.description}`);
  
  if (event.type === 'new_vulnerability' && event.severity === 'critical') {
    // Auto-create remediation ticket
    createRemediationTicket(event);
  }
});

Common Use Cases

IT Asset Management

  • Complete asset inventory
  • Software license compliance
  • Hardware lifecycle management
  • EOL planning

Security Hygiene

  • Unmanaged device discovery
  • Vulnerable application tracking
  • Account sprawl management
  • Coverage gap analysis

Cloud Asset Management

  • Multi-cloud visibility
  • Shadow IT discovery
  • Cost optimization
  • Security posture

Compliance & Audit

  • Asset documentation
  • License compliance
  • Security control validation
  • Audit preparation

Security Best Practices

  1. Discovery Security:

    • Limit discovery scope
    • Secure API credentials
    • Monitor discovery activity
    • Validate discovered assets

  2. Data Protection:

    • Classify asset data
    • Implement access controls
    • Audit data access
    • Secure asset database

  3. Integration Safety:

    • Validate CMDB mappings
    • Test sync operations
    • Monitor data flows
    • Implement rollback

Troubleshooting

Common Issues

  1. Discovery Problems

    • Check network access
    • Verify credentials
    • Review discovery scope
    • Monitor agent deployment

  2. Data Quality

    • Validate asset data
    • Check normalization
    • Review duplicates
    • Verify relationships

  3. Integration Issues

    • Test API connectivity
    • Verify field mappings
    • Check sync schedules
    • Review error logs

Getting Help