
CrowdStrike Falcon MCP Server

Create a powerful Model Context Protocol (MCP) server for CrowdStrike Falcon in minutes with our AI Gateway. This guide walks you through setting up seamless endpoint security integration with enterprise-grade security and instant OAuth authentication.

About CrowdStrike Falcon API

CrowdStrike Falcon is a cloud-native endpoint protection platform that delivers next-generation antivirus, endpoint detection and response (EDR), and 24/7 threat hunting. The API provides comprehensive access to security events, threat intelligence, device management, and incident response capabilities.

Key Capabilities

  • Endpoint Detection & Response: Real-time threat detection
  • Device Management: Endpoint inventory and control
  • Threat Intelligence: IOC management and analysis
  • Incident Response: Automated containment and remediation
  • Vulnerability Management: Security posture assessment
  • Threat Hunting: Advanced search and investigation
  • Real-time Response: Live endpoint interaction
  • Prevention Policies: Security configuration management

API Features

  • REST API: Comprehensive security operations
  • OAuth 2.0: Secure authentication
  • Streaming API: Real-time event streaming
  • GraphQL API: Flexible data queries
  • Batch Operations: Bulk device management
  • Custom IOCs: Threat indicator management
  • SIEM Integration: Event forwarding
  • Rate Limiting: 5000 requests/minute

What You Can Do with CrowdStrike Falcon MCP Server

The MCP server transforms CrowdStrike Falcon API into a natural language interface, enabling AI agents to:

Threat Detection & Response

  • Detection Management

    • "Show critical detections from last 24 hours"
    • "Find detections related to ransomware"
    • "List unresolved security incidents"
    • "Track detection patterns"
  • Incident Response

    • "Contain infected endpoint"
    • "Isolate device from network"
    • "Kill malicious process"
    • "Quarantine suspicious files"
  • Threat Analysis

    • "Analyze detection behavior"
    • "Show process tree for incident"
    • "Track lateral movement"
    • "Identify attack techniques"

Device Management

  • Endpoint Inventory

    • "List all Windows servers"
    • "Show unprotected devices"
    • "Find devices by IP range"
    • "Track offline endpoints"
  • Device Control

    • "Deploy sensor to endpoint"
    • "Update prevention policies"
    • "Restart endpoint sensor"
    • "Configure device groups"
  • Compliance Monitoring

    • "Show non-compliant devices"
    • "Track sensor versions"
    • "Monitor policy violations"
    • "Audit device configurations"

Threat Hunting

  • Advanced Search

    • "Hunt for PowerShell activity"
    • "Find suspicious network connections"
    • "Search for specific file hashes"
    • "Track user behavior anomalies"
  • IOC Management

    • "Upload custom IOCs"
    • "Search for IOC matches"
    • "Track IOC detections"
    • "Manage threat indicators"
  • Behavioral Analysis

    • "Identify process injection"
    • "Detect privilege escalation"
    • "Find persistence mechanisms"
    • "Track command execution"

Security Analytics

  • Detection Metrics

    • "Show detection trends"
    • "Calculate MTTR metrics"
    • "Track false positive rates"
    • "Measure threat coverage"
  • Device Health

    • "Monitor sensor health"
    • "Track protection gaps"
    • "Measure uptime statistics"
    • "Analyze performance impact"
  • Threat Intelligence

    • "Show threat actor activity"
    • "Track campaign indicators"
    • "Monitor emerging threats"
    • "Analyze attack patterns"

Real-time Response

  • Live Response

    • "Connect to endpoint shell"
    • "Run forensic commands"
    • "Collect memory dumps"
    • "Extract artifacts"
  • File Operations

    • "Retrieve suspicious files"
    • "Delete malicious files"
    • "Upload analysis tools"
    • "Collect evidence"
  • Registry Analysis

    • "Query registry keys"
    • "Monitor registry changes"
    • "Remove persistence"
    • "Audit configurations"

Prevention Policies

  • Policy Management

    • "Create prevention policy"
    • "Update detection settings"
    • "Configure exclusions"
    • "Set sensitivity levels"
  • Policy Assignment

    • "Apply policy to group"
    • "Override device policies"
    • "Schedule policy updates"
    • "Test policy changes"
  • Configuration Control

    • "Enable next-gen AV"
    • "Configure firewall rules"
    • "Set USB controls"
    • "Manage script blocking"

Vulnerability Management

  • Vulnerability Discovery

    • "Scan for CVEs"
    • "Identify missing patches"
    • "Find exposed services"
    • "Track zero-days"
  • Risk Assessment

    • "Calculate risk scores"
    • "Prioritize remediation"
    • "Track exposure trends"
    • "Measure patch compliance"
  • Remediation Tracking

    • "Monitor patching progress"
    • "Verify fixes"
    • "Track exceptions"
    • "Report compliance"

Integration & Automation

  • SIEM Integration

    • "Stream events to SIEM"
    • "Configure event filters"
    • "Map detection data"
    • "Enable correlation"
  • Workflow Automation

    • "Trigger incident response"
    • "Automate containment"
    • "Create playbooks"
    • "Chain responses"
  • API Webhooks

    • "Configure detection alerts"
    • "Set up notifications"
    • "Enable integrations"
    • "Monitor API events"

Prerequisites

  • Access to Cequence AI Gateway
  • CrowdStrike Falcon subscription
  • API client credentials
  • Appropriate API scopes

Step 1: Create CrowdStrike API Client

1.1 Access Falcon Console

  1. Log in to CrowdStrike Falcon console
  2. Navigate to Support > API Clients and Keys
  3. Click Create API Client

1.2 Configure API Client

  1. Fill in client details:
    • Client Name: "AI Gateway Falcon MCP"
    • Description: "MCP server for security operations"
    • API Scopes: Select required scopes (see below)

1.3 Select API Scopes

Choose scopes based on use case:

  • Detections: Read/Write
  • Hosts: Read/Write
  • Prevention Policies: Read/Write
  • Real Time Response: Read/Write/Admin
  • IOCs: Read/Write
  • Incidents: Read/Write

1.4 Save Credentials

  1. Click Create
  2. Copy Client ID
  3. Copy Client Secret
  4. Note your Base URL (e.g., api.crowdstrike.com)

Steps 2-4: Standard Setup

Follow the standard steps to access the AI Gateway, find the CrowdStrike Falcon API, and create the MCP server.

Step 5: Configure API Endpoints

  1. Base URL: https://api.crowdstrike.com
  2. Select endpoints:
    • Detections endpoints
    • Hosts endpoints
    • Incidents endpoints
    • RTR endpoints
  3. Click Next

Step 6: MCP Server Configuration

  1. Name: "CrowdStrike Falcon"
  2. Description: "Endpoint security and threat detection"
  3. Configure production mode
  4. Click Next

Step 7: Configure Authentication

  1. Authentication Type: OAuth 2.0 (Client Credentials)
  2. Token URL:
    https://api.crowdstrike.com/oauth2/token
  3. Grant Type: client_credentials
  4. Enter Client ID and Secret
  5. Configure token refresh

Available CrowdStrike Falcon API Scopes

Detection & Response

  • Detections

    • detections:read - View detections
    • detections:write - Update detection status
  • Incidents

    • incidents:read - View incidents
    • incidents:write - Manage incidents

Device Management

  • Hosts

    • hosts:read - View host information
    • hosts:write - Manage hosts
  • Host Groups

    • host-groups:read - View groups
    • host-groups:write - Manage groups

Prevention & Policies

  • Prevention Policies

    • prevention-policies:read - View policies
    • prevention-policies:write - Manage policies
  • Sensor Update Policies

    • sensor-update-policies:read - View policies
    • sensor-update-policies:write - Manage policies

Response Capabilities

  • Real Time Response
    • real-time-response:read - View RTR sessions
    • real-time-response:write - Execute RTR commands
    • real-time-response-admin:write - Admin RTR commands

Threat Intelligence

  • IOCs

    • iocs:read - View custom IOCs
    • iocs:write - Manage custom IOCs
  • Intel

    • intel:read - Access threat intelligence

For SOC Analysts:

  • detections:read
  • detections:write
  • hosts:read
  • incidents:read
  • incidents:write
  • intel:read

For Incident Response:

  • detections:read
  • detections:write
  • hosts:read
  • hosts:write
  • real-time-response:write
  • real-time-response-admin:write
  • iocs:read
  • iocs:write

Steps 8-10: Complete Setup

Configure the security settings, choose a deployment option, and deploy.
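The gateway performs the client-credentials exchange and token refresh from Step 7 for you. As an added example (not Cequence's or CrowdStrike's code), this is what that exchange looks like when a script calls the token URL directly, refreshing shortly before expiry instead of waiting for a 401. It assumes the endpoint accepts form-encoded client_id/client_secret and returns access_token and expires_in, and that the HTTP call is injectable (fetchFn, normally the global fetch) so the cache logic can run offline.

```javascript
// Added example: OAuth 2.0 client-credentials token cache for the Falcon
// token URL from Step 7. fetchFn is injected (pass the global fetch in
// production); the 200/201 status check and response shape are assumptions.

const TOKEN_URL = "https://api.crowdstrike.com/oauth2/token";
const REFRESH_SKEW_SECONDS = 60; // refresh this long before the token actually expires

function createTokenProvider({ clientId, clientSecret, fetchFn, now = () => Date.now() }) {
  let cached = null; // { accessToken, expiresAt } with expiresAt in ms since epoch

  // A cached token is usable only if it outlives the refresh skew window.
  function isUsable(entry, at) {
    return !!entry && at + REFRESH_SKEW_SECONDS * 1000 < entry.expiresAt;
  }

  async function requestToken() {
    const body = new URLSearchParams({ client_id: clientId, client_secret: clientSecret });
    const res = await fetchFn(TOKEN_URL, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
      body: body.toString(),
    });
    if (res.status !== 200 && res.status !== 201) {
      throw new Error(`token request failed: HTTP ${res.status}`);
    }
    const json = await res.json();
    if (!json.access_token || typeof json.expires_in !== "number") {
      throw new Error("token response missing access_token or expires_in");
    }
    return { accessToken: json.access_token, expiresAt: now() + json.expires_in * 1000 };
  }

  return {
    // Returns a bearer token, reusing the cached one until it nears expiry.
    async getToken() {
      if (!isUsable(cached, now())) cached = await requestToken();
      return cached.accessToken;
    },
    isUsable,
  };
}
```

Send the returned value as `Authorization: Bearer <token>`; never log the client secret or the token itself.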

Using Your CrowdStrike Falcon MCP Server

With Claude Desktop

{
  "servers": {
    "crowdstrike-falcon": {
      "url": "your-mcp-server-url",
      "auth": {
        "type": "oauth2",
        "client_id": "your-client-id",
        "grant_type": "client_credentials"
      }
    }
  }
}

Natural Language Commands

  • "Show all critical detections from the last hour"
  • "Contain device with hostname DESKTOP-ABC123"
  • "Search for PowerShell encoded command executions"
  • "List devices missing sensor updates"
  • "Analyze detection for incident ID 12345"

API Integration Example

// Assumes an async context (an ES module with top-level await, or the body of
// an async function); handleCriticalDetection is defined elsewhere.

// Initialize MCP client
const mcpClient = new MCPClient({
  serverUrl: 'your-mcp-server-url',
  auth: {
    type: 'oauth2',
    clientId: 'your-client-id',
    clientSecret: 'your-client-secret',
    grantType: 'client_credentials'
  }
});

// Search for new critical/high detections
const detections = await mcpClient.crowdstrike.detections.query({
  filter: "status:'new'+severity:['critical','high']",
  sort: "max_severity|desc",
  limit: 100
});

// Get detection details (getDetails accepts a list of ids; one call per id is shown for clarity)
for (const detectionId of detections.resources) {
  const detail = await mcpClient.crowdstrike.detections.getDetails({
    ids: [detectionId]
  });

  const detection = detail.resources[0];
  console.log(`Detection: ${detection.detection_id}`);
  console.log(`Severity: ${detection.max_severity}`);
  console.log(`Technique: ${detection.behaviors[0].technique}`);
  console.log(`Device: ${detection.device.hostname}`);
}

// Contain a device (network isolation)
const containment = await mcpClient.crowdstrike.devices.contain({
  action_name: "contain",
  ids: ["device-id-123"]
});

// Create custom IOCs
const ioc = await mcpClient.crowdstrike.iocs.create({
  indicators: [
    {
      type: "sha256",
      value: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      policy: "detect",
      description: "Malicious file hash",
      severity: "high",
      tags: ["malware", "ransomware"],
      expiration: "2025-12-31T23:59:59Z"
    },
    {
      type: "domain",
      value: "malicious-domain.com",
      policy: "block",
      description: "C2 domain",
      severity: "critical"
    }
  ]
});

// Start a Real-Time Response session
const rtrSession = await mcpClient.crowdstrike.rtr.createSession({
  device_id: "device-id-123",
  queue_offline: false
});

// Execute an RTR command (process listing)
const command = await mcpClient.crowdstrike.rtr.executeCommand({
  session_id: rtrSession.session_id,
  base_command: "ps",
  command_string: "ps"
});

// Get command results
const result = await mcpClient.crowdstrike.rtr.getCommandResult({
  cloud_request_id: command.cloud_request_id,
  sequence_id: command.sequence_id
});

// Query critical vulnerabilities seen in the last 7 days (Spotlight)
const threatHunt = await mcpClient.crowdstrike.spotlight.queryVulnerabilities({
  filter: "cve.severity:'CRITICAL'+last_seen_within:'7d'",
  facet: ["cve.severity", "cve.exploit_status"],
  sort: "cve.score.desc"
});

// Update a prevention policy
const policy = await mcpClient.crowdstrike.preventionPolicies.update({
  id: "policy-id-123",
  name: "Enhanced Protection Policy",
  prevention_settings: [
    {
      id: "CloudAntiMalware",
      value: {
        detection: "EXTRA_AGGRESSIVE",
        prevention: "EXTRA_AGGRESSIVE"
      }
    },
    {
      id: "BehaviorAnalysis",
      value: {
        detection: "EXTRA_AGGRESSIVE",
        prevention: "AGGRESSIVE"
      }
    }
  ]
});

// Stream detection events
const eventStream = await mcpClient.crowdstrike.streaming.connect({
  appId: "detection-monitor",
  eventTypes: ["DetectionSummaryEvent", "IncidentSummaryEvent"]
});

eventStream.on('event', (event) => {
  if (event.metadata.eventType === 'DetectionSummaryEvent') {
    console.log(`New detection: ${event.event.DetectName}`);
    console.log(`Severity: ${event.event.Severity}`);
    console.log(`Device: ${event.event.ComputerName}`);

    // Auto-respond to critical threats
    if (event.event.Severity >= 4) {
      handleCriticalDetection(event);
    }
  }
});

// Incident investigation
const incident = await mcpClient.crowdstrike.incidents.getDetails({
  ids: ["inc:12345"]
});

// Get incident behaviors
const behaviors = await mcpClient.crowdstrike.incidents.getBehaviors({
  filter: `incident_id:'${incident.resources[0].incident_id}'`
});

// Perform a batch host action
const batchAction = await mcpClient.crowdstrike.hosts.performAction({
  action_name: "hide_host",
  ids: ["host1", "host2", "host3"],
  action_parameters: [
    {
      name: "reason",
      value: "Decommissioned devices"
    }
  ]
});

// Query hosts with filters
const hosts = await mcpClient.crowdstrike.hosts.query({
  filter: "platform_name:'Windows'+last_seen:>'2025-01-01'",
  sort: "last_seen.desc",
  limit: 100
});

// Get detailed host information for the matching ids
const hostDetails = await mcpClient.crowdstrike.hosts.getDetails({
  ids: hosts.resources
});

Common Use Cases

Threat Detection

  • Real-time threat monitoring
  • Behavioral analysis
  • IOC matching
  • Attack pattern recognition

Incident Response

  • Automated containment
  • Evidence collection
  • Threat remediation
  • Forensic analysis

Vulnerability Management

  • CVE scanning
  • Patch compliance
  • Risk assessment
  • Remediation tracking

Compliance & Reporting

  • Security posture assessment
  • Compliance monitoring
  • Audit reporting
  • Executive dashboards

Security Best Practices

  1. API Security:

    • Use minimal required scopes
    • Rotate API credentials regularly
    • Implement IP allowlisting
    • Monitor API usage
  2. Response Actions:

    • Implement approval workflows
    • Log all containment actions
    • Test in non-production first
    • Have rollback procedures
  3. Data Protection:

    • Encrypt sensitive data
    • Implement data retention
    • Audit access logs
    • Follow compliance requirements
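An added example (not Cequence's or CrowdStrike's code) of putting the API-security and response-action practices above into code: a gate in front of the MCP client's actions that checks the client's granted scopes against the scope each action needs, requires a recorded approval for write and admin actions such as containment and RTR, and appends every decision to an audit log. The action-to-scope table, the action names and the approval shape ({approvedBy, ticket}) are assumptions; the scope names are the ones listed on this page.

```javascript
// Added example: least-privilege and approval gate for MCP-driven Falcon actions.
// ACTION_SCOPES maps an assumed action name to the scope it needs (scope names
// from the "Available CrowdStrike Falcon API Scopes" section).
const ACTION_SCOPES = {
  "detections.query": "detections:read",
  "hosts.query": "hosts:read",
  "hosts.performAction": "hosts:write",
  "devices.contain": "hosts:write",
  "iocs.create": "iocs:write",
  "rtr.executeCommand": "real-time-response:write",
  "rtr.executeAdminCommand": "real-time-response-admin:write",
};

// Classify a scope by the blast radius of what it allows.
function riskOf(scope) {
  if (scope.endsWith("-admin:write")) return "admin";
  return scope.endsWith(":write") ? "write" : "read";
}

// Returns authorize(action, params, approval) -> boolean. Every call, allowed or
// denied, is appended to auditLog so containment and RTR actions are traceable.
function createActionGate({ grantedScopes, auditLog }) {
  const granted = new Set(grantedScopes);
  return function authorize(action, params, approval) {
    const scope = ACTION_SCOPES[action];
    const record = { ts: new Date().toISOString(), action, params, scope, decision: "deny", reason: "" };
    const approved = !!(approval && approval.approvedBy && approval.ticket);
    if (!scope) record.reason = "unknown action";
    else if (!granted.has(scope)) record.reason = `missing scope ${scope}`;
    else if (riskOf(scope) !== "read" && !approved) record.reason = `${riskOf(scope)} action requires recorded approval`;
    else {
      record.decision = "allow";
      record.approvedBy = approved ? approval.approvedBy : null;
    }
    auditLog.push(record);
    return record.decision === "allow";
  };
}

// Least-privilege check: scopes granted to the API client that no gated action needs.
function unusedScopes(grantedScopes) {
  const needed = new Set(Object.values(ACTION_SCOPES));
  return grantedScopes.filter((s) => !needed.has(s));
}
```

Ship the audit log to your SIEM alongside the Falcon events so a containment issued through the agent can be matched to its approval ticket.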

Troubleshooting

Common Issues

  1. Authentication Errors

    • Verify API credentials
    • Check token expiration
    • Validate OAuth flow
    • Review scope permissions
  2. Rate Limiting

    • Monitor request rates
    • Implement backoff logic
    • Use batch operations
    • Cache responses
  3. Detection Issues

    • Verify sensor connectivity
    • Check prevention policies
    • Review exclusions
    • Validate IOC format

Getting Help