CrowdStrike Threat Graph MCP Server
Create a powerful Model Context Protocol (MCP) server for CrowdStrike Threat Graph in minutes with our AI Gateway. This guide walks you through setting up seamless threat intelligence integration with enterprise-grade security and instant OAuth authentication.
About CrowdStrike Threat Graph API
CrowdStrike Threat Graph is a cloud-native graph database that captures and analyzes trillions of security events daily. It provides AI-powered threat intelligence, behavioral analytics, and advanced hunting capabilities to identify sophisticated threats and attack patterns across your environment.
Key Capabilities
- Threat Intelligence: Real-time threat actor tracking
- Behavioral Analytics: AI-powered anomaly detection
- Attack Pattern Recognition: MITRE ATT&CK mapping
- Threat Hunting: Advanced query capabilities
- Indicator Enrichment: Contextual threat data
- Adversary Intelligence: Threat actor profiles
- Kill Chain Analysis: Attack progression tracking
- Predictive Analytics: Threat forecasting
API Features
- GraphQL API: Flexible threat queries
- REST API: Standard operations
- OAuth 2.0: Secure authentication
- Real-time Updates: Streaming intelligence
- Batch Queries: Bulk analysis
- ML Models: AI-powered insights
- Custom Queries: Advanced hunting
- Data Export: Intelligence sharing
What You Can Do with CrowdStrike Threat Graph MCP Server
The MCP server transforms CrowdStrike Threat Graph API into a natural language interface, enabling AI agents to:
Threat Intelligence
- Actor Intelligence
  - "Show activity from APT groups"
  - "Track Lazarus Group campaigns"
  - "Find ransomware operators"
  - "Monitor nation-state actors"
- Campaign Analysis
  - "Identify active campaigns"
  - "Track campaign evolution"
  - "Link related attacks"
  - "Predict next targets"
- TTPs Mapping
  - "Map to MITRE ATT&CK"
  - "Show common techniques"
  - "Track tactic changes"
  - "Identify new procedures"
Advanced Hunting
- Behavioral Queries
  - "Find process injection patterns"
  - "Hunt for living-off-the-land"
  - "Detect lateral movement"
  - "Search for data exfiltration"
- Anomaly Detection
  - "Identify unusual behaviors"
  - "Find outlier processes"
  - "Detect rare connections"
  - "Track privilege escalation"
- Correlation Analysis
  - "Link related events"
  - "Build attack timelines"
  - "Connect indicators"
  - "Map relationships"
Graph Analytics
- Entity Relationships
  - "Show process lineage"
  - "Map network connections"
  - "Track file relationships"
  - "Analyze user behavior"
- Pattern Recognition
  - "Identify attack patterns"
  - "Find similar threats"
  - "Detect recurring behaviors"
  - "Cluster related activity"
- Temporal Analysis
  - "Build attack timelines"
  - "Track threat evolution"
  - "Analyze dwell time"
  - "Measure attack velocity"
Indicator Analysis
- IOC Enrichment
  - "Enrich file hashes"
  - "Analyze IP reputation"
  - "Check domain intelligence"
  - "Verify email addresses"
- Threat Context
  - "Show related campaigns"
  - "Link to threat actors"
  - "Provide kill chain context"
  - "Display confidence scores"
- Historical Analysis
  - "Track indicator history"
  - "Show first seen dates"
  - "Analyze prevalence"
  - "Monitor trends"
AI-Powered Insights
- Predictive Analytics
  - "Forecast attack likelihood"
  - "Predict next targets"
  - "Assess risk levels"
  - "Estimate impact"
- Behavioral Modeling
  - "Model normal behavior"
  - "Detect deviations"
  - "Score anomalies"
  - "Classify threats"
- Automated Analysis
  - "Auto-classify threats"
  - "Generate hypotheses"
  - "Suggest investigations"
  - "Recommend responses"
Global Threat Landscape
- Geographic Analysis
  - "Show threats by region"
  - "Track global campaigns"
  - "Monitor hotspots"
  - "Analyze targeting"
- Industry Targeting
  - "Track sector threats"
  - "Identify targeted industries"
  - "Monitor vertical-specific attacks"
  - "Assess industry risk"
- Threat Trending
  - "Show emerging threats"
  - "Track threat velocity"
  - "Monitor technique adoption"
  - "Predict future trends"
Attack Chain Analysis
- Kill Chain Mapping
  - "Map full attack chain"
  - "Identify entry points"
  - "Track lateral movement"
  - "Show exfiltration paths"
- Impact Assessment
  - "Calculate blast radius"
  - "Identify affected systems"
  - "Assess data exposure"
  - "Estimate damage"
- Attribution Analysis
  - "Link to known actors"
  - "Compare techniques"
  - "Analyze infrastructure"
  - "Build attribution confidence"
Integration & Enrichment
- SIEM Enrichment
  - "Enhance SIEM alerts"
  - "Provide threat context"
  - "Add intelligence data"
  - "Improve detection accuracy"
- Threat Feeds
  - "Export custom feeds"
  - "Generate STIX/TAXII"
  - "Create blocklists"
  - "Share intelligence"
- API Integration
  - "Query via GraphQL"
  - "Stream updates"
  - "Batch operations"
  - "Custom webhooks"
Prerequisites
- Access to Cequence AI Gateway
- CrowdStrike Threat Graph access
- API client credentials
- Appropriate API scopes
Step 1: Create CrowdStrike API Client
1.1 Access Falcon Console
- Log in to CrowdStrike Falcon
- Navigate to Support > API Clients and Keys
- Click Create API Client
1.2 Configure API Client
- Fill in details:
  - Client Name: "AI Gateway Threat Graph MCP"
  - Description: "Threat intelligence and hunting"
  - API Scopes: Select Threat Graph scopes
1.3 Select API Scopes
Required scopes:
- Threat Graph: Read
- Intel: Read
- Indicators: Read
- Actors: Read
- Reports: Read
1.4 Save Credentials
- Click Create
- Copy Client ID
- Copy Client Secret
- Note your Base URL
Steps 2-4: Standard Setup
Follow standard steps to access AI Gateway, find CrowdStrike Threat Graph API, and create MCP server.
Step 5: Configure API Endpoints
- Base URL: https://api.crowdstrike.com
- GraphQL Endpoint: /graphql
- Select endpoints:
  - Threat Graph endpoints
  - Intel endpoints
  - Indicators endpoints
- Click Next
Step 6: MCP Server Configuration
- Name: "CrowdStrike Threat Graph"
- Description: "Threat intelligence and analytics"
- Configure production mode
- Click Next
Step 7: Configure Authentication
- Authentication Type: OAuth 2.0 (Client Credentials)
- Token URL: https://api.crowdstrike.com/oauth2/token
- Grant Type: client_credentials
- Enter Client ID and Secret
Available CrowdStrike Threat Graph API Scopes
Threat Intelligence
- Threat Graph
  - threat-graph:read: Query threat data
  - threat-graph:write: Update custom intel
- Intelligence
  - intel:read: Access threat intelligence
  - actors:read: View threat actors
  - indicators:read: Access indicators
Analytics & Hunting
- Hunting
  - hunt:read: Execute hunt queries
  - hunt:write: Save hunt queries
- Analytics
  - analytics:read: Access analytics
  - ml-models:read: Use ML models
Recommended Scope Combinations
For Threat Analysts:
- threat-graph:read
- intel:read
- actors:read
- indicators:read
- hunt:read
For Threat Hunters:
- threat-graph:read
- threat-graph:write
- hunt:read
- hunt:write
- analytics:read
- ml-models:read
Steps 8-10: Complete Setup
Configure security, choose deployment, and deploy.
Using Your CrowdStrike Threat Graph MCP Server
With Claude Desktop
{
  "servers": {
    "crowdstrike-threat-graph": {
      "url": "your-mcp-server-url",
      "auth": {
        "type": "oauth2",
        "client_id": "your-client-id",
        "grant_type": "client_credentials"
      }
    }
  }
}
Natural Language Commands
- "Show recent APT28 activity patterns"
- "Hunt for PowerShell Empire indicators"
- "Analyze relationships for hash abc123"
- "Find similar attacks to incident 54321"
- "Track Cobalt Strike beacon patterns"
API Integration Example
// Initialize MCP client
// Assumption: MCPClient comes from the MCP client SDK used with the gateway;
// import it from that package before running this snippet.
const mcpClient = new MCPClient({
  serverUrl: 'your-mcp-server-url',
  auth: {
    type: 'oauth2',
    clientId: 'your-client-id',
    clientSecret: 'your-client-secret',
    grantType: 'client_credentials'
  }
});

// Execute GraphQL threat hunt
const huntQuery = `
  query ThreatHunt($filter: String!, $limit: Int) {
    events(filter: $filter, limit: $limit) {
      nodes {
        id
        timestamp
        process {
          name
          commandLine
          sha256
          parent {
            name
            commandLine
          }
        }
        network {
          remoteAddress
          remotePort
          protocol
        }
        indicators {
          type
          value
          confidence
          actor {
            name
            aliases
          }
        }
      }
    }
  }
`;

const huntResults = await mcpClient.crowdstrike.threatGraph.query({
  query: huntQuery,
  variables: {
    filter: "process.name:powershell.exe AND network.remotePort:443",
    limit: 100
  }
});

// Analyze threat actor
const actorIntel = await mcpClient.crowdstrike.intel.getActor({
  slug: "lazarus-group"
});

console.log(`Actor: ${actorIntel.name}`);
console.log(`Aliases: ${actorIntel.aliases.join(', ')}`);
console.log(`First Active: ${actorIntel.first_activity_date}`);
console.log(`Target Industries: ${actorIntel.target_industries.join(', ')}`);
console.log(`Target Countries: ${actorIntel.target_countries.join(', ')}`);

// Get actor TTPs
const ttps = await mcpClient.crowdstrike.intel.getActorTTPs({
  actor: "lazarus-group",
  framework: "mitre-attack"
});

// Enrich indicators (sample values only)
const indicators = [
  { type: "sha256", value: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" },
  { type: "domain", value: "malicious-c2.com" },
  { type: "ip", value: "192.168.1.100" }
];

const enrichment = await mcpClient.crowdstrike.threatGraph.enrichIndicators({
  indicators: indicators
});

for (const result of enrichment.results) {
  console.log(`\nIndicator: ${result.indicator.value}`);
  console.log(`Type: ${result.indicator.type}`);
  console.log(`Malicious Confidence: ${result.malicious_confidence}`);
  console.log(`First Seen: ${result.first_seen}`);
  console.log(`Last Seen: ${result.last_seen}`);
  console.log(`Related Actors: ${result.actors.map(a => a.name).join(', ')}`);
  console.log(`Kill Chain: ${result.kill_chain_phases.join(' -> ')}`);
}

// Behavioral analytics query
const behaviorQuery = `
  query BehavioralAnalytics($timeRange: TimeRange!) {
    anomalies(timeRange: $timeRange) {
      nodes {
        id
        score
        type
        description
        entity {
          type
          name
          id
        }
        relatedEvents {
          count
          sample {
            id
            timestamp
            description
          }
        }
        mlModel {
          name
          version
          confidence
        }
      }
    }
  }
`;

const anomalies = await mcpClient.crowdstrike.threatGraph.query({
  query: behaviorQuery,
  variables: {
    timeRange: {
      start: "2025-01-01T00:00:00Z",
      end: "2025-01-31T23:59:59Z"
    }
  }
});

// Attack pattern analysis
const patternAnalysis = await mcpClient.crowdstrike.threatGraph.analyzePattern({
  pattern: {
    name: "Credential Dumping Pattern",
    events: [
      {
        process: "lsass.exe",
        action: "process_access",
        access_mask: "0x1010"
      },
      {
        process: "mimikatz.exe",
        action: "process_create"
      }
    ],
    timeWindow: "5m"
  }
});

// Campaign correlation
const campaign = await mcpClient.crowdstrike.intel.correlateActivity({
  indicators: ["c2-domain.com", "malware-hash-123"],
  timeRange: "30d",
  minConfidence: 0.7
});

console.log(`Campaign Name: ${campaign.name}`);
console.log(`Attribution: ${campaign.attribution.actor} (${campaign.attribution.confidence}%)`);
console.log(`Target Sectors: ${campaign.targeted_sectors.join(', ')}`);
console.log(`Countries: ${campaign.affected_countries.join(', ')}`);

// Predictive threat analysis
const prediction = await mcpClient.crowdstrike.threatGraph.predictThreats({
  entity: {
    type: "organization",
    industry: "financial_services",
    geography: "north_america",
    security_posture: {
      patch_compliance: 0.85,
      endpoint_coverage: 0.92,
      user_training: 0.78
    }
  },
  timeframe: "next_30_days"
});

console.log("\nThreat Predictions:");
for (const threat of prediction.likely_threats) {
  console.log(`- ${threat.name}: ${threat.probability}% chance`);
  console.log(`  Recommended actions: ${threat.mitigations.join(', ')}`);
}

// Export threat intelligence
const threatFeed = await mcpClient.crowdstrike.threatGraph.exportFeed({
  format: "stix2",
  filters: {
    confidence: { min: 80 },
    severity: ["high", "critical"],
    updated_after: "2025-01-01"
  },
  include: ["indicators", "actors", "campaigns", "ttps"]
});

// Graph traversal for investigation
const investigation = await mcpClient.crowdstrike.threatGraph.traverse({
  startNode: {
    type: "file",
    id: "file-hash-xyz"
  },
  traversalSpec: {
    maxDepth: 5,
    relationships: ["created_by", "downloaded_from", "executed_by", "connected_to"],
    nodeTypes: ["process", "network", "file", "user"]
  }
});

// Visualize the graph (GraphML export for a graph viewer of your choice)
const graphViz = investigation.toGraphML();
console.log(`Found ${investigation.nodes.length} related entities`);
console.log(`Discovered ${investigation.edges.length} relationships`);
Common Use Cases
Threat Hunting
- Advanced persistent threat hunting
- Behavioral pattern detection
- Anomaly investigation
- Zero-day discovery
Intelligence Analysis
- Threat actor profiling
- Campaign attribution
- TTP analysis
- Strategic intelligence
Incident Investigation
- Root cause analysis
- Lateral movement tracking
- Impact assessment
- Evidence correlation
Predictive Security
- Risk forecasting
- Attack prediction
- Threat modeling
- Proactive defense
Security Best Practices
- API Security:
  - Limit scope access
  - Rotate credentials
  - Monitor query patterns
  - Implement rate limiting
- Data Handling:
  - Classify intelligence data
  - Implement need-to-know
  - Audit data access
  - Secure data storage
- Query Safety:
  - Validate query inputs
  - Limit query complexity
  - Monitor resource usage
  - Implement timeouts
Troubleshooting
Common Issues
- Query Performance
  - Optimize GraphQL queries
  - Use pagination
  - Implement caching
  - Monitor query complexity
- Data Quality
  - Verify indicator formats
  - Check data freshness
  - Validate enrichment results
  - Review confidence scores
- Integration Issues
  - Test GraphQL endpoint
  - Verify authentication
  - Check rate limits
  - Review error messages
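As an added example (not code from this page, from the Cequence gateway or from CrowdStrike), the guardrails below show one way an MCP server can apply the Query Safety points (validate inputs, limit complexity, implement timeouts) and the Data Quality point (verify indicator formats) to agent-supplied input before it is forwarded to Threat Graph: format checks for the sha256/domain/ip indicator types used in the enrichment example, a depth and limit cap on GraphQL hunt queries, and a timeout wrapper. The cap values are assumed.

```javascript
// Added example (not from the page or the gateway/CrowdStrike SDKs): guardrails an MCP
// server applies to agent-supplied input before it reaches Threat Graph. Caps are assumed.
const MAX_DEPTH = 6;          // deepest selection-set nesting accepted
const MAX_LIMIT = 500;        // hard cap on a hunt's `limit` variable
const MAX_FILTER_LEN = 1024;  // hard cap on a hunt's `filter` string
const QUERY_TIMEOUT_MS = 10_000;

// Accepted formats for the indicator types used in the enrichment example above.
const INDICATOR_PATTERNS = {
  sha256: /^[0-9a-f]{64}$/i,
  domain: /^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$/i,
  ip: /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/,
};

// Drop indicators of unknown type or malformed value before any enrichment call.
function validateIndicators(indicators) {
  return indicators.filter(({ type, value }) => {
    const re = INDICATOR_PATTERNS[type];
    return Boolean(re && typeof value === 'string' && re.test(value.trim()));
  });
}

// Nesting depth of a GraphQL document, counted from its selection-set braces.
function graphqlDepth(query) {
  let depth = 0, max = 0;
  for (const ch of query) {
    if (ch === '{') max = Math.max(max, ++depth);
    else if (ch === '}') depth--;
  }
  return max;
}

// Reject over-deep queries and oversized filters; clamp the limit variable.
function checkHunt(query, variables) {
  if (graphqlDepth(query) > MAX_DEPTH) throw new Error('query too deep');
  const { filter, limit } = variables;
  if (typeof filter !== 'string' || !filter.trim() || filter.length > MAX_FILTER_LEN) {
    throw new Error('invalid filter');
  }
  const n = Number(limit);
  return { query, variables: { ...variables, limit: n > 0 ? Math.min(n, MAX_LIMIT) : MAX_LIMIT } };
}

// Race a query promise against a timer so a slow hunt cannot hold the server.
function withTimeout(promise, ms = QUERY_TIMEOUT_MS) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('query timed out')), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}
```

Wrap the page's hunt as `withTimeout(mcpClient.crowdstrike.threatGraph.query(checkHunt(huntQuery, variables)))` and pass `validateIndicators(indicators)` to `enrichIndicators` to apply the checks.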
Getting Help
- Documentation: AI Gateway Docs
- Support: support@cequence.ai
- CrowdStrike Support: supportportal.crowdstrike.com