README.md
Interact with the CrowdStrike Falcon API for managing hosts and detections.
CrowdStrike Falcon MCP Server
A Model Context Protocol (MCP) server for interacting with the CrowdStrike Falcon API. This server provides both STDIO (for MCP-aware clients) and HTTP/REST (for broader interoperability) transport modes.
Features
- Dual Transport Support: Supports both STDIO (MCP protocol) and HTTP/REST simultaneously
- Secure Credential Handling: Credentials can be passed as function parameters or via environment variables
- Multi-tenant Support: Optional tenant ID support for multi-tenant scenarios
- Comprehensive API Coverage: Tools for hosts, detections, IOCs, policies, and more
- Production Ready: Docker support with health checks and GitHub Actions CI/CD
Architecture
┌─────────────────┐ ┌──────────────┐ ┌─────────────────┐
│ MCP Client │─────▶│ STDIO Port │─────▶│ MCP Core │
│ (Claude/Cursor) │ │ (8080) │ │ (FastMCP) │
└─────────────────┘ └──────────────┘ └─────────────────┘
│
┌─────────────────┐ ┌──────────────┐ │
│ REST Client │─────▶│ HTTP Gateway │─────────────┘
│ (curl/Python) │ │ (Port 80) │
└─────────────────┘ └──────────────┘
Installation
Docker (Recommended)
docker pull <your-registry>/crowdstrike-falcon-mcp:latest
docker run -d \
--name crowdstrike-falcon-mcp \
--publish 8080:8080 \
--publish 80:80 \
-e TRANSPORT_MODE=dual \
-e FALCON_API_KEY=your_api_key_here \
<your-registry>/crowdstrike-falcon-mcp:latest
Configuration
Environment Variables
FALCON_API_KEY(orCROWDSTRIKE_API_KEY): Your CrowdStrike API keyFALCON_TENANT_ID(orCROWDSTRIKE_TENANT_ID): Optional tenant ID for multi-tenant scenariosFALCON_API_BASE_URL: API base URL (default:https://api.crowdstrike.com)TRANSPORT_MODE: Transport mode -stdio,http, ordual(default:dual)HTTP_PORT: HTTP server port (default:80)STDIO_PORT: STDIO port (default:8080)
Credential Handling
Security Note: Credentials are never stored. They can be provided in two ways:
- Function Parameters: Pass
api_keyand optionaltenant_idto each tool call - Environment Variables: Set
FALCON_API_KEYand optionallyFALCON_TENANT_ID
Connection Methods
1. STDIO (MCP Protocol)
For MCP-aware clients like Claude Desktop, Cursor, or MCP Toolkit.
Claude Desktop
Add to your Claude Desktop configuration (~/Library/Application Support/Claude/claude_desktop_config.json on macOS):
{
"mcpServers": {
"crowdstrike-falcon": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"<your-registry>/crowdstrike-falcon-mcp:latest",
"python",
"-m",
"src.mcp_server"
],
"env": {
"TRANSPORT_MODE": "stdio"
}
}
}
}
Cursor
Similar configuration in Cursor's MCP settings.
MCP Toolkit
The mcp-toolkit.yml file enables automatic discovery. Place it in your MCP Toolkit configuration directory.
2. HTTP/REST API
For REST clients, curl, Python requests, Node.js fetch, etc.
Health Check
curl http://localhost:80/healthz
List Available Tools
curl http://localhost:80/tools
Call a Tool
curl -X POST http://localhost:80/tools/query_hosts \
-H "Content-Type: application/json" \
-H "X-API-Key: your_api_key_here" \
-d '{
"filter": "hostname:\"example.com\"",
"limit": 10
}'
Python Example
import requests
# Using header for API key
response = requests.post(
"http://localhost:80/tools/query_hosts",
headers={"X-API-Key": "your_api_key_here"},
json={"filter": "hostname:\"example.com\"", "limit": 10}
)
print(response.json())
# Or using body
response = requests.post(
"http://localhost:80/tools/query_hosts",
json={
"api_key": "your_api_key_here",
"filter": "hostname:\"example.com\"",
"limit": 10
}
)
print(response.json())
Node.js Example
const fetch = require('node-fetch');
async function queryHosts() {
const response = await fetch('http://localhost:80/tools/query_hosts', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-API-Key': 'your_api_key_here'
},
body: JSON.stringify({
filter: 'hostname:"example.com"',
limit: 10
})
});
const data = await response.json();
console.log(data);
}
queryHosts();
Available Tools
Host/Device Management
query_hosts: Query hosts/devices with filtersget_host_details: Get detailed information about specific hosts
Detection Management
query_detections: Query detections with filtersget_detection_details: Get detailed information about specific detectionsupdate_detection_status: Update detection status
IOC Management
query_iocs: Query In
Tools (6)
query_hostsQuery hosts/devices with filtersget_host_detailsGet detailed information about specific hostsquery_detectionsQuery detections with filtersget_detection_detailsGet detailed information about specific detectionsupdate_detection_statusUpdate detection statusquery_iocsQuery Indicators of Compromise (IOCs)Environment Variables
FALCON_API_KEYrequiredYour CrowdStrike API keyFALCON_TENANT_IDOptional tenant ID for multi-tenant scenariosFALCON_API_BASE_URLAPI base URL (default: https://api.api.crowdstrike.com)TRANSPORT_MODETransport mode - stdio, http, or dualConfiguration
claude_desktop_config.json
{"mcpServers": {"crowdstrike-falcon": {"command": "docker", "args": ["run", "-i", "--rm", "<your-registry>/crowdstrike-falcon-mcp:latest", "python", "-m", "src.mcp_server"], "env": {"TRANSPORT_MODE": "stdio", "FALCON_API_KEY": "your_api_key_here"}}}}Try it
→Search for all CrowdStrike hosts where the hostname matches 'workstation-01'.
→List the most recent security detections and show me the details for the top one.
→Update the status of detection ID 'det-123' to 'closed' with the comment 'False positive verified'.
→Query the Falcon API for any IOCs related to a specific malicious IP address.