The CrowdStrike Falcon MCP server lets agents query detections, incidents, threat intelligence, hosts, vulnerabilities, and other Falcon modules. It is commonly run as a hosted stdio server with Falcon credentials injected through environment variables.
Prerequisites
- A TrueFoundry account with permission to add MCP servers.
- A CrowdStrike Falcon subscription with API access.
- Falcon API client credentials for each user or a shared service account.
Create Falcon API Credentials
In Falcon, go to Support > API Clients and Keys, click Add new API client, and select only the API scopes needed by your enabled modules.

| Module | Required scopes |
|---|---|
| Detections | Alerts:read |
| Incidents | Incidents:read |
| Hosts | Hosts:read |
| Intel | Falcon Intelligence actor, indicator, and report read scopes |
| Spotlight | Vulnerabilities:read |
| NGSIEM | NGSIEM:read, optional NGSIEM:write |
Register in TrueFoundry
Create a Hosted Stdio-based MCP Server with:

| Field | Value |
|---|---|
| Command | uvx |
| Arguments | falcon-mcp |
| Environment variables | FALCON_BASE_URL, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, optional FALCON_MCP_MODULES |
Set FALCON_BASE_URL to the base URL for your Falcon cloud: https://api.crowdstrike.com for US-1, https://api.us-2.crowdstrike.com for US-2, https://api.eu-1.crowdstrike.com for EU-1, and https://api.laggar.gcw.crowdstrike.com for US-GOV.
For per-user credentials, set FALCON_CLIENT_ID and FALCON_CLIENT_SECRET as templated env vars and have users add Auth Overrides.
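
A preflight check for the settings above, added here as an example and not taken from TrueFoundry or CrowdStrike code: it rejects a base URL outside the four listed clouds (the client secret is sent to that host) and compares the scopes granted to the API client against the scope table for the enabled modules. Assumptions: `preflight` is a hypothetical helper, `FALCON_MCP_MODULES` is a comma-separated list of lowercase module names, and `granted_scopes` is the scope list copied by hand from the API client's entry in Falcon.

```python
# Values copied from this page's tables; lowercase module keys are an assumption.
BASE_URLS = {
    "https://api.crowdstrike.com": "US-1",
    "https://api.us-2.crowdstrike.com": "US-2",
    "https://api.eu-1.crowdstrike.com": "EU-1",
    "https://api.laggar.gcw.crowdstrike.com": "US-GOV",
}
# None: the page names no exact scope strings for Intel, so it is not checked.
REQUIRED = {
    "detections": {"Alerts:read"},
    "incidents": {"Incidents:read"},
    "hosts": {"Hosts:read"},
    "intel": None,
    "spotlight": {"Vulnerabilities:read"},
    "ngsiem": {"NGSIEM:read"},
}
OPTIONAL = {"ngsiem": {"NGSIEM:write"}}


def preflight(env, granted_scopes):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    url = env.get("FALCON_BASE_URL", "").strip().rstrip("/")
    if url not in BASE_URLS:
        # The client secret is sent to this host, so only listed endpoints pass.
        findings.append(f"FALCON_BASE_URL {url!r} is not a listed Falcon cloud")
    for key in ("FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET"):
        if not env.get(key, "").strip():
            findings.append(f"{key} is empty")
    # Assumption: FALCON_MCP_MODULES is a comma-separated list of module names.
    raw = env.get("FALCON_MCP_MODULES", "")
    modules = [m.strip().lower() for m in raw.split(",") if m.strip()]
    if not modules:
        return findings + ["FALCON_MCP_MODULES unset: scope check skipped"]
    needed, allowed, unchecked = set(), set(), False
    for m in modules:
        if m not in REQUIRED:
            findings.append(f"module {m} is not in the scope table")
        if REQUIRED.get(m) is None:
            unchecked = True  # excess scopes cannot be judged for this module
            continue
        needed |= REQUIRED[m]
        allowed |= OPTIONAL.get(m, set())
    granted = set(granted_scopes)
    findings += [f"missing scope {s}" for s in sorted(needed - granted)]
    if not unchecked:
        findings += [f"excess scope {s}" for s in sorted(granted - needed - allowed)]
    return findings
```

Run it in the pipeline that registers the server, with the same environment the hosted process will receive, and block the registration when the returned list is not empty.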