# Set up CrowdStrike Falcon MCP Server

> Run the Falcon MCP server in TrueFoundry with Falcon API client credentials and least-privilege modules.

The CrowdStrike Falcon MCP server lets agents query detections, incidents, threat intelligence, hosts, vulnerabilities, and other Falcon modules. It is commonly run as a hosted stdio server with Falcon credentials injected through environment variables.

## Prerequisites

* A TrueFoundry account with permission to add MCP servers.
* A CrowdStrike Falcon subscription with API access.
* Falcon API client credentials for each user or a shared service account.

## Create Falcon API Credentials

In Falcon, go to **Support** > **API Clients and Keys**, click **Add new API client**, and select only the API scopes needed by your enabled modules.

| Module     | Required scopes                                              |
| ---------- | ------------------------------------------------------------ |
| Detections | `Alerts:read`                                                |
| Incidents  | `Incidents:read`                                             |
| Hosts      | `Hosts:read`                                                 |
| Intel      | Falcon Intelligence actor, indicator, and report read scopes |
| Spotlight  | `Vulnerabilities:read`                                       |
| NGSIEM     | `NGSIEM:read`, optional `NGSIEM:write`                       |

Copy the Client ID and Client Secret immediately.

## Register in TrueFoundry

Create a **Hosted Stdio-based MCP Server** with:

| Field                     | Value                                                                                        |
| ------------------------- | -------------------------------------------------------------------------------------------- |
| **Command**               | `uvx`                                                                                        |
| **Arguments**             | `falcon-mcp`                                                                                 |
| **Environment variables** | `FALCON_BASE_URL`, `FALCON_CLIENT_ID`, `FALCON_CLIENT_SECRET`, optional `FALCON_MCP_MODULES` |

Use `https://api.crowdstrike.com` for US-1, `https://api.us-2.crowdstrike.com` for US-2, `https://api.eu-1.crowdstrike.com` for EU-1, and `https://api.laggar.gcw.crowdstrike.com` for US-GOV.

For per-user credentials, set `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` as templated env vars and have users add Auth Overrides.

## Security Notes

Grant only the Falcon scopes required by the modules you expose. CrowdStrike notes that this MCP server is preview software, so validate it carefully before production use.
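
One way to check least privilege before registering the server, as an added example that is not part of the TrueFoundry or CrowdStrike documentation: it compares the scopes granted to an API client against what the enabled modules need according to the table above. It assumes `FALCON_MCP_MODULES` is a comma-separated list of lowercase module names and that leaving it unset enables every module; the granted-scope list is copied by hand from the Falcon console, and Intel is left unmapped because this page does not give its exact scope strings.

```python
# Module -> required scopes, copied from the table on this page.
# "intel" is deliberately absent: the page names no exact scope strings for it.
REQUIRED = {
    "detections": {"Alerts:read"},
    "incidents": {"Incidents:read"},
    "hosts": {"Hosts:read"},
    "spotlight": {"Vulnerabilities:read"},
    "ngsiem": {"NGSIEM:read"},
}
OPTIONAL = {"ngsiem": {"NGSIEM:write"}}
BASE_URLS = {  # regional endpoints listed on this page
    "https://api.crowdstrike.com",
    "https://api.us-2.crowdstrike.com",
    "https://api.eu-1.crowdstrike.com",
    "https://api.laggar.gcw.crowdstrike.com",
}

def audit(env, granted_scopes):
    """Return a list of findings for a planned registration (empty = clean)."""
    findings = []
    base = env.get("FALCON_BASE_URL", "").rstrip("/")
    if base not in BASE_URLS:
        findings.append(f"base-url: {base!r} is not a listed Falcon region")
    raw = env.get("FALCON_MCP_MODULES", "")
    modules = {m.strip().lower() for m in raw.split(",") if m.strip()}
    if not modules:
        # Assumption: an unset variable exposes every module.
        findings.append("modules: FALCON_MCP_MODULES unset, auditing all modules")
        modules = set(REQUIRED)
    required, allowed = set(), set()
    for name in sorted(modules):
        if name not in REQUIRED:
            findings.append(f"unmapped: module {name!r} needs manual scope review")
            continue
        required |= REQUIRED[name]
        allowed |= REQUIRED[name] | OPTIONAL.get(name, set())
    granted = set(granted_scopes)
    findings += [f"missing: {s}" for s in sorted(required - granted)]
    findings += [f"excess: {s}" for s in sorted(granted - allowed)]
    return findings

if __name__ == "__main__":
    # Constructed sample input, not real tenant data.
    env = {"FALCON_BASE_URL": "https://api.us-2.crowdstrike.com",
           "FALCON_MCP_MODULES": "detections,hosts"}
    for line in audit(env, ["Alerts:read", "Hosts:read", "Hosts:write"]):
        print(line)
```

When an `unmapped` finding appears, any `excess` findings may belong to that module and should be reviewed together with it.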
