CrowdStrike Falcon Advanced MCP server
CrowdStrike Falcon Advanced provides sophisticated security capabilities including threat intelligence, malware sandboxing, cloud security, and identity protection. This MCP server enables AI agents to analyze malware, assess cloud configurations, hunt for threats, and detect identity-based attacks across your entire security infrastructure.
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, add it to the AI client your team uses. Setup instructions are provided separately for each supported client; select yours to see the steps.
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Authentication
CrowdStrike Falcon Advanced uses OAuth 2.0 client credentials authentication. Create an API client in Falcon Console under Support > API Clients & Keys and note your Client ID and Client Secret. The token URL is https://api.crowdstrike.com/oauth2/token (adjust for your region if using US-2, EU-1, or government clouds). Request scopes based on your use case: threat intelligence modules use intel:read and iocs:read/write, sandbox analysis uses specific sandbox scopes, cloud security uses CSPM and container-related scopes, and identity protection uses identity and zero-trust assessment scopes. Not all scopes may be available depending on your Falcon subscription level.
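The client-credentials exchange described above, as an added example that is not Cequence or CrowdStrike code. It assumes a Client ID and Client Secret created under Support > API Clients & Keys, the US-1 token URL https://api.crowdstrike.com/oauth2/token (other regions are passed in as a different `base_url`), and a standard OAuth 2.0 token response carrying `access_token`, `token_type` and `expires_in`. The `post` and `clock` hooks exist only so the exchange can be exercised offline; by default it performs a real HTTPS POST.

```python
"""Client-credentials token helper for the CrowdStrike Falcon OAuth2 endpoint.

Added example, not Cequence or CrowdStrike code. Assumptions:
- a Client ID / Client Secret from Support > API Clients & Keys
- token endpoint https://api.crowdstrike.com/oauth2/token (US-1); other
  regions supply a different `base_url`
- a standard OAuth 2.0 token response: access_token, token_type, expires_in
"""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional

TOKEN_PATH = "/oauth2/token"
# Refresh this many seconds before the token would actually expire so an
# in-flight request never carries a token that dies mid-request.
REFRESH_SKEW_SECONDS = 60


def build_token_request(base_url: str, client_id: str, client_secret: str) -> tuple:
    """Return (url, form-encoded body, headers) for the client-credentials grant.

    The credentials go in an application/x-www-form-urlencoded POST body, not
    the query string, so the secret never lands in logs that record URLs.
    """
    url = base_url.rstrip("/") + TOKEN_PATH
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return url, body, headers


def parse_token_response(raw: bytes, now: float) -> tuple:
    """Extract the bearer token and compute an absolute refresh-by timestamp."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response keys: %s" % sorted(data))
    expires_at = now + float(data["expires_in"]) - REFRESH_SKEW_SECONDS
    return data["access_token"], expires_at


@dataclass
class FalconTokenProvider:
    client_id: str
    client_secret: str = field(repr=False)  # keep the secret out of repr()/logs
    base_url: str = "https://api.crowdstrike.com"
    # Injected for offline testing; defaults to a real HTTPS POST.
    post: Optional[Callable[[str, bytes, dict], bytes]] = None
    clock: Callable[[], float] = time.time
    fetches: int = field(default=0, init=False)
    _token: Optional[str] = field(default=None, init=False, repr=False)
    _expires_at: float = field(default=0.0, init=False)

    def _do_post(self, url: str, body: bytes, headers: dict) -> bytes:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()

    def token(self) -> str:
        """Return a valid token, fetching a new one only when the cached one is near expiry."""
        now = self.clock()
        if self._token is None or now >= self._expires_at:
            url, body, headers = build_token_request(
                self.base_url, self.client_id, self.client_secret
            )
            raw = (self.post or self._do_post)(url, body, headers)
            self._token, self._expires_at = parse_token_response(raw, now)
            self.fetches += 1
        return self._token

    def auth_header(self) -> dict:
        """Header to attach to every Falcon API call made on behalf of the agent."""
        return {"Authorization": "Bearer " + self.token()}
```

Caching the token and refreshing it ahead of `expires_in` keeps the gateway from hitting the token endpoint on every tool call, which matters when an agent fans out many indicator lookups during an investigation.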
Available tools
These tools enable threat intelligence enrichment, malware analysis, cloud security assessment, and identity threat detection across your enterprise environment.
Threat Intelligence
| Tool | Description |
|---|---|
| Search indicators | Query threat intelligence for malicious IPs, domains, file hashes, or email addresses |
| Get indicator details | Retrieve context including malware families, campaigns, and threat actors |
| Search threat actors | Find information on known APT groups, their tactics, and targeting |
| Get actor profile | Fetch detailed TTP, infrastructure, and campaign history for threat actors |
Falcon X Sandbox
| Tool | Description |
|---|---|
| Submit sample | Upload file or URL for behavioral malware analysis |
| Get analysis report | Retrieve sandbox execution results and detected behaviors |
| Query file hash | Check if hash has been analyzed previously in sandbox |
| Extract IOCs | Retrieve indicators discovered during malware analysis |
Cloud Security
| Tool | Description |
|---|---|
| Run assessment | Scan AWS, Azure, or GCP environment for misconfigurations |
| Get findings | Retrieve cloud security posture findings and risk scores |
| Check compliance | Verify alignment with CIS, PCI-DSS, or other frameworks |
| Scan container | Analyze container images for vulnerabilities and misconfigurations |
Identity Protection
| Tool | Description |
|---|---|
| Find identity risks | Detect privilege escalation, lateral movement, and credential attacks |
| Get user risk score | Calculate identity risk based on behavior and vulnerabilities |
| Check AD vulnerabilities | Assess Active Directory misconfigurations and security gaps |
| Find shadow admins | Identify hidden administrative privileges and escalation paths |
Tips
- Implement rate limiting and caching for threat intelligence lookups, which may be called frequently during incident response.
- Set appropriate timeouts and poll for results rather than blocking when sandbox submissions are in progress, as submissions can take time to complete.
- Restrict cloud security scanning to off-peak hours to avoid impacting cloud workloads.
- Combine multiple data sources — threat intelligence, sandbox results, and cloud findings — to build comprehensive threat profiles.
- Use identity risk scores to prioritize which accounts to investigate or lock down first during incident response.
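The first two tips above (cached, rate-limited indicator lookups, and timeout-bounded polling for sandbox reports) as one added example; this is not Cequence or CrowdStrike code. The `lookup` and `get_report` callables stand in for the Search indicators and Get analysis report tools, and the report shape (`state` of `finished` or `failed` meaning terminal) is an assumption, not the real Falcon X response.

```python
"""Lookup caching, rate limiting and non-blocking sandbox polling.

Added example, not Cequence or CrowdStrike code. `lookup` and `get_report`
are hypothetical stand-ins for the Search indicators and Get analysis report
tools; the report's `state` field and its terminal values are assumed.
"""
import time
from collections import OrderedDict
from typing import Callable, Optional


class TokenBucket:
    """Allows at most `rate` calls per second, with bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int, clock=time.time):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = float(capacity)
        self.last = clock()

    def try_acquire(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class TTLCache:
    """Bounded LRU cache with per-entry expiry; verdicts go stale, so keep the TTL short."""

    def __init__(self, ttl_seconds: float, max_entries: int = 10_000, clock=time.time):
        self.ttl, self.max_entries, self.clock = ttl_seconds, max_entries, clock
        self._data = OrderedDict()  # key -> (expires_at, value)

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        expires_at, value = item
        if self.clock() >= expires_at:
            del self._data[key]
            return None
        self._data.move_to_end(key)
        return value

    def put(self, key, value):
        self._data[key] = (self.clock() + self.ttl, value)
        self._data.move_to_end(key)
        while len(self._data) > self.max_entries:
            self._data.popitem(last=False)


class IndicatorEnricher:
    """Serves repeat lookups from cache and never exceeds the configured API budget."""

    def __init__(self, lookup: Callable[[str], dict], bucket: TokenBucket, cache: TTLCache):
        self.lookup, self.bucket, self.cache = lookup, bucket, cache
        self.api_calls = 0

    def enrich(self, indicator: str) -> Optional[dict]:
        # Normalise so "EVIL.example" and "evil.example" share one cache entry.
        key = indicator.strip().lower()
        hit = self.cache.get(key)
        if hit is not None:
            return hit
        if not self.bucket.try_acquire():
            return None  # over budget: the caller retries later instead of hammering the API
        result = self.lookup(key)
        self.api_calls += 1
        self.cache.put(key, result)
        return result


def poll_sandbox_report(get_report: Callable[[str], dict], submission_id: str, *,
                        timeout_seconds: float, initial_interval: float = 5.0,
                        max_interval: float = 60.0, clock=time.time, sleep=time.sleep) -> dict:
    """Poll with exponential backoff until the report is terminal or the deadline passes."""
    deadline = clock() + timeout_seconds
    interval = initial_interval
    while True:
        report = get_report(submission_id)
        if report.get("state") in ("finished", "failed"):  # assumed terminal states
            return report
        if clock() + interval > deadline:
            raise TimeoutError(
                f"sandbox submission {submission_id} not finished after {timeout_seconds}s"
            )
        sleep(interval)
        interval = min(interval * 2, max_interval)
```

Returning `None` from `enrich` when the bucket is empty, rather than sleeping inside the tool, keeps the MCP call within the server's configured Timeout; the agent can queue the indicator and retry. The same applies to the poller: callers should pass a `timeout_seconds` below the gateway timeout so a slow submission surfaces as a clear `TimeoutError` instead of a hung request.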
Cequence AI Gateway