CrowdStrike Falcon Discover MCP server
CrowdStrike Falcon Discover provides comprehensive visibility into managed and unmanaged assets across your environment. This MCP server enables AI agents to discover IT assets, track software inventory, identify cloud resources, and assess security coverage gaps without deploying additional sensors.
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, you'll need to add it to the AI client your team uses.
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Authentication
CrowdStrike Falcon Discover uses the OAuth 2.0 client credentials flow. Create an API client in Falcon Console at Support > API Clients and Keys and save your Client ID and Client Secret. The OAuth token endpoint is https://api.crowdstrike.com/oauth2/token. Request the following scopes:
- discover:read and discover:write for asset discovery
- hosts:read for host inventory
- applications:read for software tracking
- accounts:read for user discovery
- cloud-assets:read (optional) for cloud resource visibility
- iot:read (optional) for IoT device discovery
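The following is an added example, not code from AI Gateway or CrowdStrike: it derives the smallest scope set for a read-only or read-write server from the scopes listed above, diffs it against the scopes configured on an API client, and builds the client credentials token request. The function names and the read-only/read-write split are assumptions that follow the earlier tips, and the request body assumes the standard RFC 6749 form parameters.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.crowdstrike.com/oauth2/token"  # endpoint given on the page

# Scope names as listed on the page.
BASE_READ = {"discover:read", "hosts:read", "applications:read", "accounts:read"}
OPTIONAL_READ = {"cloud": "cloud-assets:read", "iot": "iot:read"}
WRITE = {"discover:write"}


def scopes_for(read_write=False, cloud=False, iot=False):
    """Smallest scope set for one MCP server profile (assumed split, see lead-in)."""
    scopes = set(BASE_READ)
    if cloud:
        scopes.add(OPTIONAL_READ["cloud"])
    if iot:
        scopes.add(OPTIONAL_READ["iot"])
    if read_write:
        scopes |= WRITE
    return scopes


def audit_scopes(configured, **profile):
    """Diff the scopes on an API client against what the profile needs."""
    wanted, have = scopes_for(**profile), set(configured)
    return {"excess": sorted(have - wanted), "missing": sorted(wanted - have)}


def build_token_request(client_id, client_secret):
    """RFC 6749 section 4.4 client-credentials request; nothing is sent here."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    return urllib.request.Request(
        TOKEN_URL, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def fetch_token(client_id, client_secret, timeout=30):
    """Send the request; keep the returned token out of logs and prompts."""
    req = build_token_request(client_id, client_secret)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Constructed sample: scopes ticked on an API client meant for a reporting agent.
    print(audit_scopes(["discover:read", "discover:write", "hosts:read",
                        "applications:read"]))
```

An `excess` entry on a read-only profile is a scope to remove from the API client before deploying the server; a `missing` entry means some tools will fail with authorization errors.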
Available tools
These tools enable IT asset discovery, software inventory management, cloud asset visibility, and coverage gap analysis across your entire organization.
Asset Discovery
| Tool | Description |
|---|---|
| List discovered assets | Query assets by type, status, discovered date, or location |
| Get asset details | Fetch device configuration, software, accounts, and risk profile |
| Find unmanaged devices | Identify endpoints without security agents installed |
| Search by attribute | Query assets by IP, MAC address, hostname, domain, or owner |
Application & Software Management
| Tool | Description |
|---|---|
| List installed applications | Retrieve software inventory across discovered endpoints |
| Query by software | Find all devices running a specific application or version |
| Check license compliance | Query applications to identify unlicensed or unlicensable software |
| Find EOL software | Identify unsupported or end-of-life applications and operating systems |
Account & Identity Discovery
| Tool | Description |
|---|---|
| List user accounts | Query local and domain user accounts across endpoints |
| Find service accounts | Identify system and service accounts for inventory |
| Detect stale accounts | Find unused or orphaned user accounts |
| Search cloud accounts | Discover cloud identities (AWS, Azure, GCP) and OAuth apps |
Cloud & IoT Resources
| Tool | Description |
|---|---|
| List cloud instances | Discover AWS, Azure, GCP, and Kubernetes resources |
| Find cloud storage | Identify exposed S3 buckets, Azure blobs, or GCS buckets |
| Detect IoT devices | Find connected IoT, OT, and smart devices on the network |
| Query containers | Retrieve Docker containers and Kubernetes cluster inventory |
Reporting & Analysis
| Tool | Description |
|---|---|
| Generate asset report | Create inventory reports filtered by criteria |
| Calculate coverage | Measure percentage of assets with security agents |
| Find coverage gaps | Identify unprotected assets and blind spots |
| Export inventory | Extract asset data for CMDB or ticketing system sync |
Tips
- Regularly run discovery queries to maintain accurate asset inventory.
- Schedule periodic full scans to catch shadow IT.
- Focus discovery scopes to business-critical segments first to avoid overwhelming the inventory with test or abandoned systems.
- Integrate asset discovery with CMDB (ServiceNow, Remedy) sync to keep IT and security teams aligned on what's actually deployed.
- Use coverage gap analysis to justify security tool investments and measure program maturity.
- Flag newly discovered assets for rapid onboarding to ensure security agents deploy quickly.
Cequence AI Gateway