
CrowdStrike Falcon MCP server

CrowdStrike Falcon is a cloud-native endpoint protection platform delivering next-generation antivirus, endpoint detection and response (EDR), and threat hunting. This MCP server enables AI agents to access detections, manage endpoints, execute incident response, and perform threat hunting directly from your AI Gateway.

Setting up an MCP server

This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.

Before you begin

You'll need:

  • Access to AI Gateway with permission to create MCP servers
  • API credentials for the application you're connecting (see the relevant application page for what to collect)

Create an MCP server

Find the API in the catalog

  1. Sign in to AI Gateway and select MCP Servers from the left navigation.
  2. Select New MCP Server.
  3. Search for the application you want to connect, then select it from the catalog.

Configure the server

  1. Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
  2. Enter a Description so your team knows what the server is for.
  3. Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
  4. Toggle Production mode on if this server will be used in a live workflow.
  5. Select Next.

Configure authentication

Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.

Configure security

  1. Set any Rate limits appropriate for your use case and the API's own limits.
  2. Enable Logging if you want AI Gateway to record requests and responses for auditing. Logged responses will contain hostnames, detection details, and anything an RTR command returns, so restrict who can read the logs.
  3. Select Next.

Deploy

Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.


Connect to an AI client

Once your server is deployed, add it to the AI client your team uses. Setup instructions vary by client; select your client to see them.

Tips

  • You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
  • If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
  • You can edit a server's name, description, timeout, and security settings after deployment without redeploying.

Authentication

CrowdStrike Falcon uses OAuth 2.0 with the client credentials grant type. You'll need a CrowdStrike API client with appropriate scopes. Create the client in the Falcon console under Support > API Clients and Keys, then note your Client ID, Client Secret, and Base URL. The client secret is shown only once at creation, so put it in the gateway's credential configuration immediately. The base URL depends on the cloud region your tenant is in: typically https://api.crowdstrike.com (US-1), but other regions use a different API host (for example api.us-2.crowdstrike.com or api.eu-1.crowdstrike.com), and the host is shown on the API client page. The OAuth token endpoint is the base URL plus /oauth2/token (for example https://api.crowdstrike.com/oauth2/token); use the same base URL for every API call. Access tokens are short-lived (about 30 minutes), so the server must cache and refresh them rather than request a new one per call. Common scopes include detections:read, detections:write, hosts:read, hosts:write, real-time-response:write, incidents:read, incidents:write, iocs:read, and iocs:write.
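As an added example (not part of this page, and not CrowdStrike's own SDK), the following Python shows what sits behind this grant: it POSTs the client ID and secret form-encoded to <base URL>/oauth2/token and caches the returned access token, refreshing it a minute before the stated expiry so in-flight calls never hit a 401. The transport and clock are injectable so the demo runs offline; FAKE_TOKEN_RESPONSE mirrors the shape of a real token reply (access_token, expires_in, token_type) but its values are constructed, and the region URL and credentials in demo() are placeholders.

```python
"""OAuth 2.0 client-credentials token handling for the Falcon API (added example)."""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Refresh this many seconds before the stated expiry so a call issued just
# before the token lapses does not fail with 401 mid-flight.
REFRESH_SKEW = 60


def token_endpoint(base_url: str) -> str:
    """The token endpoint is relative to the regional base URL, not a fixed host."""
    return base_url.rstrip("/") + "/oauth2/token"


def build_token_request(base_url: str, client_id: str, client_secret: str):
    """Return (url, form body, headers) for the client-credentials grant."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return token_endpoint(base_url), body, headers


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Dict:
    """Real transport: POST the form and decode the JSON reply. Not used offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


# Constructed reply in the shape Falcon returns; the values are made up.
FAKE_TOKEN_RESPONSE = {"access_token": "eyJ.fake.token", "expires_in": 1799, "token_type": "bearer"}


def fake_transport(url: str, body: bytes, headers: Dict[str, str]) -> Dict:
    """Offline stand-in for urllib_transport that checks the request shape."""
    assert url.endswith("/oauth2/token"), url
    fields = urllib.parse.parse_qs(body.decode())
    assert set(fields) == {"client_id", "client_secret"}, fields
    return dict(FAKE_TOKEN_RESPONSE)


@dataclass
class CachedToken:
    value: str
    expires_at: float  # absolute time on the clock used by the cache


class FalconTokenCache:
    """Hands out a valid bearer token, fetching a new one only when needed."""

    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 transport: Callable = urllib_transport,
                 clock: Callable[[], float] = time.time):
        self.base_url = base_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport
        self.clock = clock
        self.fetches = 0  # round trips to the token endpoint
        self._token: Optional[CachedToken] = None

    def get(self) -> str:
        now = self.clock()
        if self._token and now < self._token.expires_at - REFRESH_SKEW:
            return self._token.value
        url, body, headers = build_token_request(self.base_url, self.client_id, self.client_secret)
        payload = self.transport(url, body, headers)
        self._token = CachedToken(payload["access_token"], now + int(payload["expires_in"]))
        self.fetches += 1
        return self._token.value

    def auth_header(self) -> Dict[str, str]:
        """What every Falcon API call carries; the secret itself never leaves this object."""
        return {"Authorization": "Bearer " + self.get()}


def demo() -> Dict[str, int]:
    """Drive the cache with a fake clock: one fetch, a cached hit, then an early refresh."""
    t = [1_700_000_000.0]
    cache = FalconTokenCache("https://api.eu-1.crowdstrike.com/", "placeholder-id", "placeholder-secret",
                             transport=fake_transport, clock=lambda: t[0])
    cache.get()                          # first call fetches
    t[0] += 600
    cache.get()                          # well inside the lifetime: served from cache
    after_two = cache.fetches
    t[0] += 1799 - 600 - REFRESH_SKEW    # exactly at the refresh point
    cache.get()                          # refreshed before the token actually lapses
    return {"after_two_calls": after_two, "after_three_calls": cache.fetches}


if __name__ == "__main__":
    print(demo())
```

The point of the skew is that the gateway, not the agent, owns the credential: the agent only ever sees tool output, while the cache keeps the secret and the bearer token inside the server process.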

Available tools

These tools enable threat detection and response, device management, threat hunting, and security analytics across your endpoints.

Detection & Response

Tool | Description
Query detections | Search and retrieve detections by severity, type, and time range
Get detection details | Retrieve full context for a specific detection ID
Update detection status | Mark detections as resolved, false positive, or in progress
List incidents | Retrieve security incidents with filtering and sorting
Get incident details | Fetch complete incident information including timeline

Device Management

Tool | Description
List hosts | Retrieve endpoint inventory with filters by OS, status, and group
Get host details | Fetch device configuration, health, and sensor information
Contain endpoint | Isolate a host from network communications for containment
Lift containment | Remove network isolation after remediation
Create host group | Organize endpoints into groups for policy management
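Contain endpoint and Lift containment are mirror images of one Falcon device-actions call, which is what makes the rollback drill in the Tips section below practical. The Python below is an added example, not code from this page or from CrowdStrike: it wraps the two calls in a guard that refuses to contain any host outside an approved host group (a lab group, say), records the exact lift_containment request before acting, and verifies the host status after each step. The endpoint paths are the public Falcon device endpoints; the host group ID, agent IDs (aid), hostnames and the in-memory lab transport are constructed for the offline demo, and the lab flips status immediately where the real API passes through containment_pending.

```python
"""Guarded containment with a pre-recorded rollback (added example)."""
import json
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ACTIONS_PATH = "/devices/entities/devices-actions/v2"   # contain / lift_containment
DETAILS_PATH = "/devices/entities/devices/v2"           # host status, groups, hostname

Request = Tuple[str, str, Optional[dict]]   # (method, url, json body)


def action_request(base_url: str, action: str, aids: List[str]) -> Request:
    """Device actions take action_name in the query and the agent IDs in the body."""
    url = base_url.rstrip("/") + ACTIONS_PATH + "?" + urllib.parse.urlencode({"action_name": action})
    return ("POST", url, {"ids": list(aids)})


def details_request(base_url: str, aids: List[str]) -> Request:
    url = base_url.rstrip("/") + DETAILS_PATH + "?" + urllib.parse.urlencode([("ids", a) for a in aids])
    return ("GET", url, None)


@dataclass
class ContainmentPlan:
    aid: str
    hostname: str
    contain: Request
    rollback: Request                      # the exact lift_containment call, fixed before acting
    log: List[str] = field(default_factory=list)


class ContainmentGuard:
    """Only contains hosts in an approved host group, and writes down how to undo it."""

    def __init__(self, base_url: str, transport: Callable[[str, str, Optional[dict]], dict],
                 approved_group_ids: List[str]):
        self.base_url = base_url
        self.transport = transport
        self.approved = set(approved_group_ids)

    def status(self, aid: str) -> str:
        resp = self.transport(*details_request(self.base_url, [aid]))
        return resp["resources"][0]["status"]

    def plan(self, aid: str) -> ContainmentPlan:
        resp = self.transport(*details_request(self.base_url, [aid]))
        host = resp["resources"][0]
        if not self.approved & set(host.get("groups", [])):
            raise PermissionError(f"{host.get('hostname')} ({aid}) is not in an approved group; refusing to contain")
        return ContainmentPlan(
            aid=aid, hostname=host["hostname"],
            contain=action_request(self.base_url, "contain", [aid]),
            rollback=action_request(self.base_url, "lift_containment", [aid]),
        )

    def contain(self, plan: ContainmentPlan) -> str:
        # Record the rollback before touching the host so it survives a crash mid-run.
        method, url, body = plan.rollback
        plan.log.append(f"rollback: {method} {url} {json.dumps(body)}")
        resp = self.transport(*plan.contain)
        if resp.get("errors"):
            raise RuntimeError(f"contain failed: {resp['errors']}")
        return self.status(plan.aid)

    def lift(self, plan: ContainmentPlan) -> str:
        resp = self.transport(*plan.rollback)
        if resp.get("errors"):
            raise RuntimeError(f"lift_containment failed: {resp['errors']}")
        return self.status(plan.aid)


# --- constructed lab: two hosts, only one in the approved group -----------------
LAB_GROUP = "grp-lab-0001"
LAB_HOSTS: Dict[str, dict] = {
    "aid-lab-1": {"hostname": "LAB-WIN11-01", "groups": [LAB_GROUP], "status": "normal"},
    "aid-prod-1": {"hostname": "PROD-DC-01", "groups": ["grp-prod-0001"], "status": "normal"},
}


def lab_transport(method: str, url: str, body: Optional[dict]) -> dict:
    """In-memory stand-in for the two endpoints above; no network involved."""
    parsed = urllib.parse.urlparse(url)
    query = urllib.parse.parse_qs(parsed.query)
    if method == "GET" and parsed.path == DETAILS_PATH:
        return {"resources": [dict(LAB_HOSTS[a], device_id=a) for a in query["ids"]], "errors": []}
    if method == "POST" and parsed.path == ACTIONS_PATH:
        # The real API reports containment_pending first; the lab flips state at once.
        new_status = {"contain": "contained", "lift_containment": "normal"}[query["action_name"][0]]
        for aid in body["ids"]:
            LAB_HOSTS[aid]["status"] = new_status
        return {"resources": [{"id": a} for a in body["ids"]], "errors": []}
    return {"resources": [], "errors": [{"code": 404, "message": "unknown endpoint"}]}


def run_drill(aid: str) -> Dict[str, object]:
    """Contain, verify, lift, verify: the non-production rehearsal with its rollback."""
    guard = ContainmentGuard("https://api.crowdstrike.com", lab_transport, [LAB_GROUP])
    plan = guard.plan(aid)
    after_contain = guard.contain(plan)
    after_lift = guard.lift(plan)
    return {"contained": after_contain, "restored": after_lift, "rollback_logged": bool(plan.log)}


if __name__ == "__main__":
    print(run_drill("aid-lab-1"))
```

Because plan() is the only place that decides whether a host is in scope, a read-only reporting agent can be given the same code with an empty approved list and will never be able to isolate anything.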

Threat Hunting

Tool | Description
Search detections by query | Execute advanced searches across detection data
Query file hash | Check if a file hash has been detected in your environment
Query IP address | Search for network connections to specific IPs
List IOCs | Retrieve custom indicators of compromise
Create custom IOC | Upload new file hashes, IPs, or domains for detection

Real-Time Response

Tool | Description
Initiate RTR session | Open an interactive session with an endpoint
Run command | Execute read-only forensic commands on the endpoint
Get session status | Check active RTR session status and history
Upload file | Transfer analysis tools or scripts to the endpoint
Download file | Retrieve files for forensic analysis

Prevention Policies

Tool | Description
List prevention policies | Retrieve configured endpoint protection policies
Get policy details | Fetch policy settings, exclusions, and assignments
Create prevention policy | Define a new protection configuration
Update policy settings | Modify detection sensitivity, exclusions, or controls
Assign policy to group | Apply a protection policy to host groups

Tips

  • Use minimal API scopes: only request the specific permissions your automation needs, such as detections:read for read-only threat hunting or real-time-response:write for incident response. Put read-only and write tools on separate MCP servers so a reporting agent never holds a containment, policy, or RTR scope.
  • Cache frequently accessed data such as device inventory to reduce API calls and rate-limit exposure, and cache the OAuth access token until shortly before it expires rather than requesting a new one per call.
  • Test containment actions in non-production first, with documented rollback procedures (the lift-containment call for the same host) in case you need to restore connectivity.
  • Monitor API usage to stay within the 5,000 requests/minute limit; the API reports the current budget in the X-RateLimit-Limit and X-RateLimit-Remaining response headers.
  • Implement exponential backoff with jitter for rate-limited (HTTP 429) responses, honouring any retry hint the server returns rather than retrying immediately.
  • Store API credentials in the MCP server's credential configuration, never in prompts, tool descriptions, or agent-visible context; the agent should only ever see tool results, not the client secret.
  • Rotate credentials regularly to maintain security and limit the exposure window, and rotate immediately after any suspected exposure.
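The rate-limit and backoff tips above describe one mechanism, shown here as an added Python example that is not part of this page or of CrowdStrike's tooling. It retries only on 429 and 5xx, prefers the server's own retry hint over its guess, and otherwise uses full-jitter exponential backoff so several agents sharing one tenant's budget do not retry in lock-step. Retry-After is the standard seconds header; treating Falcon's X-RateLimit-RetryAfter as an epoch reset time when it is in the future is an assumption of this example, so check the headers your region actually returns. The transport signature, the scripted replies and the query URL are constructed for the offline demo.

```python
"""Rate-limit-aware calls with exponential backoff and jitter (added example)."""
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Transport shape assumed here: (method, url) -> (status, headers, json body).
Transport = Callable[[str, str], Tuple[int, Dict[str, str], dict]]


class RateLimitExhausted(Exception):
    """Raised when the attempt budget runs out without a non-retryable answer."""


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 30.0,
                  rnd: Callable[[], float] = random.random) -> float:
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return rnd() * min(cap, base * (2 ** attempt))


def hinted_delay(headers: Dict[str, str], now: float) -> Optional[float]:
    """Prefer the server's own hint over our guess; None if it sent none."""
    if "Retry-After" in headers:                       # seconds, per RFC 9110
        return max(0.0, float(headers["Retry-After"]))
    if "X-RateLimit-RetryAfter" in headers:
        # Assumption: a value in the future is an epoch reset time, else seconds.
        value = float(headers["X-RateLimit-RetryAfter"])
        return max(0.0, value - now) if value > now else value
    return None


@dataclass
class Outcome:
    body: dict
    attempts: int
    delays: List[float] = field(default_factory=list)
    remaining: Optional[int] = None   # X-RateLimit-Remaining from the final reply


def request_with_backoff(transport: Transport, method: str, url: str, max_attempts: int = 5,
                         sleep: Callable[[float], None] = time.sleep,
                         now: Callable[[], float] = time.time,
                         rnd: Callable[[], float] = random.random) -> Outcome:
    """Retry on 429 and 5xx; return at once on anything else (other 4xx are not retried)."""
    delays: List[float] = []
    for attempt in range(max_attempts):
        status, headers, body = transport(method, url)
        if status != 429 and status < 500:
            rem = headers.get("X-RateLimit-Remaining")
            return Outcome(body, attempt + 1, delays, int(rem) if rem is not None else None)
        if attempt == max_attempts - 1:
            break
        delay = hinted_delay(headers, now())
        if delay is None:
            delay = backoff_delay(attempt, rnd=rnd)
        delays.append(delay)
        sleep(delay)
    raise RateLimitExhausted(f"{method} {url}: gave up after {max_attempts} attempts")


# --- constructed replies: two throttled answers, then success -------------------
SCRIPT = [
    (429, {"Retry-After": "2", "X-RateLimit-Remaining": "0"},
     {"errors": [{"code": 429, "message": "Too Many Requests"}]}),
    (429, {"X-RateLimit-Remaining": "0"},
     {"errors": [{"code": 429, "message": "Too Many Requests"}]}),
    (200, {"X-RateLimit-Remaining": "4997"},
     {"resources": ["ldt:aid:detection-1"], "errors": []}),
]


def scripted_transport(replies) -> Transport:
    """Return each scripted reply in turn, ignoring the request."""
    queue = list(replies)

    def transport(method: str, url: str):
        return queue.pop(0)
    return transport


def demo() -> Outcome:
    """Deterministic run: no real sleeping, clock pinned, jitter pinned to 1.0."""
    transport = scripted_transport(SCRIPT)
    return request_with_backoff(transport, "GET",
                                "https://api.crowdstrike.com/detects/queries/detects/v1?limit=100",
                                sleep=lambda s: None, now=lambda: 1_700_000_000.0, rnd=lambda: 1.0)


if __name__ == "__main__":
    out = demo()
    print(out.attempts, out.delays, out.remaining)
```

With jitter pinned to 1.0 the demo takes three attempts and waits 2.0 s (the server's hint) then 1.0 s (0.5 * 2^1); in production the second wait would be a random fraction of that bound, which is what spreads the retries out.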