
CrowdStrike Falcon Endpoint Protection MCP server

CrowdStrike Falcon Endpoint Protection is the industry-leading cloud-native platform for next-generation antivirus, endpoint detection and response (EDR), and managed threat hunting. This MCP server enables AI agents to detect threats, investigate incidents, manage device policies, and execute remediation across your endpoints.

Setting up an MCP server

This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.

Before you begin

You'll need:

  • Access to AI Gateway with permission to create MCP servers
  • API credentials for the application you're connecting (see the relevant application page for what to collect)

Create an MCP server

Find the API in the catalog

  1. Sign in to AI Gateway and select MCP Servers from the left navigation.
  2. Select New MCP Server.
  3. Search for the application you want to connect, then select it from the catalog.

Configure the server

  1. Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
  2. Enter a Description so your team knows what the server is for.
  3. Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
  4. Toggle Production mode on if this server will be used in a live workflow.
  5. Select Next.

Configure authentication

Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.

Configure security

  1. Set any Rate limits appropriate for your use case and the API's own limits.
  2. Enable Logging if you want AI Gateway to record requests and responses for auditing.
  3. Select Next.

Deploy

Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.


Connect to an AI client

Once your server is deployed, add it to the AI client your team uses. Select your client for its setup instructions.

Tips

  • You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
  • If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
  • You can edit a server's name, description, timeout, and security settings after deployment without redeploying.

Authentication

CrowdStrike Falcon uses OAuth 2.0 with the client credentials flow. Create an API client in the Falcon Console at Support > API Clients and Keys and save the Client ID and Client Secret; the secret is shown only once. Scopes are assigned to the API client in the console rather than requested at token time, so grant only the scopes the server needs: detections:read and detections:write for alert management, hosts:read and hosts:write for device control, real-time-response:read and real-time-response:write for interactive response, prevention-policies:read and prevention-policies:write for policy configuration, and incidents:read and incidents:write for incident tracking. The token endpoint is https://api.crowdstrike.com/oauth2/token; use the base URL of your cloud region instead, for example https://api.us-2.crowdstrike.com/oauth2/token for US-2 or https://api.eu-1.crowdstrike.com/oauth2/token for EU-1. Access tokens expire after 30 minutes, so cache and renew them rather than requesting a new one for every call.
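The token exchange described above, as an added example that is not code from AI Gateway or from CrowdStrike: a small Python client that posts the client credentials to the regional token endpoint, caches the bearer token, renews it a minute before its 30-minute lifetime ends, and re-authenticates once if the API rejects the token with 401. The region table and token path are the page's; the FakeFalconTransport, the credentials, the query path /detects/queries/detects/v1 and the JSON bodies are constructed for the demonstration so it runs offline. Leave transport at its default (urllib_transport) to use it against the real API.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Regional base URLs from the page; the token path is the same on each cloud.
REGION_BASE_URLS = {"us-1": "https://api.crowdstrike.com",
                    "us-2": "https://api.us-2.crowdstrike.com",
                    "eu-1": "https://api.eu-1.crowdstrike.com"}
TOKEN_PATH = "/oauth2/token"
REFRESH_MARGIN = 60  # seconds: renew before the 30-minute lifetime actually ends


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, body_bytes); 4xx/5xx are not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FalconAuth:
    def __init__(self, client_id, client_secret, region="us-1",
                 transport=urllib_transport, clock=time.time):
        self.base_url = REGION_BASE_URLS[region]
        self._creds = (client_id, client_secret)
        self._transport, self._clock = transport, clock  # injectable for offline use
        self._token, self._expires_at = None, 0.0

    def token(self):
        """Return the cached bearer token, fetching a new one when near expiry."""
        if self._token and self._clock() < self._expires_at - REFRESH_MARGIN:
            return self._token
        body = urllib.parse.urlencode({"client_id": self._creds[0],
                                       "client_secret": self._creds[1]}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "application/json"}
        status, raw = self._transport("POST", self.base_url + TOKEN_PATH, headers, body)
        if status not in (200, 201):  # Falcon answers 201 Created on success
            raise PermissionError(f"token request failed with HTTP {status}")
        data = json.loads(raw)
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data.get("expires_in", 1799))
        return self._token

    def get(self, path, params=None):
        """Authenticated GET with one transparent re-auth if the token is rejected."""
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        for attempt in (1, 2):
            headers = {"Authorization": f"Bearer {self.token()}", "Accept": "application/json"}
            status, raw = self._transport("GET", url, headers, None)
            if status == 401 and attempt == 1:
                self._token = None  # drop the cached token and retry once
                continue
            if status != 200:
                raise RuntimeError(f"GET {path} failed with HTTP {status}")
            return json.loads(raw)


class FakeFalconTransport:
    """Constructed stand-in for the Falcon API so the example runs offline."""
    def __init__(self, client_id, client_secret):
        self.valid, self.issued, self.live = (client_id, client_secret), 0, set()

    def revoke(self, token):
        self.live.discard(token)

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith(TOKEN_PATH):
            form = dict(urllib.parse.parse_qsl(body.decode()))
            if (form.get("client_id"), form.get("client_secret")) != self.valid:
                return 403, b'{"errors":[{"code":403,"message":"access denied"}]}'
            self.issued += 1
            self.live.add(f"tok{self.issued}")
            return 201, json.dumps({"access_token": f"tok{self.issued}",
                                    "expires_in": 1799, "token_type": "bearer"}).encode()
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[7:] not in self.live:
            return 401, b'{"errors":[{"code":401,"message":"invalid bearer token"}]}'
        return 200, b'{"meta":{"pagination":{"total":1}},"resources":["ldt:0123:4567"]}'


def demo():
    """Show token caching, pre-expiry renewal and the transparent 401 retry."""
    fake = FakeFalconTransport("abcdef0123", "s3cret")  # constructed credentials
    now = [1_700_000_000.0]                              # controllable clock
    auth = FalconAuth("abcdef0123", "s3cret", region="us-2",
                      transport=fake, clock=lambda: now[0])
    path = "/detects/queries/detects/v1"                 # illustrative query path
    auth.get(path, {"filter": "status:'new'", "limit": 5})
    counts = [fake.issued]           # 1: authenticated once
    auth.get(path)
    counts.append(fake.issued)       # still 1: cached token reused
    now[0] += 1799 - 30              # inside the refresh margin
    auth.get(path)
    counts.append(fake.issued)       # 2: renewed before expiry
    fake.revoke(auth.token())        # simulate server-side revocation
    auth.get(path)
    counts.append(fake.issued)       # 3: one transparent re-auth
    return counts                    # [1, 1, 2, 3]


if __name__ == "__main__":
    print(demo())
```

Note that no scope parameter is sent in the token request: the token carries exactly the scopes assigned to the API client in the console, which is why a read-only reporting server and a read-write response server should use two separate API clients rather than one shared secret.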

Available tools

These tools enable detection management, endpoint containment, threat investigation, policy enforcement, and compliance monitoring across your security infrastructure.

Detection & Threat Management

Tool                        Description
Query detections            Search detections by severity, type, time range, or affected host
Get detection details       Retrieve full context including behavioral analysis and IOC data
Update detection            Mark detection as resolved, escalate, or flag as false positive
Search process execution    Hunt for specific processes like mimikatz or PowerShell abuse
Find network connections    Query network activity for suspicious IPs or domains

Endpoint Control & Containment

Tool                        Description
List hosts                  Retrieve inventory with filters for OS, status, policy, or group
Get host details            Fetch system information, security posture, and sensor health
Contain host                Isolate endpoint from network for incident response
Lift containment            Restore network access after remediation is confirmed
Create host group           Organize endpoints for targeted policy deployment

Real-Time Response & Remediation

Tool                        Description
Start RTR session           Establish interactive shell on endpoint for forensics
Execute command             Run read-only diagnostics (process listing, file inspection)
Kill process                Terminate malicious or suspicious process
Delete file                 Remove malware or unwanted file from endpoint
Get command output          Retrieve results from remote commands

Policy & Compliance

Tool                        Description
List prevention policies    View all configured endpoint protection policies
Get policy details          Fetch settings, exclusions, sensitivity levels, and assignments
Create policy               Define new prevention configuration from template
Update policy               Modify exclusions, detection sensitivity, or control settings
Assign policy               Apply policy to host groups or individual endpoints

Tips

  • Define clear incident response workflows before using containment actions.
  • Test new response procedures on non-critical systems first.
  • Implement approval workflows for irreversible actions such as file deletion or process termination.
  • Start with read-only scopes (detections:read, hosts:read) to gather data, and add write scopes only for specific response tasks once you have validated data access.
  • Monitor policy changes to catch configurations that are accidentally over-permissive, or so restrictive that they impact user productivity.
  • Rotate API credentials every 90 days and use IP allowlisting to restrict where the MCP server can authenticate from.
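One way to enforce the scope and approval tips above in code, as an added example that is not part of the MCP server or of AI Gateway: a gate in front of the tool calls that maps each tool name from the tables above to the scope it needs, denies tools it does not know, denies calls whose scope was never granted to the API client, and routes irreversible actions through an approval callback. The tool-to-scope mapping is this example's assumption, built from the page's scope list; least_privilege_scopes turns the tool list an agent actually uses into the scope set to assign to that agent's API client, which is how you end up with a separate read-only client for reporting agents. The ticket_approver rule and the tool calls in demo are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolPolicy:
    scope: str                  # Falcon API scope the underlying call needs
    irreversible: bool = False  # cannot be undone: require human approval first


# Tool names from the page's tables mapped to the scopes from its Authentication
# section. The mapping is this example's assumption; unlisted tools are denied.
TOOL_POLICIES = {
    "Query detections": ToolPolicy("detections:read"),
    "Get detection details": ToolPolicy("detections:read"),
    "Update detection": ToolPolicy("detections:write"),
    "List hosts": ToolPolicy("hosts:read"),
    "Get host details": ToolPolicy("hosts:read"),
    "Contain host": ToolPolicy("hosts:write"),
    "Lift containment": ToolPolicy("hosts:write"),
    "Start RTR session": ToolPolicy("real-time-response:read"),
    "Execute command": ToolPolicy("real-time-response:read"),
    "Get command output": ToolPolicy("real-time-response:read"),
    "Kill process": ToolPolicy("real-time-response:write", irreversible=True),
    "Delete file": ToolPolicy("real-time-response:write", irreversible=True),
    "List prevention policies": ToolPolicy("prevention-policies:read"),
    "Get policy details": ToolPolicy("prevention-policies:read"),
    "Update policy": ToolPolicy("prevention-policies:write"),
    "Assign policy": ToolPolicy("prevention-policies:write"),
}


def least_privilege_scopes(tools):
    """Smallest scope set covering exactly the tools an agent is allowed to call."""
    missing = [t for t in tools if t not in TOOL_POLICIES]
    if missing:
        raise KeyError(f"no policy for tool(s): {missing}")
    return frozenset(TOOL_POLICIES[t].scope for t in tools)


@dataclass(frozen=True)
class Decision:
    tool: str
    allowed: bool
    reason: str


class ToolGate:
    """Policy enforcement point in front of the MCP tools.

    granted:  scopes assigned to the API client in the Falcon console.
    approver: callable(tool, args) -> bool consulted for irreversible actions;
              None means there is no approval path, so those actions are denied.
    """

    def __init__(self, granted, approver=None):
        self.granted = frozenset(granted)
        self.approver = approver
        self.audit = []  # every decision, allowed or not, for the audit trail

    def check(self, tool, args):
        policy = TOOL_POLICIES.get(tool)
        if policy is None:
            d = Decision(tool, False, "unknown tool, denied by default")
        elif policy.scope not in self.granted:
            d = Decision(tool, False, f"missing scope {policy.scope}")
        elif policy.irreversible and self.approver is None:
            d = Decision(tool, False, "irreversible action without an approval path")
        elif policy.irreversible and not self.approver(tool, args):
            d = Decision(tool, False, "approval denied")
        else:
            d = Decision(tool, True, "approved" if policy.irreversible
                         else f"scope {policy.scope} granted")
        self.audit.append((tool, dict(args), d.allowed, d.reason))
        return d


def ticket_approver(tool, args):
    """Constructed approval rule: irreversible actions need an IR ticket reference."""
    return str(args.get("ticket", "")).startswith("IR-")


def demo():
    """Constructed tool calls against a read-only gate and a responder gate."""
    reporting = ToolGate(least_privilege_scopes(["Query detections", "List hosts"]))
    responder = ToolGate(least_privilege_scopes(
        ["Start RTR session", "Contain host", "Kill process", "Delete file"]),
        approver=ticket_approver)
    calls = [
        (reporting, "Query detections", {"filter": "max_severity:>=70"}),   # allow
        (reporting, "Contain host", {"device_id": "0123456789abcdef"}),    # deny: no hosts:write
        (reporting, "Dump credentials", {}),                               # deny: unknown tool
        (responder, "Contain host", {"device_id": "0123456789abcdef"}),    # allow: reversible
        (responder, "Delete file", {"path": r"C:\Temp\dropper.exe", "ticket": "IR-1042"}),  # approved
        (responder, "Delete file", {"path": r"C:\Temp\dropper.exe"}),      # deny: no approval
        (responder, "Update policy", {"policy_id": "p1", "enabled": False}),  # deny: no policy scope
    ]
    return [gate.check(tool, args) for gate, tool, args in calls]


if __name__ == "__main__":
    for d in demo():
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {d.tool}: {d.reason}")
```

The gate fails closed on anything it has no policy for, and records denied calls as well as allowed ones, so the audit list is the record to compare against AI Gateway's request log when a workflow misbehaves. Whether "Contain host" should also require approval is a policy choice; flipping its irreversible flag is the only change needed.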