CrowdStrike Falcon LogScale MCP server
CrowdStrike Falcon LogScale (formerly Humio) is a modern log management platform providing real-time search and advanced analytics across petabytes of data without indexing delays. This MCP server enables AI agents to query security logs, create alerts, build dashboards, and investigate incidents at scale.
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, you'll need to add it to the AI client your team uses.
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Authentication
CrowdStrike Falcon LogScale uses bearer token authentication. Create an API token in LogScale under your repository settings at Settings > API Tokens. The token should have permissions for Search (to run queries), Ingest (to send data), Dashboard (to create views), Alert (to configure notifications), and Parser (to manage parsing rules). Include the token in all API requests with the header Authorization: Bearer <YOUR_TOKEN>. The base URL is typically https://cloud.humio.com or your self-hosted LogScale instance URL.
Available tools
These tools enable log search and analysis, real-time alerting, dashboard creation, and data management across your log analytics infrastructure.
Log Search & Query
| Tool | Description |
|---|---|
| Execute query | Search logs using LogScale query language with time range and filters |
| Get query results | Retrieve structured results with field extraction and aggregation |
| List saved searches | Query predefined searches for common security investigations |
| Export results | Download query results in CSV, JSON, or other formats |
Real-Time Monitoring
| Tool | Description |
|---|---|
| Stream live logs | Tail logs in real-time from specified repositories |
| Get live statistics | Monitor error rates, event counts, or custom metrics live |
| Create alert rule | Define threshold-based alerts with webhooks or notifications |
| Get alert status | Check alert configuration and recent trigger history |
Dashboard & Visualization
| Tool | Description |
|---|---|
| List dashboards | Query existing dashboards for security, ops, or executive views |
| Get dashboard data | Retrieve dashboard metrics and widget states |
| Create dashboard | Define new visualization for log data and metrics |
| Update widget | Modify dashboard widget queries or display options |
Data Management
| Tool | Description |
|---|---|
| List repositories | Query available log repositories and metadata |
| Get repository stats | Retrieve ingestion rate, retention, and storage usage |
| List parsers | Query configured parsing rules for log normalization |
| Create parser | Define custom parser for unstructured log formats |
Tips
Build focused queries with early time filters and specific field constraints to reduce data scanned and improve performance.
Use streaming queries sparingly since they consume resources; schedule critical queries as alerts instead.
Create role-based repositories to separate security, application, and infrastructure logs while maintaining performance.
Implement data retention policies aligned with compliance requirements (PCI, HIPAA, SOC 2) to manage storage costs.
Test query syntax and performance in the LogScale UI before automating via API.
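The bearer-token header from the Authentication section and the early time filter from the first tip, combined in one request builder. This is an added example, not code from the original page or from the vendor; it targets the LogScale search REST endpoint directly rather than the MCP server. The repository name, token, query, and the 7-day window cap are constructed assumptions.

```python
import json
import re
import urllib.request
from urllib.parse import quote, urlsplit

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
MAX_WINDOW_SECONDS = 7 * 86400  # local policy chosen for this example, not a LogScale limit


def build_query_request(base_url, repository, token, query_string, start="1h"):
    """Build (but do not send) a time-bounded, non-live search request."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base URL must be https so the bearer token is never sent in cleartext")
    if not token or re.search(r"\s", token):
        raise ValueError("token is empty or contains whitespace (possible header injection)")
    match = re.fullmatch(r"(\d+)([smhd])", start)
    if not match:
        raise ValueError("start must be a relative time such as 15m, 24h or 7d")
    if int(match.group(1)) * UNIT_SECONDS[match.group(2)] > MAX_WINDOW_SECONDS:
        raise ValueError("time window exceeds the local maximum")
    url = "{}/api/v1/repositories/{}/query".format(
        base_url.rstrip("/"), quote(repository, safe=""))
    body = {"queryString": query_string, "start": start, "end": "now", "isLive": False}
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")


def audit_record(request):
    """Describe the request for logging with the credential masked."""
    headers = {k: ("Bearer [REDACTED]" if k.lower() == "authorization" else v)
               for k, v in request.header_items()}
    return {"method": request.get_method(), "url": request.full_url,
            "headers": headers, "body": json.loads(request.data)}


if __name__ == "__main__":
    # Constructed values: repository name, token and query are placeholders.
    req = build_query_request("https://cloud.humio.com", "security-logs",
                              "EXAMPLE-TOKEN", "status=failure | count()", start="24h")
    print(json.dumps(audit_record(req), indent=2))
    # To send it: urllib.request.urlopen(req, timeout=30)
```

Log the output of `audit_record` rather than the request itself, so the token never lands in application logs.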
Cequence AI Gateway