CrowdStrike Falcon Identity Protection MCP server

CrowdStrike Falcon Identity Protection detects and prevents identity-based attacks, lateral movement, and privilege escalation in hybrid Active Directory environments. This MCP server enables AI agents to identify risky accounts, discover shadow admin privileges, detect credential attacks, and enforce zero trust security models.

Setting up an MCP server

This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.

Before you begin

You'll need:

• Access to AI Gateway with permission to create MCP servers
• API credentials for the application you're connecting (see the relevant application page for what to collect)

Create an MCP server

Find the API in the catalog

1. Sign in to AI Gateway and select MCP Servers from the left navigation.
2. Select New MCP Server.
3. Search for the application you want to connect, then select it from the catalog.

Configure the server

1. Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
2. Enter a Description so your team knows what the server is for.
3. Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
4. Toggle Production mode on if this server will be used in a live workflow.
5. Select Next.

Configure authentication

Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.

Configure security

1. Set any Rate limits appropriate for your use case and the API's own limits.
2. Enable Logging if you want AI Gateway to record requests and responses for auditing.
3. Select Next.

Deploy

Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.

---

Connect to an AI client

Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:

• Claude Desktop
• Claude Code
• Cursor
• VS Code
• Windsurf

Tips

• You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
• If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
• You can edit a server's name, description, timeout, and security settings after deployment without redeploying.

Authentication

CrowdStrike Falcon Identity Protection uses OAuth 2.0 client credentials authentication. Create an API client in Falcon Console at Support > API Clients and Keys and save your Client ID and Client Secret. The token URL is https://api.crowdstrike.com/oauth2/token. Request scopes based on your needs: identity-protection:read and identity-protection:write for identity management, user-management:read and user-management:write for user and group operations, zero-trust-assessment:read for risk scoring, risk-scoring:read for identity risk data, remediation:write for automated response, and audit:read for identity audit trails.

Available tools

These tools enable identity risk assessment, privilege analysis, threat detection, and remediation across your Active Directory and hybrid environments.

Identity & User Analysis

Tool	Description
List users	Query user accounts with filters for privilege level, risk, or status
Get user details	Fetch user profile, group memberships, and risk scoring
Find high-risk users	Identify accounts with excessive privileges or suspicious activity
List service accounts	Discover service and system accounts and their risk exposure

Authentication & Credential Monitoring

Tool	Description
Query authentication events	Search failed logins, Kerberos attacks, or MFA bypass attempts
Detect password spray	Identify widespread failed login attempts suggesting attack
Find compromised credentials	Query compromised account indicators and breach intel
Check MFA status	Retrieve MFA enrollment and authentication method details

Threat Detection

Tool	Description
Find lateral movement	Detect unusual credential usage or authentication paths
Detect privilege escalation	Query suspicious privilege changes or escalation patterns
Identify golden ticket usage	Find Kerberos ticket attacks and abnormal auth methods
Query anomalies	Search for unusual login locations, times, or behaviors

Privilege & Access Management

Tool	Description
Get privilege analysis	Calculate privilege usage patterns and identify over-provisioned accounts
Find domain admins	List domain administrator accounts and access paths
Detect shadow admins	Identify hidden administrative rights via group nesting or delegation
Map privilege paths	Visualize escalation paths and privilege inheritance chains

Zero Trust & Compliance

Tool	Description
Calculate identity risk score	Score user accounts based on behavior and vulnerability
Get zero trust assessment	Evaluate identity security posture against zero trust model
Check AD vulnerabilities	Identify misconfigurations, weak ACLs, or policy drift
Verify compliance	Check alignment with security policies and standards

Tips

Implement automated response for high-risk identities, such as requiring step-up authentication or enforcing MFA.

Focus on privileged accounts first — domain admins and service accounts carry the highest risk.

Use identity risk scores to prioritize which accounts to investigate or reset during incident response.

Coordinate with Active Directory teams before disabling or resetting accounts to avoid business disruption.

Schedule regular privilege reviews and shadow admin scans to identify privilege creep and drift from least-privilege principles.