CrowdStrike Threat Graph MCP server
CrowdStrike Threat Graph is a cloud-native graph database capturing and analyzing trillions of security events daily. This MCP server enables AI agents to hunt for threats, analyze attack patterns, enrich indicators with context, and correlate behaviors across your entire environment to identify sophisticated attacks.
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Authentication
CrowdStrike Threat Graph uses OAuth 2.0 client credentials authentication. Create an API client in Falcon Console at Support > API Clients and Keys and save your Client ID and Client Secret. The token URL is https://api.crowdstrike.com/oauth2/token. Request the scopes that match the tools you will use:
- threat-graph:read for querying threat data
- threat-graph:write for uploading custom intelligence
- intel:read for accessing threat intelligence
- indicators:read for IOC queries
- actors:read for threat actor profiles
- hunt:read for executing threat hunts
- hunt:write for saving hunt queries
- analytics:read for accessing analytics
- ml-models:read for using machine learning models
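The client-credentials exchange this section describes, as an added example (not Cequence's or CrowdStrike's code): it assembles the token request for the token URL above and keeps one bearer token in a cache that refreshes before expiry. The sample token response is constructed, and sending the scopes as a space-separated `scope` form field is an assumption about the token endpoint.

```python
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://api.crowdstrike.com/oauth2/token"  # token URL from the page

# Constructed sample of a token response (not real data).
SAMPLE_TOKEN_RESPONSE = json.dumps(
    {"access_token": "ey_constructed", "token_type": "bearer", "expires_in": 1799})


def build_token_request(client_id, client_secret, scopes):
    """Return (url, headers, body) for an OAuth 2.0 client-credentials grant.
    Sending scopes as a space-separated 'scope' form field is an assumption
    about the token endpoint; the page only lists which scopes to request."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return TOKEN_URL, headers, body


class TokenCache:
    """Holds one bearer token and says when it must be refreshed."""

    def __init__(self, refresh_skew=60, clock=time.time):
        self.refresh_skew = refresh_skew  # refresh this many seconds early
        self.clock = clock                # injectable so tests control time
        self.token = None
        self.expires_at = 0.0

    def needs_refresh(self):
        return self.token is None or self.clock() >= self.expires_at - self.refresh_skew

    def store(self, response_body):
        """Parse a token response and record its expiry; reject non-bearer types."""
        data = json.loads(response_body)
        if str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type: %r" % data.get("token_type"))
        self.token = data["access_token"]
        self.expires_at = self.clock() + int(data["expires_in"])

    def auth_header(self):
        """Header for API calls; refuse to hand out a token about to expire."""
        if self.needs_refresh():
            raise RuntimeError("token missing or near expiry; fetch a new one first")
        return {"Authorization": "Bearer " + self.token}
```

The Client Secret only ever appears in the form body of the token request; keep it out of the Logging output you enable under Configure security.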
Available tools
These tools enable threat intelligence enrichment, advanced hunting, behavioral analysis, and attack pattern recognition across your endpoint telemetry.
Threat Intelligence Queries
| Tool | Description |
|---|---|
| Search indicators | Query threat intelligence for malicious IPs, domains, hashes, or emails |
| Get indicator enrichment | Retrieve context including related campaigns, threat actors, and TTPs |
| Find threat actors | Search APT profiles, capabilities, and targeting patterns |
| Query IOC relationships | Analyze relationships between indicators and threat campaigns |
Advanced Threat Hunting
| Tool | Description |
|---|---|
| Execute hunt query | Run complex queries to find suspicious behaviors or patterns |
| Find process injection | Hunt for process injection, shellcode execution, or code caves |
| Detect living-off-the-land | Find abuse of legitimate tools (PowerShell, WMI, command-line) |
| Search lateral movement | Query credential usage and authentication anomalies |
Behavioral Analysis
| Tool | Description |
|---|---|
| Analyze process lineage | Query parent-child process relationships and execution chains |
| Query network connections | Search for suspicious network activity and DNS resolutions |
| Track registry changes | Hunt for persistence mechanisms and configuration tampering |
| Find file operations | Query suspicious file creation, modification, or deletion patterns |
Graph Analytics
| Tool | Description |
|---|---|
| Build attack timeline | Reconstruct attack sequence and progression |
| Analyze entity relationships | Visualize connections between processes, files, users, and network entities |
| Cluster similar activity | Group related events to identify attack patterns or campaigns |
| Map kill chain | Link indicators to MITRE ATT&CK tactics and techniques |
Threat Context & Enrichment
| Tool | Description |
|---|---|
| Enrich file hash | Get reputation, relationships, and threat actor associations |
| Score anomalies | Calculate behavior scores to assess threat severity |
| Predict attack likelihood | Use ML models to estimate exploitation probability |
| Link to campaigns | Connect indicators and behaviors to known threat campaigns |
Tips
- Use GraphQL queries for complex multi-hop searches across the threat graph rather than chaining simple REST calls.
- Cache threat intelligence for common queries to reduce API load and latency during time-sensitive investigations.
- Start hunt queries with specific time ranges to bound the dataset scanned, and avoid broader queries that consume more resources than necessary.
- Combine multiple data sources — process execution, network connections, and file operations — to build high-confidence threat hypotheses.
- Classify and restrict access to threat intelligence data appropriately; sensitive information like zero-days or custom IOCs should be limited to authorized analysts.
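Two of the tips above, bounded hunt time ranges and caching of common intelligence queries, as an added example (not the gateway's or CrowdStrike's code): the seven-day maximum window is an assumed local policy, and `fetch` stands in for whatever performs the real indicator lookup.

```python
import time
from datetime import timedelta

# Assumed local policy limit (not a CrowdStrike value): reject hunts wider than this.
MAX_HUNT_WINDOW = timedelta(days=7)


def bound_hunt_window(start, end, max_window=MAX_HUNT_WINDOW):
    """Validate a hunt's time range before any query is sent.
    Returns ISO-8601 bounds to attach to the query; raises ValueError for
    naive, inverted or oversized windows so open-ended scans never reach the API."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("hunt bounds must be timezone-aware")
    if end <= start:
        raise ValueError("hunt end must be after start")
    if end - start > max_window:
        raise ValueError("hunt window exceeds policy maximum of %s" % max_window)
    return {"start": start.isoformat(), "end": end.isoformat()}


class IndicatorCache:
    """TTL cache in front of an indicator-enrichment lookup.
    fetch(kind, value) performs the real call (a constructed stand-in in the
    test); clock is injectable so expiry can be tested without waiting."""

    def __init__(self, fetch, ttl_seconds=300, clock=time.time):
        self.fetch = fetch
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}  # (kind, normalised value) -> (expires_at, result)

    def get(self, kind, value):
        key = (kind, value.strip().lower())  # "Evil.Example " and "evil.example" share a hit
        hit = self._entries.get(key)
        if hit is not None and hit[0] > self.clock():
            return hit[1]
        result = self.fetch(*key)
        self._entries[key] = (self.clock() + self.ttl, result)
        return result

    def size(self):
        return len(self._entries)
```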
Cequence AI Gateway