CrowdStrike Falcon MCP server
Triage detections, contain hosts, and query Falcon intel across CrowdStrike's EDR and XDR modules.
About
Connect Tracecat to CrowdStrike Falcon to triage detections and contain hosts from agents working alongside SOC analysts and incident responders. You can pick up a Falcon detection, pivot to the affected host, and run Real Time Response commands the same way an analyst would in the console. From there, agents can look up the related threat actor in CrowdStrike intel, query NGSIEM with CQL, and pull Spotlight or Identity Protection signals so a single connection covers endpoint, cloud, and identity investigations.
Setup
1. Create an API client
   The Falcon MCP server authenticates with a Falcon API client ID and secret. Create the client in the Falcon console under API Clients and Keys and grant it only the scopes for the Falcon modules the agent will use. The Real Time Response and host containment scopes let the agent run commands on and isolate endpoints, so treat the client secret as a privileged credential and stay with read-only scopes where triage alone is needed.
2. Select the CrowdStrike Falcon tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the CrowdStrike Falcon tile, and paste the API client credentials (client ID and secret).
3. Enable CrowdStrike Falcon in your agent
   In your ai.agent action or the Agents → tools tab, select CrowdStrike Falcon from the MCP integrations dropdown.
Tools
| Tool | Description |
|---|---|
| detections | List, search, and update Falcon detections to drive alert triage. |
| hosts | Query host inventory, look up host details, and run containment actions. |
| real_time_response | Execute Real Time Response commands on Falcon-managed endpoints. |
| intel | Look up threat actors, indicators, and CrowdStrike intel reports. |
| spotlight | Retrieve Spotlight vulnerability findings and remediation status for assets. |
| ioc | Create, update, and remove custom indicators of compromise. |
| ngsiem | Run CQL queries against CrowdStrike NGSIEM data. |
| identity_protection | Investigate identity entities and risk signals from Falcon Identity Protection. |
| cloud_security | Pull CSPM findings, image vulnerabilities, and Kubernetes posture data. |
| custom_ioa | Manage behavioral Indicators of Attack rules across Falcon prevention policies. |