CrowdStrike Falcon MCP server
Triage detections, contain hosts, and query Falcon intel across CrowdStrike's EDR and XDR modules.
About
Connect Tracecat to CrowdStrike Falcon to triage detections and contain hosts from agents working alongside SOC analysts and incident responders. You can pick up a Falcon detection, pivot to the affected host, and run Real Time Response commands the same way an analyst would in the console. From there, agents can look up the related threat actor in CrowdStrike intel, query NGSIEM with CQL, and pull Spotlight or Identity Protection signals so a single connection covers endpoint, cloud, and identity investigations.
Setup
1. Create an API key
   The Falcon MCP server authenticates with a Falcon API client ID and secret. Credentials are issued from the Falcon console under API Clients and Keys and scoped to the specific Falcon modules the agent needs.
2. Select the CrowdStrike Falcon tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the CrowdStrike Falcon tile, and paste your API key.
3. Enable CrowdStrike Falcon in your agent
   In your ai.agent action or Agents → tools tab, select CrowdStrike Falcon from the MCP integrations dropdown.
Tools
falcon_search_detections: Search Falcon detections for alert triage.
falcon_get_detection_details: Retrieve details for specific Falcon detections.
falcon_search_hosts: Search Falcon host inventory.
falcon_get_host_details: Retrieve host details for selected device IDs.
falcon_init_session: Start a Real Time Response session.
falcon_execute_read_only_command: Run a read-only Real Time Response command.
falcon_check_command_status: Check Real Time Response command status.
falcon_get_session_details: Retrieve Real Time Response session details.
falcon_list_session_files: List files available in a Real Time Response session.
falcon_pulse_session: Keep a Real Time Response session active.
falcon_search_sessions: Search Real Time Response sessions.
falcon_delete_session: Delete a Real Time Response session.
falcon_query_actor_entities: Retrieve CrowdStrike intel actor entities.
falcon_query_indicator_entities: Retrieve CrowdStrike intel indicator entities.
falcon_query_report_entities: Retrieve CrowdStrike intel report entities.
falcon_get_mitre_report: Retrieve a MITRE report from CrowdStrike intel.
falcon_search_iocs: Search custom indicators of compromise.
falcon_add_ioc: Add a custom indicator of compromise.
falcon_remove_iocs: Remove custom indicators of compromise.
falcon_search_ngsiem: Run searches against CrowdStrike NGSIEM.
falcon_search_vulnerabilities: Search Spotlight vulnerability findings.
falcon_investigate_entity: Investigate an Identity Protection entity.
falcon_search_cspm_assets: Search Cloud Security Posture Management assets.
falcon_search_cspm_suppression_rules: Search CSPM suppression rules.
falcon_create_cspm_suppression_rule: Create a CSPM suppression rule.
falcon_delete_cspm_suppression_rules: Delete CSPM suppression rules.
falcon_search_images_vulnerabilities: Search container image vulnerabilities.
falcon_search_iom_findings: Search Indicators of Misconfiguration findings.
falcon_search_kubernetes_containers: Search Kubernetes containers.
falcon_count_kubernetes_containers: Count Kubernetes containers.
falcon_search_serverless_vulnerabilities: Search serverless vulnerability findings.
falcon_create_ioa_rule: Create a custom IOA rule.
falcon_update_ioa_rule: Update a custom IOA rule.
falcon_delete_ioa_rules: Delete custom IOA rules.
falcon_create_ioa_rule_group: Create a custom IOA rule group.
falcon_update_ioa_rule_group: Update a custom IOA rule group.
falcon_delete_ioa_rule_groups: Delete custom IOA rule groups.
falcon_search_ioa_rule_groups: Search custom IOA rule groups.
falcon_get_ioa_platforms: List supported custom IOA platforms.
falcon_get_ioa_rule_types: List supported custom IOA rule types.
falcon_search_applications: Search discovered applications.
falcon_search_unmanaged_assets: Search unmanaged assets.
falcon_create_firewall_rule_group: Create a firewall rule group.
falcon_delete_firewall_rule_groups: Delete firewall rule groups.
falcon_search_firewall_policy_rules: Search firewall policy rules.
falcon_search_firewall_rule_groups: Search firewall rule groups.
falcon_search_firewall_rules: Search firewall rules.
falcon_create_case: Create a Falcon case.
falcon_update_case: Update a Falcon case.
falcon_search_cases: Search Falcon cases.
falcon_get_cases: Retrieve Falcon cases.
falcon_list_case_templates: List case templates.
falcon_manage_case_tags: Manage case tags.
falcon_add_case_alert_evidence: Add alert evidence to a case.
falcon_add_case_event_evidence: Add event evidence to a case.
falcon_search_scheduled_reports: Search scheduled reports.
falcon_search_report_executions: Search report executions.
falcon_launch_scheduled_report: Launch a scheduled report.
falcon_download_report_execution: Download a report execution.
falcon_search_sensor_usage: Search sensor usage records.
falcon_search_shield_alerts: Search Falcon Shield alerts.
falcon_search_shield_apps: Search Falcon Shield apps.
falcon_search_shield_checks: Search Falcon Shield checks.
falcon_search_shield_data_shares: Search Falcon Shield data shares.
falcon_search_shield_devices: Search Falcon Shield devices.
falcon_search_shield_users: Search Falcon Shield users.
falcon_get_shield_activity_monitor: Retrieve Falcon Shield activity monitor data.
falcon_get_shield_app_users: Retrieve Falcon Shield app users.
falcon_get_shield_check_affected_entities: Retrieve affected entities for a Shield check.
falcon_get_shield_check_compliance: Retrieve compliance data for a Shield check.
falcon_get_shield_integrations: Retrieve Falcon Shield integrations.
falcon_get_shield_posture_metrics: Retrieve Falcon Shield posture metrics.
falcon_get_shield_supported_saas: Retrieve supported SaaS apps for Falcon Shield.
falcon_get_shield_system_logs: Retrieve Falcon Shield system logs.
falcon_get_shield_system_users: Retrieve Falcon Shield system users.
falcon_dismiss_shield_check: Dismiss a Falcon Shield check.