[Feature Request]: Data Protection module (Endpoint Data Discovery scan runs, hosts, findings, events)

[fxlequere]

Summary

Add support for the Falcon Data Protection module in falcon-mcp, covering Endpoint Data Discovery (EDD) scans and Data Protection events/findings.

Context

As of v0.10.0 (released 2026-05-18), falcon-mcp exposes modules for detections, incidents, hosts, spotlight, intel, idp, ngsiem, ioc, firewall, custom-ioa, flight-control, cspm, case-management, and falcon-shield. The Data Protection module is currently not exposed.

This makes any automation use case around Falcon Data Protection (DLP, EDD) impossible via the MCP, while it is the natural place for such use cases (sensitive data discovery, content classification, browser-based egress monitoring).

Use case

The MCP would be the natural integration point to:

• Query scan runs status and progress
• Retrieve EDD findings (classified files at rest) and pivot to host context
• Inspect Data Protection events (data-in-motion: uploads, pastes, web egress) and correlate them with EDR detections already exposed by the MCP
• Automate evidence collection during investigations
• Feed data into external SIEMs and detection-as-code pipelines

Today, this can only be done manually via the Falcon console UI.

Suggested scope

A new data-protection module exposing at least:

• falcon_search_scan_runs (with FQL filters)
• falcon_get_scan_run_details (by ID, including counts: targeted/completed/in_progress/pending/partial/failed hosts, classified files)
• falcon_search_scan_hosts (filter by scan_run_id, status, hostname)
• falcon_get_scan_host_details (by ID, including classified_files, scanned_files, failed_files, status_details)
• falcon_search_data_protection_events (data-in-motion events with policy/classification context)
• falcon_get_data_protection_finding_details (by ID)
• falcon_search_classifications and falcon_get_classification_details
• falcon_search_policies (data-protection type) and falcon_get_policy_details

API gap

At the time of writing, the official public Data Protection APIs (documented under /data-protection/entities/...) only cover configuration management (policies, classifications, content patterns, labels, applications). No public endpoints are documented for scan runs, scan hosts, findings or Data Protection events.

Related

• Official Data Protection APIs doc (configuration only)

Thank you!

[carlosmmatos]

Thanks for the detailed write-up. We spent some time researching the API landscape here and wanted to share what we found before building anything.

DLP detections already work today

Data-in-motion events (USB copies, web uploads, clipboard egress) flow through the unified Alerts API. The existing falcon_search_detections tool picks these up when you filter with product:'data-protection' — full detection records come back with destination context, matched classifications, user info, response actions, and MITRE mappings. So that part of the request is actually covered already.

EDD scan results live in NGSIEM

This one surprised us. Classified file results from EDD scans are queryable via CQL through our search_ngsiem tool. The event type is Event_DataProtectionClassifiedFileEvent and it includes scan run IDs, profile names, file paths, matched classifications, content patterns, and sensitivity labels. Not a dedicated REST endpoint, but the data is there and queryable.

Configuration APIs are solid

FalconPy's DataProtectionConfiguration class has query + get operations for classifications, policies, content patterns, cloud apps, sensitivity labels, web locations, and enterprise accounts.

The actual gap

No dedicated REST API exists for querying EDD scan runs, scan hosts, or classified file findings outside of NGSIEM. The ODS (On-Demand Scan) APIs handle malware scanning, not data classification — those are different products despite the similar scan run/host structure.

Here's what we're thinking

A data-protection module with three read-only tools:

• falcon_search_classifications — search/retrieve classification configs
• falcon_search_data_protection_policies — search/retrieve policy configs (per platform)
• falcon_search_content_patterns — search/retrieve content pattern definitions

The value here is giving the LLM context about what DLP rules exist, so it can make sense of detections it's already seeing through falcon_search_detections and NGSIEM queries.

We're checking with the Data Protection team on whether there are plans to expose EDD scan data via REST API or if NGSIEM is the intended programmatic path. Will update this issue as we hear back.

[carlosmmatos]

Got an answer from the Data Protection engineering team and it lines up with what we found.

The team confirmed the public API surface is just Policy Config and Alerts/Detections. For raw event export, the supported path is FDR. There's no API for data-at-rest at the moment, and the NGSIEM event list we shared is the complete set of publicly available events — DataProtectionClassifiedFileEvent is the one for EDD scan results.

So the plan we sketched out earlier holds:

• DLP detections — already work today via falcon_search_detections with product:'data-protection'
• EDD scan results — NGSIEM through search_ngsiem, no REST API on the roadmap
• Configuration — that's the gap, and that's where we'll add tools

Going to build a data-protection module with three read-only tools: falcon_search_classifications, falcon_search_data_protection_policies, falcon_search_content_patterns. The idea is to give the LLM a way to see what DLP rules exist so it can make sense of the detections it's already pulling. PR to follow.