[Feature Request]: Add Policies module #400

@carlosmmatos

Description

Add a unified policies module to falcon-mcp covering all 6 Falcon policy types (prevention, sensor_update, firewall, device_control, response, content_update) through a policy_type discriminator parameter.

Tools (8)

  • falcon_search_policies — search policies by type + FQL filter
  • falcon_get_policy_details — get policy by ID(s)
  • falcon_search_policy_members — list hosts assigned to a policy
  • falcon_create_policy — create a new policy
  • falcon_update_policy — update policy settings/name
  • falcon_delete_policies — delete policies by ID
  • falcon_perform_policy_action — enable/disable/add-host-group
  • falcon_set_policy_precedence — set policy priority order

Resources (1)

  • FQL guide resource for policy search filters

FQL Filter Fields

name, platform_name, enabled, created_by, created_timestamp, modified_by, modified_timestamp, precedence

Scopes

  • Prevention Policies:read/write
  • Sensor Update Policies:read/write
  • Firewall Policies:read/write
  • Device Control Policies:read/write
  • Response Policies:read/write
  • Content Update Policy:read/write

Design Decisions

  • Unified module (not distributed to domain modules) — all 6 types share identical API patterns, FQL filter fields, and response structures
  • One tool with a policy_type param is simpler for LLMs than 6 differently-named tools
  • Existing firewall module covers rules/rule_groups (what's inside policies). This module covers policies themselves (host assignment, precedence, enabled/disabled) — different abstraction layer, no overlap
  • Policy dispatcher pattern: one tool → 6 service classes routed via dict mapping

Risk Areas

  • reveal_uninstall_token (SensorUpdatePolicy) must NOT be exposed without explicit ask
  • FQL filter fields inferred from SDK sort enums — validate against live API during integration testing
  • FalconPy SDK fully covers all endpoints including ContentUpdatePolicies
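As an added illustration (not falcon-mcp's own code and not FalconPy), the dispatcher pattern from Design Decisions together with the two risk areas above: one entry point validates policy_type against the six names, routes to a per-type handler class through a dict, rejects FQL filter fields outside the listed set, and refuses reveal_uninstall_token unless the caller opts in explicitly. The handler classes, PolicyRecord, build_demo_dispatcher and the sample records are assumed stand-ins that never reach the Falcon API.

```python
"""Policy dispatcher sketch for a unified policies tool.

Added illustration only: not falcon-mcp or FalconPy code. Handler classes are
assumed stand-ins serving constructed sample records instead of API responses.
"""
import re
from dataclasses import dataclass

# The six policy types named in the issue; the discriminator is validated against this once.
POLICY_TYPES = ("prevention", "sensor_update", "firewall",
                "device_control", "response", "content_update")

# FQL filter fields the issue lists as shared by every policy type.
ALLOWED_FQL_FIELDS = {"name", "platform_name", "enabled", "created_by", "created_timestamp",
                      "modified_by", "modified_timestamp", "precedence"}

# (policy_type, action) pairs the generic tool refuses unless the caller opts in explicitly.
SENSITIVE_ACTIONS = {("sensor_update", "reveal_uninstall_token")}


class PolicyTypeError(ValueError):
    """Raised when policy_type is not one of POLICY_TYPES."""


def parse_fql(fql: str) -> list[tuple[str, str]]:
    """Split a simple FQL string (field:value clauses joined by '+') into pairs.

    Any field outside ALLOWED_FQL_FIELDS is rejected, so callers cannot probe fields
    the tool never documented. Only the small FQL subset needed here is handled.
    """
    pairs = []
    for clause in filter(None, (c.strip() for c in (fql or "").split("+"))):
        field_name, sep, value = clause.partition(":")
        if not sep:
            raise ValueError(f"malformed FQL clause: {clause!r}")
        field_name = field_name.strip()
        if field_name not in ALLOWED_FQL_FIELDS:
            raise ValueError(f"unsupported FQL field: {field_name!r}")
        pairs.append((field_name, value.strip().strip("'\"")))
    return pairs


@dataclass
class PolicyRecord:
    """Constructed stand-in for a policy object returned by the API."""
    id: str
    name: str
    platform_name: str
    enabled: bool
    precedence: int


class BasePolicyHandler:
    """Per-type service class (assumed shape); search, details and actions share one pattern."""
    actions = ("enable", "disable")

    def __init__(self, records: list[PolicyRecord]):
        self._records = {r.id: r for r in records}

    def search(self, fql: str) -> list[str]:
        wanted = parse_fql(fql)  # validates fields before anything is evaluated
        return [r.id for r in self._records.values()
                if all(str(getattr(r, f)).lower() == v.lower() for f, v in wanted)]

    def details(self, ids: list[str]) -> list[PolicyRecord]:
        return [self._records[i] for i in ids if i in self._records]

    def perform_action(self, action: str, ids: list[str]) -> list[str]:
        if action not in self.actions:
            raise ValueError(f"unsupported action {action!r}")
        for r in self.details(ids):
            r.enabled = action == "enable"
        return ids


class SensorUpdateHandler(BasePolicyHandler):
    """Adds the one action that must stay gated behind an explicit request."""
    actions = BasePolicyHandler.actions + ("reveal_uninstall_token",)

    def perform_action(self, action: str, ids: list[str]) -> list[str]:
        if action == "reveal_uninstall_token":
            return [f"<uninstall-token-for-{i}>" for i in ids]  # constructed placeholder
        return super().perform_action(action, ids)


class PolicyDispatcher:
    """One tool entry point routed to six handlers through a dict mapping."""

    def __init__(self, handlers: dict[str, BasePolicyHandler]):
        unknown = set(handlers) - set(POLICY_TYPES)
        if unknown:
            raise PolicyTypeError(f"unknown policy types: {sorted(unknown)}")
        self._handlers = handlers

    def _route(self, policy_type: str) -> BasePolicyHandler:
        if policy_type not in self._handlers:
            raise PolicyTypeError(f"policy_type must be one of {POLICY_TYPES}, got {policy_type!r}")
        return self._handlers[policy_type]

    def search_policies(self, policy_type: str, fql: str = "") -> list[str]:
        return self._route(policy_type).search(fql)

    def get_policy_details(self, policy_type: str, ids: list[str]) -> list[PolicyRecord]:
        return self._route(policy_type).details(ids)

    def perform_policy_action(self, policy_type: str, action: str, ids: list[str],
                              *, explicit_sensitive: bool = False) -> list[str]:
        # The gate lives in the dispatcher, so no handler can expose the action by accident.
        if (policy_type, action) in SENSITIVE_ACTIONS and not explicit_sensitive:
            raise PermissionError(f"{action} on {policy_type} requires explicit_sensitive=True")
        return self._route(policy_type).perform_action(action, ids)


def build_demo_dispatcher() -> PolicyDispatcher:
    """Wire all six types with constructed sample records (assumed data, not from the API)."""
    def sample(prefix: str) -> list[PolicyRecord]:
        return [PolicyRecord(f"{prefix}-1", f"{prefix} default", "Windows", True, 1)]
    handlers = {t: BasePolicyHandler(sample(t)) for t in POLICY_TYPES}
    handlers["prevention"] = BasePolicyHandler(
        sample("prevention") + [PolicyRecord("prevention-2", "prevention strict", "Linux", False, 2)])
    handlers["sensor_update"] = SensorUpdateHandler(sample("sensor_update"))
    return PolicyDispatcher(handlers)
```

The sensitive gate is checked in the dispatcher rather than in the sensor_update handler so that adding a seventh handler, or refactoring a handler, cannot silently route the token-reveal action through the generic falcon_perform_policy_action surface.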

Dependencies

Split from #395.
