Overview

Joshua Hiller edited this page May 15, 2026 · 3 revisions

The Falcon MCP Server provides the following modules. Each module requires the CrowdStrike API scopes listed below, so the API client the server authenticates with needs at least the union of the scopes for the modules you enable. Modules that create or change configuration (Custom IOA, Firewall Management, IOC, NGSIEM, and the Identity Protection GraphQL scope) need WRITE scopes; grant those only when the corresponding module is actually in use.

| Module | API Scopes | Description |
|---|---|---|
| Cloud Security | Cloud Security API Assets: READ, Falcon Container Image: READ | Find and analyze Kubernetes containers, container image vulnerabilities, and CSPM cloud asset inventory. |
| Custom IOA | Custom IOA Rules: READ, Custom IOA Rules: WRITE | Create and manage Custom IOA behavioral detection rules and rule groups. |
| Detections | Alerts: READ | Find and analyze detections to understand malicious activity in your environment. |
| Discover | Assets: READ | Search and analyze application inventory and unmanaged assets across your environment. |
| Firewall Management | Firewall Management: READ, Firewall Management: WRITE | Search and manage Falcon firewall rules and rule groups. |
| Hosts | Hosts: READ | Manage and query host/device information across your CrowdStrike environment. |
| Identity Protection | Identity Protection Assessment: READ, Identity Protection Detections: READ, Identity Protection Entities: READ, Identity Protection Timeline: READ, Identity Protection GraphQL: WRITE | Comprehensive entity investigation and identity protection analysis. |
| Incidents | Incidents: READ | Analyze security incidents, behaviors, and coordinated activities. |
| Intel | Actors (Falcon Intelligence): READ, Indicators (Falcon Intelligence): READ, Reports (Falcon Intelligence): READ | Research threat actors, IOCs, and intelligence reports. |
| IOC | IOC Management: READ, IOC Management: WRITE | Search, create, and remove custom indicators of compromise. |
| NGSIEM | NGSIEM: READ, NGSIEM: WRITE | Execute CQL queries against CrowdStrike Next-Gen SIEM. |
| Scheduled Reports | Scheduled Reports: READ | Manage scheduled reports and searches, run on demand, and download results. |
| Sensor Usage | Sensor Usage: READ | Access and analyze sensor usage data. |
| Serverless | Falcon Container Image: READ | Search for vulnerabilities in serverless functions across cloud providers. |
| Spotlight | Vulnerabilities: READ | Manage and analyze vulnerability data and security assessments. |
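The table above is what you need to scope the API client with least privilege: enable only the modules you use, grant only the union of their scopes, and treat the WRITE scopes as a separate decision. The following helper computes that union from the table and diffs it against the scopes an existing API client already holds. It is an added example for this page, not code from the falcon-mcp project; the module table is transcribed from the list above, and the chosen module set and the "granted" scope list in the usage block are hypothetical inputs.

```python
"""Least-privilege scope planning for a set of Falcon MCP Server modules.

Added example (not falcon-mcp project code). MODULE_SCOPES is transcribed
from the module/scope table on this page; the module selection and the
'granted' scope list in __main__ are hypothetical inputs.
"""
from __future__ import annotations

from typing import Iterable

# Module -> API scopes required by that module, as listed on this page.
MODULE_SCOPES: dict[str, frozenset[str]] = {
    "Cloud Security": frozenset({"Cloud Security API Assets: READ",
                                 "Falcon Container Image: READ"}),
    "Custom IOA": frozenset({"Custom IOA Rules: READ", "Custom IOA Rules: WRITE"}),
    "Detections": frozenset({"Alerts: READ"}),
    "Discover": frozenset({"Assets: READ"}),
    "Firewall Management": frozenset({"Firewall Management: READ",
                                      "Firewall Management: WRITE"}),
    "Hosts": frozenset({"Hosts: READ"}),
    "Identity Protection": frozenset({
        "Identity Protection Assessment: READ",
        "Identity Protection Detections: READ",
        "Identity Protection Entities: READ",
        "Identity Protection Timeline: READ",
        "Identity Protection GraphQL: WRITE",
    }),
    "Incidents": frozenset({"Incidents: READ"}),
    "Intel": frozenset({
        "Actors (Falcon Intelligence): READ",
        "Indicators (Falcon Intelligence): READ",
        "Reports (Falcon Intelligence): READ",
    }),
    "IOC": frozenset({"IOC Management: READ", "IOC Management: WRITE"}),
    "NGSIEM": frozenset({"NGSIEM: READ", "NGSIEM: WRITE"}),
    "Scheduled Reports": frozenset({"Scheduled Reports: READ"}),
    "Sensor Usage": frozenset({"Sensor Usage: READ"}),
    "Serverless": frozenset({"Falcon Container Image: READ"}),
    "Spotlight": frozenset({"Vulnerabilities: READ"}),
}


def required_scopes(modules: Iterable[str]) -> frozenset[str]:
    """Union of the scopes the given modules need; unknown module names raise."""
    wanted = set(modules)
    unknown = wanted - set(MODULE_SCOPES)
    if unknown:
        raise ValueError(f"unknown module(s): {sorted(unknown)}")
    out: set[str] = set()
    for name in wanted:
        out |= MODULE_SCOPES[name]
    return frozenset(out)


def write_scopes(scopes: Iterable[str]) -> frozenset[str]:
    """The subset of scopes that let the server change tenant state."""
    return frozenset(s for s in scopes if s.endswith(": WRITE"))


def modules_needing_write() -> frozenset[str]:
    """Modules whose scope set includes at least one WRITE scope."""
    return frozenset(m for m, s in MODULE_SCOPES.items() if write_scopes(s))


def excess_scopes(granted: Iterable[str], modules: Iterable[str]) -> frozenset[str]:
    """Scopes an existing API client holds that no enabled module needs."""
    return frozenset(granted) - required_scopes(modules)


def missing_scopes(granted: Iterable[str], modules: Iterable[str]) -> frozenset[str]:
    """Scopes an enabled module needs that the API client does not hold."""
    return required_scopes(modules) - frozenset(granted)


if __name__ == "__main__":
    # Hypothetical read-only investigation deployment and a hypothetical
    # pre-existing API client that was scoped more generously than needed.
    enabled = {"Detections", "Hosts", "Spotlight"}
    granted = {"Alerts: READ", "Hosts: READ", "Vulnerabilities: READ",
               "IOC Management: WRITE"}
    print("required:", sorted(required_scopes(enabled)))
    print("write scopes in plan:", sorted(write_scopes(required_scopes(enabled))))
    print("excess on client:", sorted(excess_scopes(granted, enabled)))
    print("missing on client:", sorted(missing_scopes(granted, enabled)))
    print("modules that need WRITE:", sorted(modules_needing_write()))
```

Run it after deciding which modules to enable; anything reported as excess is a scope to strip from the API client before handing it to an LLM-driven tool, and anything reported as missing is a module that will fail at runtime rather than a reason to grant a broader scope.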
