Investigate CrowdStrike Falcon alerts and telemetry through falcon-mcp
Use falcon-mcp when an agent needs CrowdStrike Falcon detections, incidents, behaviors, threat intel, or read-only response context to triage a security event without leaving an MCP workflow.
Prerequisites
Python 3.10+ with uv or pip; CrowdStrike Falcon API credentials with the scopes required for the enabled modules; an MCP-compatible client such as Claude Code, Claude Desktop, Cursor, or OpenClaw.
Installation
Use the upstream install or setup path that matches your environment:
- uv tool install falcon-mcp
- pip install falcon-mcp
- docker pull quay.io/crowdstrike/falcon-mcp:latest
- docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest
Requirements and caveats from upstream:
Basic usage or getting-started notes:
- Sensor Usage: Access and analyze sensor usage data
- Using uv (recommended)
Extracted from upstream docs: https://raw.githubusercontent.com/CrowdStrike/falcon-mcp/HEAD/README.md
Quality
deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 8 github stars · SKILL.md body (1,539 chars)