Module Overview
The Falcon MCP Server provides the following modules. Each module requires specific CrowdStrike API scopes.
| Module | API Scopes | Description |
|---|---|---|
| Case Management | Case Templates: READ, Cases: READ, Cases: WRITE | Managing CrowdStrike cases, including searching, creating, updating, and managing evidence and tags |
| Cloud Security | Cloud Security API Assets: READ, Cloud Security API Detections: READ, Cloud Security Policies: READ, Falcon Container Image: READ, Cloud Security Policies: WRITE | Accessing and analyzing CrowdStrike Falcon cloud resources such as Kubernetes and container inventory, image vulnerabilities, and cloud assets |
| Correlation Rules | Correlation Rules: READ, Correlation Rules: WRITE | Accessing and managing CrowdStrike Falcon correlation rules |
| Custom IOA | Custom IOA Rules: READ, Custom IOA Rules: WRITE | Searching, creating, updating, and deleting Custom IOA (Indicators of Attack) behavioral rules and rule groups using Falcon Custom IOA Service Collection endpoints |
| Detections | Alerts: READ | Accessing and analyzing CrowdStrike Falcon detections |
| Discover | Assets: READ | Accessing and managing CrowdStrike Falcon Discover applications and unmanaged assets |
| Firewall Management | Firewall Management: READ, Firewall Management: WRITE | Searching and managing firewall rules and rule groups |
| Hosts | Hosts: READ | Accessing and managing CrowdStrike Falcon hosts/devices |
| Identity Protection | Identity Protection Assessment: READ, Identity Protection Detections: READ, Identity Protection Entities: READ, Identity Protection Timeline: READ, Identity Protection GraphQL: WRITE | Accessing and managing CrowdStrike Falcon Identity Protection capabilities |
| Intel | Actors (Falcon Intelligence): READ, Indicators (Falcon Intelligence): READ, Reports (Falcon Intelligence): READ | Accessing and analyzing CrowdStrike Falcon intelligence data |
| IOC | IOC Management: READ, IOC Management: WRITE | Searching, creating, and deleting custom IOCs using Falcon IOC Service Collection endpoints |
| NGSIEM | NGSIEM: READ, NGSIEM: WRITE | Running search queries against CrowdStrike’s Next-Gen SIEM via the asynchronous job-based search API |
| Quarantine | Quarantined Files: READ, Quarantined Files: WRITE | Investigating quarantined files and applying quarantine actions during triage and remediation workflows |
| Real Time Response | Real time response: READ, real-time-response-audit: READ, Real time response: WRITE | Initiating and inspecting RTR sessions and executing read-only RTR commands during host investigations |
| Scheduled Reports | Scheduled Reports: READ | Accessing and managing CrowdStrike Falcon scheduled reports and scheduled searches |
| Sensor Usage | Sensor Usage: READ | Accessing CrowdStrike Falcon sensor usage data |
| Serverless | Falcon Container Image: READ | Accessing and managing CrowdStrike Falcon Serverless Vulnerabilities |
| Shield | SaaS Security: READ, SaaS Security: WRITE | Accessing and managing CrowdStrike Falcon Shield SaaS security data |
| Spotlight | Vulnerabilities: READ | Accessing and managing CrowdStrike Falcon Spotlight vulnerabilities |