
Module Overview

The Falcon MCP Server provides the following modules. Each module requires specific CrowdStrike API scopes; the API client used by the server needs the union of the scopes for every module you enable, and nothing more.

| Module | API Scopes | Description |
|---|---|---|
| Case Management | Case Templates: READ, Cases: READ, Cases: WRITE | Managing CrowdStrike cases, including searching, creating, updating, and managing evidence and tags |
| Cloud Security | Cloud Security API Assets: READ, Cloud Security API Detections: READ, Cloud Security Policies: READ, Falcon Container Image: READ, Cloud Security Policies: WRITE | Accessing and analyzing CrowdStrike Falcon cloud resources such as Kubernetes and container inventory, image vulnerabilities, and cloud assets |
| Correlation Rules | Correlation Rules: READ, Correlation Rules: WRITE | Managing Correlation Rules for CrowdStrike Falcon |
| Custom IOA | Custom IOA Rules: READ, Custom IOA Rules: WRITE | Searching, creating, updating, and deleting Custom IOA (Indicators of Attack) behavioral rules and rule groups using Falcon Custom IOA Service Collection endpoints |
| Data Protection | Data Protection: READ | Read-only access to Data Protection configuration data (classifications, policies, and content patterns) so an LLM can reason about why a Data Protection detection fired |
| Detections | Alerts: READ, Alerts: WRITE | Accessing and analyzing CrowdStrike Falcon detections |
| Discover | Assets: READ | Accessing and managing CrowdStrike Falcon Discover applications and unmanaged assets |
| Exclusions | IOA Exclusions: READ, Machine Learning Exclusions: READ, Sensor Visibility Exclusions: READ, IOA Exclusions: WRITE, Machine Learning Exclusions: WRITE, Sensor Visibility Exclusions: WRITE | A unified set of tools for managing CrowdStrike exclusions across four types (IOA, Machine Learning, Sensor Visibility, and Certificate-Based) behind a single exclusion_type discriminator |
| Firewall Management | Firewall Management: READ, Firewall Management: WRITE | Searching and managing firewall rules and rule groups |
| Host Groups | Host Groups: READ, Host Groups: WRITE | Searching, creating, updating, and deleting CrowdStrike Falcon host groups, as well as managing group membership |
| Hosts | Hosts: READ | Accessing and managing CrowdStrike Falcon hosts/devices |
| Identity Protection | Identity Protection Assessment: READ, Identity Protection Detections: READ, Identity Protection Entities: READ, Identity Protection Timeline: READ, Identity Protection GraphQL: WRITE | Accessing and managing CrowdStrike Falcon Identity Protection capabilities |
| Intel | Actors (Falcon Intelligence): READ, Indicators (Falcon Intelligence): READ, Reports (Falcon Intelligence): READ | Accessing and analyzing CrowdStrike Falcon intelligence data |
| IOC | IOC Management: READ, IOC Management: WRITE | Searching, creating, and deleting custom IOCs using Falcon IOC Service Collection endpoints |
| NGSIEM | NGSIEM: READ, NGSIEM: WRITE | Running search queries against CrowdStrike's Next-Gen SIEM via the asynchronous job-based search API |
| Policies | Content Update Policies: READ, Device Control Policies: READ, Firewall Management: READ, Prevention Policies: READ, Response Policies: READ, Sensor Update Policies: READ, Content Update Policies: WRITE, Device Control Policies: WRITE, Firewall Management: WRITE, Prevention Policies: WRITE, Response Policies: WRITE, Sensor Update Policies: WRITE | A unified set of tools for managing CrowdStrike host-based policies across all six policy types (prevention, sensor_update, firewall, device_control, response, and content_update) behind a single policy_type discriminator |
| Quarantine | Quarantined Files: READ, Quarantined Files: WRITE | Investigating quarantined files and applying quarantine actions during triage and remediation workflows |
| Real Time Response | Real time response: READ, real-time-response-audit: READ, Real time response: WRITE | Initiating and inspecting RTR sessions and executing read-only RTR commands during host investigations |
| Scheduled Reports | Scheduled Reports: READ | Accessing and managing CrowdStrike Falcon scheduled reports and scheduled searches |
| Sensor Usage | Sensor Usage: READ | Accessing CrowdStrike Falcon sensor usage data |
| Serverless | Falcon Container Image: READ | Accessing and managing CrowdStrike Falcon Serverless vulnerabilities |
| Shield | SaaS Security: READ, SaaS Security: WRITE | Shield (SaaS Security) module for CrowdStrike Falcon |
| Spotlight | Vulnerabilities: READ | Accessing and managing CrowdStrike Falcon Spotlight vulnerabilities |
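The practical consequence of this table is a least-privilege check: the API client the server authenticates with should carry exactly the scopes of the modules you enable, and any WRITE scope it carries should be a deliberate choice. The following script is an added example, not code from the falcon-mcp project. It transcribes the table above into a lookup, computes the scope set for a chosen module list, separates out the state-changing WRITE scopes for review, and diffs an API client's granted scopes against what is needed. The `granted` set in the usage section is a constructed example; the function and variable names are this example's own.

```python
"""Least-privilege scope check for a Falcon MCP Server API client (added example).

MODULE_SCOPES is transcribed from the module table above. Function names
and the sample granted-scope set are this example's own, not falcon-mcp's.
"""
from __future__ import annotations

MODULE_SCOPES: dict[str, frozenset[str]] = {
    "Case Management": frozenset({"Case Templates: READ", "Cases: READ", "Cases: WRITE"}),
    "Cloud Security": frozenset({
        "Cloud Security API Assets: READ", "Cloud Security API Detections: READ",
        "Cloud Security Policies: READ", "Falcon Container Image: READ",
        "Cloud Security Policies: WRITE"}),
    "Correlation Rules": frozenset({"Correlation Rules: READ", "Correlation Rules: WRITE"}),
    "Custom IOA": frozenset({"Custom IOA Rules: READ", "Custom IOA Rules: WRITE"}),
    "Data Protection": frozenset({"Data Protection: READ"}),
    "Detections": frozenset({"Alerts: READ", "Alerts: WRITE"}),
    "Discover": frozenset({"Assets: READ"}),
    "Exclusions": frozenset({
        "IOA Exclusions: READ", "Machine Learning Exclusions: READ",
        "Sensor Visibility Exclusions: READ", "IOA Exclusions: WRITE",
        "Machine Learning Exclusions: WRITE", "Sensor Visibility Exclusions: WRITE"}),
    "Firewall Management": frozenset({"Firewall Management: READ", "Firewall Management: WRITE"}),
    "Host Groups": frozenset({"Host Groups: READ", "Host Groups: WRITE"}),
    "Hosts": frozenset({"Hosts: READ"}),
    "Identity Protection": frozenset({
        "Identity Protection Assessment: READ", "Identity Protection Detections: READ",
        "Identity Protection Entities: READ", "Identity Protection Timeline: READ",
        "Identity Protection GraphQL: WRITE"}),
    "Intel": frozenset({
        "Actors (Falcon Intelligence): READ", "Indicators (Falcon Intelligence): READ",
        "Reports (Falcon Intelligence): READ"}),
    "IOC": frozenset({"IOC Management: READ", "IOC Management: WRITE"}),
    "NGSIEM": frozenset({"NGSIEM: READ", "NGSIEM: WRITE"}),
    "Policies": frozenset({
        "Content Update Policies: READ", "Device Control Policies: READ",
        "Firewall Management: READ", "Prevention Policies: READ",
        "Response Policies: READ", "Sensor Update Policies: READ",
        "Content Update Policies: WRITE", "Device Control Policies: WRITE",
        "Firewall Management: WRITE", "Prevention Policies: WRITE",
        "Response Policies: WRITE", "Sensor Update Policies: WRITE"}),
    "Quarantine": frozenset({"Quarantined Files: READ", "Quarantined Files: WRITE"}),
    "Real Time Response": frozenset({
        "Real time response: READ", "real-time-response-audit: READ",
        "Real time response: WRITE"}),
    "Scheduled Reports": frozenset({"Scheduled Reports: READ"}),
    "Sensor Usage": frozenset({"Sensor Usage: READ"}),
    "Serverless": frozenset({"Falcon Container Image: READ"}),
    "Shield": frozenset({"SaaS Security: READ", "SaaS Security: WRITE"}),
    "Spotlight": frozenset({"Vulnerabilities: READ"}),
}


def required_scopes(modules: list[str]) -> set[str]:
    """Union of the scopes needed by the enabled modules.

    Unknown module names raise instead of being skipped, so a typo cannot
    silently produce an under-scoped (or unexpectedly scoped) client.
    """
    unknown = sorted(set(modules) - MODULE_SCOPES.keys())
    if unknown:
        raise ValueError(f"unknown module(s): {unknown}")
    return set().union(*(MODULE_SCOPES[m] for m in modules))


def write_scopes(modules: list[str]) -> set[str]:
    """Scopes that allow the server to change tenant state; review each before granting."""
    return {s for s in required_scopes(modules) if s.endswith(": WRITE")}


def audit_client(granted: set[str], modules: list[str]) -> dict[str, set[str]]:
    """Diff an API client's granted scopes against what the enabled modules need.

    'missing' scopes will cause the affected tools' API calls to be rejected;
    'excess' scopes are over-privilege and should be removed from the client.
    """
    needed = required_scopes(modules)
    return {"missing": needed - granted, "excess": granted - needed}


if __name__ == "__main__":
    enabled = ["Hosts", "Detections", "Intel"]
    # Constructed example: a client left over from an earlier deployment that
    # also ran the Real Time Response module.
    granted = {
        "Hosts: READ", "Alerts: READ", "Real time response: WRITE",
        "Actors (Falcon Intelligence): READ", "Indicators (Falcon Intelligence): READ",
        "Reports (Falcon Intelligence): READ",
    }
    result = audit_client(granted, enabled)
    print("missing:", sorted(result["missing"]))   # ['Alerts: WRITE']
    print("excess: ", sorted(result["excess"]))    # ['Real time response: WRITE']
    print("write:  ", sorted(write_scopes(enabled)))  # ['Alerts: WRITE']
```

Note that scopes overlap between modules (Firewall Management appears in both the Firewall Management and Policies modules), so the union de-duplicates them; enabling Policies alongside Firewall Management adds no scopes beyond the twelve Policies already needs. A few modules (Detections, Identity Protection, NGSIEM) require a WRITE scope even when you only intend to read, so the write-scope listing is a prompt for review rather than something to strip blindly.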