CROWDSTRIKE FALCON TOOLS

33 tools from the CrowdStrike Falcon MCP Server, categorised by risk level.

READ 29 tools
Read falcon_check_connectivity: Check connectivity to the Falcon API
Read falcon_count_kubernetes_containers: Count Kubernetes containers by filter
Read falcon_download_report_execution: Download generated report files
Read falcon_get_behavior_details: Get detailed behaviour information
Read falcon_get_detection_details: Get comprehensive detection details by ID
Read falcon_get_host_details: Retrieve detailed host information by ID
Read falcon_get_incident_details: Get comprehensive incident details
Read falcon_get_mitre_report: Generate MITRE ATT&CK reports for actors
Read falcon_list_enabled_modules: List enabled Falcon MCP server modules
Read falcon_list_modules: List all available Falcon MCP modules
Read falcon_search_actors: Research threat actors
Read falcon_search_applications: Search applications in the environment
Read falcon_search_behaviors: Find and analyse suspicious behaviours
Read falcon_search_detections: Find detections for malicious activity
Read falcon_search_hosts: Search hosts in CrowdStrike environment
Read falcon_search_images_vulnerabilities: Search container image vulnerabilities
Read falcon_search_incidents: Find and analyse security incidents
Read falcon_search_indicators: Search threat indicators and IOCs
Read falcon_search_iocs: Search custom IOCs using FQL
Read falcon_search_kubernetes_containers: Search Kubernetes container inventory
Read falcon_search_report_executions: Search for report executions
Read falcon_search_reports: Access intelligence publications and reports
Read falcon_search_scheduled_reports: Search for scheduled reports
Read falcon_search_sensor_usage: Search weekly sensor usage data
Read falcon_search_serverless_vulnerabilities: Search serverless function vulnerabilities
Read falcon_search_unmanaged_assets: Search for assets without Falcon sensor
Read falcon_search_vulnerabilities: Search vulnerabilities in the environment
Read falcon_show_crowd_score: View CrowdScores and security metrics
Read idp_investigate_entity: Investigate entities for identity protection

The managed route: connect CrowdStrike Falcon through the PolicyLayer gateway — every tool call above is checked against your policy before it runs, with a full audit log.

DIRECT INSTALL (UNMANAGED)

npx -y @falcon-mcp

Route CrowdStrike Falcon through PolicyLayer and every one of its 33 tools is checked against your policy before it runs.


See every tool, the dangerous ones, and the token cost across your stack.

How many tools does the CrowdStrike Falcon MCP server have?

The CrowdStrike Falcon MCP server exposes 33 tools across 4 categories: Read, Write, Destructive, Execute.

How do I enforce policies on CrowdStrike Falcon tools?

Route the CrowdStrike Falcon server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do CrowdStrike Falcon tools fall into?

CrowdStrike Falcon tools are categorised as Read (29), Write (1), Destructive (1), Execute (2). Each category has a recommended default policy.

Enforce policy on every CrowdStrike Falcon tool call.

Start from CrowdStrike Falcon, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.


43,000+ MCP servers and 220,000+ tools scanned and risk-classified.
