CROWDSTRIKE FALCON TOOLS

33 tools from the CrowdStrike Falcon MCP Server, categorised by risk level.

READ 30 tools
Read  falcon_check_connectivity  Check connectivity to the Falcon API
Read  falcon_count_kubernetes_containers  Count Kubernetes containers by filter
Read  falcon_download_report_execution  Download generated report files
Read  falcon_get_behavior_details  Get detailed behaviour information
Read  falcon_get_detection_details  Get comprehensive detection details by ID
Read  falcon_get_host_details  Retrieve detailed host information by ID
Read  falcon_get_incident_details  Get comprehensive incident details
Read  falcon_get_mitre_report  Generate MITRE ATT&CK reports for actors
Read  falcon_list_enabled_modules  List enabled Falcon MCP server modules
Read  falcon_list_modules  List all available Falcon MCP modules
Read  falcon_search_actors  Research threat actors
Read  falcon_search_applications  Search applications in the environment
Read  falcon_search_behaviors  Find and analyse suspicious behaviours
Read  falcon_search_detections  Find detections for malicious activity
Read  falcon_search_hosts  Search hosts in CrowdStrike environment
Read  falcon_search_images_vulnerabilities  Search container image vulnerabilities
Read  falcon_search_incidents  Find and analyse security incidents
Read  falcon_search_indicators  Search threat indicators and IOCs
Read  falcon_search_iocs  Search custom IOCs using FQL
Read  falcon_search_kubernetes_containers  Search Kubernetes container inventory
Read  falcon_search_report_executions  Search for report executions
Read  falcon_search_reports  Access intelligence publications and reports
Read  falcon_search_scheduled_reports  Search for scheduled reports
Read  falcon_search_sensor_usage  Search weekly sensor usage data
Read  falcon_search_serverless_vulnerabilities  Search serverless function vulnerabilities
Read  falcon_search_unmanaged_assets  Search for assets without Falcon sensor
Read  falcon_search_vulnerabilities  Search vulnerabilities in the environment
Read  falcon_show_crowd_score  View CrowdScores and security metrics
Read  idp_investigate_entity  Investigate entities for identity protection
Read  search_ngsiem  Execute a CQL query against Next-Gen SIEM

The managed route: connect CrowdStrike Falcon through the PolicyLayer gateway — every tool call above is checked against your policy before it runs, with a full audit log.

DIRECT INSTALL (UNMANAGED)

npx -y @falcon-mcp

How many tools does the CrowdStrike Falcon MCP server have?

The CrowdStrike Falcon MCP server exposes 33 tools across 4 categories: Read, Write, Destructive, Execute.

How do I enforce policies on CrowdStrike Falcon tools?

Route the CrowdStrike Falcon server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard — they are enforced on every call before it reaches the server.

What risk categories do CrowdStrike Falcon tools fall into?

CrowdStrike Falcon tools are categorised as Read (30), Write (1), Destructive (1), Execute (1). Each category has a recommended default policy.

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

Free to start. No card required.

4,600+ MCP servers and 31,000+ tools scanned and risk-classified.
