CROWDSTRIKE FALCON TOOLS

33 tools from the CrowdStrike Falcon MCP Server, categorised by risk level.

READ TOOLS

30

falcon_check_connectivity: Check connectivity to the Falcon API (2/5)
falcon_count_kubernetes_containers: Count Kubernetes containers by filter (2/5)
falcon_download_report_execution: Download generated report files (2/5)
falcon_get_behavior_details: Get detailed behaviour information (3/5)
falcon_get_detection_details: Get comprehensive detection details by ID (3/5)
falcon_get_host_details: Retrieve detailed host information by ID (3/5)
falcon_get_incident_details: Get comprehensive incident details (3/5)
falcon_get_mitre_report: Generate MITRE ATT&CK reports for actors (2/5)
falcon_list_enabled_modules: List enabled Falcon MCP server modules (2/5)
falcon_list_modules: List all available Falcon MCP modules (2/5)
falcon_search_actors: Research threat actors (2/5)
falcon_search_applications: Search applications in the environment (2/5)
falcon_search_behaviors: Find and analyse suspicious behaviours (3/5)
falcon_search_detections: Find detections for malicious activity (3/5)
falcon_search_hosts: Search hosts in CrowdStrike environment (2/5)
falcon_search_images_vulnerabilities: Search container image vulnerabilities (3/5)
falcon_search_incidents: Find and analyse security incidents (3/5)
falcon_search_indicators: Search threat indicators and IOCs (3/5)
falcon_search_iocs: Search custom IOCs using FQL (3/5)
falcon_search_kubernetes_containers: Search Kubernetes container inventory (2/5)
falcon_search_report_executions: Search for report executions (2/5)
falcon_search_reports: Access intelligence publications and reports (2/5)
falcon_search_scheduled_reports: Search for scheduled reports (2/5)
falcon_search_sensor_usage: Search weekly sensor usage data (2/5)
falcon_search_serverless_vulnerabilities: Search serverless function vulnerabilities (3/5)
falcon_search_unmanaged_assets: Search for assets without Falcon sensor (3/5)
falcon_search_vulnerabilities: Search vulnerabilities in the environment (3/5)
falcon_show_crowd_score: View CrowdScores and security metrics (2/5)
idp_investigate_entity: Investigate entities for identity protection (3/5)
search_ngsiem: Execute a CQL query against Next-Gen SIEM (3/5)

WRITE TOOLS

1

DESTRUCTIVE TOOLS

1

EXECUTE TOOLS

1
How many tools does the CrowdStrike Falcon MCP server have?

The CrowdStrike Falcon MCP server exposes 33 tools across 4 categories: Read, Write, Destructive, Execute.

How do I enforce policies on CrowdStrike Falcon tools?

Use Intercept, the open-source MCP proxy. Write YAML rules for each tool — rate limits, argument validation, or deny rules — then run Intercept in front of the CrowdStrike Falcon server.

What risk categories do CrowdStrike Falcon tools fall into?

CrowdStrike Falcon tools are categorised as Read (30), Write (1), Destructive (1), Execute (1). Each category has a recommended default policy.

Enforce policies on CrowdStrike Falcon

Open source. One binary. Zero dependencies.

npx -y @policylayer/intercept
github.com/policylayer/intercept