Module Overview

The Falcon MCP Server provides the following modules. Each module requires specific CrowdStrike API scopes.

Module	API Scopes	Description
Cloud Security	Cloud Security API Assets:read, Falcon Container Image:read	Accessing and analyzing CrowdStrike Falcon cloud resources like Kubernetes & Containers Inventory, Images Vulnerabilities, Cloud Assets
Custom IOA	Custom IOA Rules:read, Custom IOA Rules:write	Searching, creating, updating, and deleting Custom IOA (Indicators of Attack) behavioral rules and rule groups using Falcon Custom IOA Service Collection endpoints
Detections	Alerts:read	Accessing and analyzing CrowdStrike Falcon detections
Discover	Assets:read	Accessing and managing CrowdStrike Falcon Discover applications and unmanaged assets
Firewall Management	Firewall Management:read, Firewall Management:write	Searching and managing firewall rules and rule groups
Hosts	Hosts:read	Accessing and managing CrowdStrike Falcon hosts/devices
Identity Protection	Identity Protection Assessment:read, Identity Protection Detections:read, Identity Protection Entities:read, Identity Protection Timeline:read, Identity Protection GraphQL:write	Accessing and managing CrowdStrike Falcon Identity Protection capabilities
Incidents	Incidents:read	Accessing and analyzing CrowdStrike Falcon incidents
Intel	Actors (Falcon Intelligence):read, Indicators (Falcon Intelligence):read, Reports (Falcon Intelligence):read	Accessing and analyzing CrowdStrike Falcon intelligence data
IOC	IOC Management:read, IOC Management:write	Searching, creating, and deleting custom IOCs using Falcon IOC Service Collection endpoints
NGSIEM	NGSIEM:read, NGSIEM:write	Running search queries against CrowdStrike’s Next-Gen SIEM via the asynchronous job-based search API
Real Time Response	Real time response:read, Real time response:write	Initiating and inspecting RTR sessions and for executing read-only RTR commands during host investigations
Scheduled Reports	Scheduled Reports:read	Accessing and managing CrowdStrike Falcon scheduled reports and scheduled searches
Sensor Usage	Sensor Usage:read	Accessing CrowdStrike Falcon sensor usage data
Serverless	Falcon Container Image:read	Accessing and managing CrowdStrike Falcon Serverless Vulnerabilities
Spotlight	Vulnerabilities:read	Accessing and managing CrowdStrike Falcon Spotlight vulnerabilities