Flight Control (MSSP)
The Falcon MCP Server supports CrowdStrike Flight Control for MSSP (Managed Security Service Provider) environments. Use parent CID API credentials with the --member-cid flag or FALCON_MEMBER_CID environment variable to target a specific child CID.
Configuration
Section titled “Configuration”Environment variable:
export FALCON_MEMBER_CID="abc123-child-cid-xyz"falcon-mcpCommand-line flag:
falcon-mcp --member-cid "abc123-child-cid-xyz"In .env file:
# Parent CID credentials (required)FALCON_CLIENT_ID=parent-client-idFALCON_CLIENT_SECRET=parent-client-secret
# Child CID to target (optional)FALCON_MEMBER_CID=abc123-child-cid-xyzRequirements
Section titled “Requirements”- Parent CID API credentials (
FALCON_CLIENT_IDandFALCON_CLIENT_SECRETfrom the parent tenant) - Flight Control enabled on the parent tenant
- Valid child CID identifier
- Parent API client must have appropriate scopes for operations on the child CID
Behavior
Section titled “Behavior”- Session-level: All tools in the server instance target the specified child CID
- Cannot switch mid-session: The
member_cidis set during authentication and persists for the server’s lifetime - Multiple child CIDs: To query multiple child CIDs, run separate server instances on different ports
Multi-Tenant Workflow
Section titled “Multi-Tenant Workflow”To work with multiple child CIDs simultaneously, run separate server instances:
# Parent CID (default)falcon-mcp --transport streamable-http --port 8000# Child CID 1falcon-mcp --member-cid "child-cid-1" --transport streamable-http --port 8001# Child CID 2falcon-mcp --member-cid "child-cid-2" --transport streamable-http --port 8002Each instance maintains its own authentication context and can be accessed independently by your MCP client.