Set up the CrowdStrike Falcon MCP server
The CrowdStrike Falcon MCP server connects AI agents to the Falcon platform for security operations — querying detections, incidents, threat intelligence, host inventory, vulnerabilities, and more. This guide covers creating a Falcon API client with the right scopes and adding it to MintMCP using the Advanced hosted connector setup with per-user credentials.
Prerequisites
- A MintMCP admin account
- A CrowdStrike Falcon subscription with API access
Create a Falcon API client
Because FALCON_CLIENT_ID and FALCON_CLIENT_SECRET are per-user credentials, each team member needs to create their own Falcon API client. Share these steps with your team.
- Go to falcon.crowdstrike.com and sign in.
- Navigate to Support > API Clients and Keys.
- Click Add new API client.
- Enter a name (e.g., "MintMCP Falcon") and an optional description.
- Select scopes under API scopes based on the modules you want to enable. The table below maps each module to its required scopes.
| Module | Required API scopes |
|---|---|
| Detections | Alerts:read |
| Incidents | Incidents:read |
| Hosts | Hosts:read |
| Intel | Actors (Falcon Intelligence):read, Indicators (Falcon Intelligence):read, Reports (Falcon Intelligence):read |
| Spotlight | Vulnerabilities:read |
| Custom IOA | Custom IOA Rules:read, Custom IOA Rules:write |
| Identity Protection | Identity Protection Entities:read, Identity Protection Timeline:read, Identity Protection Detections:read, Identity Protection Assessment:read, Identity Protection GraphQL:write |
| Firewall Management | Firewall Management:read, Firewall Management:write |
| NGSIEM | NGSIEM:read, NGSIEM:write |
| Cloud Security | Falcon Container Image:read |
| Discover | Assets:read |
| IOC | IOC Management:read, IOC Management:write |
| Scheduled Reports | Scheduled Reports:read |
| Sensor Usage | Sensor Usage:read |
| Serverless | Falcon Container Image:read |
- Click Add.
- Copy the Client ID and Client Secret. The secret is shown only once; store it in a secrets manager before closing.
Add CrowdStrike Falcon to MintMCP
- In MintMCP, go to MCP store > Manage store.
- Click + Add an MCP to your registry → Host an open source or custom MCP.
- Click Advanced.
- Enter uvx falcon-mcp in the Command field.
- Under Global Environment Variables, add FALCON_BASE_URL → https://api.crowdstrike.com.
- Under User Specific Environment Variables, add FALCON_CLIENT_ID and FALCON_CLIENT_SECRET.
- Click Create.
If your Falcon environment is not in US-1, set FALCON_BASE_URL to the appropriate regional URL:
| Region | Base URL |
|---|---|
| US-1 (default) | https://api.crowdstrike.com |
| US-2 | https://api.us-2.crowdstrike.com |
| EU-1 | https://api.eu-1.crowdstrike.com |
| US-GOV | https://api.laggar.gcw.crowdstrike.com |
To limit which modules are active, add FALCON_MCP_MODULES as a Global Environment Variable with a comma-separated list of module names (e.g., detections,incidents,intel). If omitted, all modules are enabled.
Security considerations
- The client secret is shown only once at creation — store it immediately in a secrets manager.
- Grant only the API scopes your use case requires. Each module maps to specific scopes in the table above.
- Each user's Falcon API client is scoped to their own account — actions are tied to the individual's identity and permissions.
- This server is in public preview and CrowdStrike advises against production deployments until the stable 1.0 release.
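One way to check the least-privilege point above before handing a client to the connector: this added example (not MintMCP or CrowdStrike code) compares the scopes granted to an API client with what the modules listed in FALCON_MCP_MODULES need, and reports missing scopes, excess scopes, and required write scopes. The function name and the module keys other than detections, incidents and intel are assumptions; the scope strings come from the table on this page.

```python
# Added example: scope strings are copied from the module table on this page.
# Module keys other than detections, incidents and intel are ASSUMED spellings
# (the table's module names, lowercased); confirm them before relying on this.
MODULE_SCOPES = {
    "detections": {"Alerts:read"},
    "incidents": {"Incidents:read"},
    "hosts": {"Hosts:read"},
    "intel": {"Actors (Falcon Intelligence):read", "Indicators (Falcon Intelligence):read",
              "Reports (Falcon Intelligence):read"},
    "spotlight": {"Vulnerabilities:read"},
    "custom_ioa": {"Custom IOA Rules:read", "Custom IOA Rules:write"},
    "identity_protection": {
        "Identity Protection Entities:read", "Identity Protection Timeline:read",
        "Identity Protection Detections:read", "Identity Protection Assessment:read",
        "Identity Protection GraphQL:write"},
    "firewall_management": {"Firewall Management:read", "Firewall Management:write"},
    "ngsiem": {"NGSIEM:read", "NGSIEM:write"},
    "cloud_security": {"Falcon Container Image:read"},
    "discover": {"Assets:read"},
    "ioc": {"IOC Management:read", "IOC Management:write"},
    "scheduled_reports": {"Scheduled Reports:read"},
    "sensor_usage": {"Sensor Usage:read"},
    "serverless": {"Falcon Container Image:read"},
}

def audit_scopes(modules_env, granted_scopes):
    """Compare the scopes granted to an API client with what the enabled modules need."""
    if modules_env is None or not modules_env.strip():
        names = sorted(MODULE_SCOPES)  # variable omitted: all modules are enabled
    else:
        names = [m.strip().lower() for m in modules_env.split(",") if m.strip()]
    unknown = sorted({n for n in names if n not in MODULE_SCOPES})
    required = set().union(*(MODULE_SCOPES[n] for n in names if n in MODULE_SCOPES))
    granted = set(granted_scopes)
    return {
        "unknown_modules": unknown,                     # typos or unsupported names
        "missing": sorted(required - granted),          # enabled modules would fail
        "excess": sorted(granted - required),           # candidates for removal
        "write_required": sorted(s for s in required if s.endswith(":write")),
    }

if __name__ == "__main__":
    # Constructed sample: three read-only modules, client created with extra scopes.
    report = audit_scopes("detections,incidents,intel",
                          ["Alerts:read", "Incidents:read", "Hosts:read", "IOC Management:write"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

With FALCON_MCP_MODULES omitted, the same call reports every write scope in the table as required, which is the case for restricting the module list before creating the client.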
Next steps
- Tool customization — Limit which Falcon tools are available to AI agents
- Add a hosted connector — Reference documentation for hosting open-source MCP servers