Vinkius

CrowdStrike Falcon MCP. Contain devices and investigate threats instantly.

Works with every AI agent you already use: Claude, ChatGPT, Cursor, Gemini, Windsurf, VS Code, JetBrains, Vercel, and any MCP-compatible client.


Just plug in your AI agents and start using Vinkius.

CrowdStrike Falcon MCP Server connects your AI agent directly to the Falcon platform. Use it to query detection alerts, list security incidents, and search endpoint details instantly.

You can contain a device, create custom Indicators of Compromise (IOCs), and get real-time vulnerability data across your entire managed fleet.

What your AI agents can do

Contain device

Isolates a specific endpoint from the network or lifts its containment status.

Create ioc

Adds a custom Indicator of Compromise (IOC) using a provided hash, domain, or IP address.

List detections

Queries all detection alerts across the fleet, allowing filtering by severity and technique.

Search and profile endpoint hardware

Use search_hosts to get a full inventory of every managed device, including OS details and sensor status.

Triage and update security alerts

Query list_detections to find specific alerts (by severity or technique) and use update_detection to add triage notes directly to the record.

Isolate compromised devices

Execute contain_device to immediately isolate a host, preventing lateral movement without manual console work.

Build threat intelligence context

Run create_ioc to add new Indicators of Compromise (like a malicious hash or domain) to your threat intelligence database.

Investigate incident timelines

Use list_incidents to pull a timeline of security events, filtered by date or assigned analyst.

Identify asset weaknesses

Query list_vulnerabilities to find which endpoints are exposed to specific CVEs or severity levels.

Supported MCP Clients

Claude, ChatGPT, Cursor, Gemini, Windsurf, VS Code, JetBrains, Vercel, and other MCP clients.

Free for Subscribers

Tool reference

contain_device

Isolates a specific endpoint from the network or lifts its containment status.

create_ioc

Adds a custom Indicator of Compromise (IOC) using a provided hash, domain, or IP address.

list_detections

Queries all detection alerts across the fleet, allowing filtering by severity and technique.

list_incidents

Retrieves a list of active security incidents, which you can filter by date or severity.

list_iocs

Shows all custom Indicators of Compromise currently stored in the platform.

list_vulnerabilities

Queries vulnerability data for managed endpoints, filtering by CVE or severity.

search_hosts

Searches the entire endpoint inventory to return detailed device information.

update_detection

Changes the status of a detection alert and allows you to add a triage comment.

Choose How to Get Started

Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.

Build Your Own

Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.

  • Import from OpenAPI, Swagger, or YAML specs
  • Create Agent Skills with progressive disclosure
  • Deploy to edge with MCPFusion framework
  • Built-in DLP, auth, and compliance on every call
  • Real-time usage dashboard and cost metering
  • Publish to catalog or keep private

Make Your AI Do More

Start with CrowdStrike Falcon, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.

  • Use this MCP plus 4,700+ others, all in one place
  • Add new capabilities to your AI anytime you want
  • Every connection is secured and compliant automatically
  • Track usage and costs across all your servers
  • Works with Claude, ChatGPT, Cursor, and more
  • New servers added to the catalog every week

What you can do with this MCP connector

CrowdStrike Falcon MCP Server hooks your AI agent right into the Falcon platform. You'll use it to query detection alerts, list security incidents, and search endpoint details instantly. You can contain a device, create custom Indicators of Compromise (IOCs), and get real-time vulnerability data across your whole fleet.

Use search_hosts to pull a full inventory of every managed device, including OS details and sensor status. You can query list_detections to find specific alerts, filtering by severity or technique, and then use update_detection to add triage notes right to the record. You'll use list_incidents to pull a timeline of security events, filtering by date or assigned analyst.

To build threat intelligence context, you can run create_ioc to add new Indicators of Compromise, like a malicious hash or domain, to your threat intelligence database. You can use list_iocs to see all custom IOCs stored in the platform. You'll query list_vulnerabilities to find which endpoints are exposed to specific CVEs or severity levels.

If you find a bad actor, you can execute contain_device to immediately isolate a host, preventing lateral movement without jumping to a manual console. To start, you can use list_detections to see all detection alerts across the fleet, filtering by severity and technique.

How CrowdStrike Falcon MCP Works

  1. Start by giving your agent a high-level goal: 'Find all critical systems communicating with X.'
  2. The agent executes a sequence of tools: first list_detections to pinpoint the alert, then list_vulnerabilities to check the asset's risk score, and finally search_hosts to get the device owner's details.
  3. The agent compiles the output (the alert details, the vulnerability data, and the host owner) into one cohesive summary that you can act on.

The bottom line is, your agent runs complex, multi-step security playbooks using the tools, so you don't have to.

Who Is CrowdStrike Falcon MCP For?

This is for the SOC Analyst who has to click through five different dashboards just to understand one alert. It's for the Security Engineer who needs to automate IOC management and threat hunting. If your job involves translating raw security data into immediate, actionable containment steps, this is for you.

SOC Analyst

Triages alerts by running list_detections and list_incidents, then uses update_detection to document findings without leaving the chat window.

Security Engineer

Automates the threat intelligence lifecycle by using create_ioc and list_iocs to rapidly add and manage IOCs found during an investigation.

IT Operations Manager

Checks fleet compliance by running search_hosts to verify sensor coverage and list_vulnerabilities to report on outdated systems.

What Changes When You Connect

  • Faster Triage: Instead of opening 10 tabs to check alerts, your agent runs list_detections and list_incidents to pull all necessary data into a single chat response. You get the context immediately.
  • Proactive Defense: Use create_ioc to immediately ingest a newly found malicious hash or domain. This action pushes the threat data across your whole fleet without needing manual console updates.
  • Instant Mitigation: If an alert points to a suspicious machine, you don't waste time. You run contain_device to isolate it, stopping the threat before it moves laterally.
  • Full Asset Visibility: Need to know if a host is compliant? search_hosts provides full device inventory details, so you can quickly check sensor versions and OS info across the board.
  • Risk Scoring: When investigating an alert, run list_vulnerabilities to cross-reference the affected host. This shows you if the incident is related to a known, unpatched weakness.
  • Streamlined Documentation: Found an alert, investigated it, and now you need to tell your manager what you did? Use update_detection to log the findings and triage notes right against the original alert.

Real-World Use Cases

01. Contain a suspected breach point.

A machine shows a critical detection alert for credential dumping. You ask the agent to investigate. It runs list_detections to confirm the alert, then runs search_hosts to confirm the device owner, and finally executes contain_device on the host. The threat is contained in minutes, not hours.

02. Audit endpoint compliance across departments.

IT Ops needs to know which group of employees is running outdated sensors. They prompt the agent to check the fleet health. The agent uses list_vulnerabilities and search_hosts to generate a report detailing non-compliant devices and their owners.

03. Investigate a complex ransomware campaign.

An analyst finds a suspicious IP address. They instruct the agent to check all related threat intelligence. The agent runs list_iocs to see if it's known, then runs create_ioc to add the new IP. Finally, it checks list_detections to see if any other alerts mention that IP, building a full kill chain.

04. Prepare for a compliance audit.

The CISO needs a summary of the top 10 highest-risk assets. They ask the agent to compile a list. The agent uses list_incidents for historical context and list_vulnerabilities to prioritize assets that have both high-severity vulnerabilities and recent activity.

The Tradeoffs

Manual Dashboard Jumping

An analyst sees an alert, clicks to the host details page, copies the IP, goes to the IOC list, checks the status, then opens a separate vulnerability report. This process wastes time and requires copy-pasting across five different tools.

Instead, tell your agent to 'Investigate detection X.' It runs list_detections and automatically correlates the host data via search_hosts and checks for known bad IPs using list_iocs. Everything is done in a single conversational flow.

Forgetting the Context

Running a simple list_detections query gives you 50 alerts. You see 5 critical ones, but you don't know which ones are connected to your most sensitive assets. The alerts are raw data, not prioritized action items.

Ask the agent to 'List critical detections on the financial servers.' The agent uses list_detections and filters the output by asset group, immediately prioritizing the alerts that matter most to the business.

Over-relying on Manual Containment

When a breach happens, an analyst logs into the console, finds the IP, and manually runs the containment script. This process is slow, prone to human error, and slows down the response time significantly.

Direct your agent to 'Contain the host at IP X.' The agent executes the contain_device tool instantly, handling the necessary API calls and state changes immediately.

When It Fits, When It Doesn't

Use this server if your primary job is translating raw security data into immediate, actionable commands. You need to correlate a detection alert (from list_detections) with asset information (search_hosts) and then potentially take an immediate action (contain_device). You're working in a high-stakes incident response environment where every minute counts.

Don't use this if you just need a general dashboard view or if you only want to export raw data into a spreadsheet. For simple data aggregation, a dedicated logging tool might suffice. You need the action layer. If your workflow is: 'Check data -> Analyze data -> Act on data,' this is your tool.

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by CrowdStrike Falcon. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

VINKIUS INFRASTRUCTURE

  • Cloud Hosted: managed infra
  • V8 Isolated: sandboxed per request
  • Zero-Trust Proxy: no stored credentials
  • DLP Enforced: policy on every call
  • GDPR Compliant: EU data residency
  • Token Compression: ~60% cost reduction

Works with Claude, ChatGPT, Cursor, and more

The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.

This server provides 8 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.

Available Capabilities

`contain_device`, `create_ioc`, `list_detections`, `list_incidents`, `list_iocs`, `list_vulnerabilities`, `search_hosts`, `update_detection`

Security investigations shouldn't require jumping between five different consoles.

Today, when an alert pops up, you're forced to open the Falcon console, copy the asset name, switch to the Incident Management UI, manually filter by date, and then open the Vulnerability dashboard to see if that asset is patched. You copy-paste data across three different UIs, losing context and burning critical time.

With the CrowdStrike Falcon MCP Server, you talk to your agent. You tell it the alert, and it runs the necessary tools (`list_detections`, `list_vulnerabilities`, `search_hosts`) and gives you one single, contextualized summary. You get the full picture, no switching required.

CrowdStrike Falcon MCP Server: Contain devices and investigate threats instantly.

You don't have to manually remember which tool to run or what the API syntax is. You just tell the agent: 'Contain this host.' It handles the `contain_device` call, manages the necessary authentication, and reports the status. The process is executed via natural language, not a command line.

It moves the focus from 'how do I run this containment script?' to 'is this host safe?'

Common Questions About CrowdStrike Falcon MCP

How do I use the list_detections tool with CrowdStrike Falcon?

You tell your agent to run list_detections and provide the FQL filter syntax you need (e.g., 'critical severity last 24 hours'). The agent returns detection details mapped to MITRE ATT&CK.

Can I use list_vulnerabilities to check a specific host?

Yes. You can ask the agent to check vulnerabilities for a specific host. The agent uses list_vulnerabilities and filters the query by the target hostname, giving you a precise risk assessment.

What is the process for creating an IOC using create_ioc?

Just tell your agent to create an IOC. You must specify the type (SHA256, domain, etc.) and the value. The agent executes create_ioc and confirms its addition to your threat intelligence records.

Does update_detection require manual steps?

No. You just tell the agent to update the alert. You provide the comment and the detection ID, and the agent executes update_detection automatically.

Can I check all endpoints with search_hosts?

Yes. The agent runs search_hosts and returns a full inventory, allowing you to filter the results by OS, department, or sensor version.

How do I use the list_incidents tool to filter by date range?

You filter incidents using FQL syntax, allowing date range specification. You can narrow your focus by setting a start and end date in the query parameters, which is helpful for post-incident review or compliance checks.

What is the scope of the search_hosts tool for device inventory?

The search_hosts tool returns the full device inventory details for the scope configured in your CrowdStrike tenant. This includes OS information, sensor versions, and other deep-dive telemetry for every endpoint.

Can I use list_iocs to check the metadata of existing IOCs?

Yes, list_iocs includes the type, value, action, and metadata for every custom IOC. This lets you check who created it, when it was added, and what action it's currently set to.

What authentication does CrowdStrike use?

CrowdStrike uses OAuth 2.0 Client Credentials. You create an API Client in the Falcon Console under Support > API Clients and Keys. The server automatically obtains and caches Bearer tokens using your Client ID and Secret.

Which cloud regions are supported?

All CrowdStrike commercial clouds: US-1 (api.crowdstrike.com), US-2 (api.us-2.crowdstrike.com), EU-1 (api.eu-1.crowdstrike.com), and US-GOV-1. Configure the Base URL credential to match your tenant region.
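As an added illustration of the two answers above (example code written for this page, not Vinkius's server or CrowdStrike's SDK): a region-aware token cache that maps the region names listed above to their base URLs, refuses unknown regions so a mistyped region can never send the client secret to an unexpected host, and renews the Bearer token shortly before it expires. The `/oauth2/token` path and the form-encoded `client_id`/`client_secret` body are assumed from CrowdStrike's OAuth2 client-credentials API; the HTTP call is injected, so the block runs offline against a constructed fake endpoint.

```python
"""OAuth2 client-credentials token cache keyed to the Falcon cloud region.

Added example; not Vinkius's or CrowdStrike's code. Assumptions: the token
endpoint path (/oauth2/token) and the form-encoded client_id/client_secret
body follow CrowdStrike's OAuth2 API; the HTTP call is injected so this runs
offline.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Commercial cloud base URLs exactly as listed on the page. US-GOV-1 is named
# there without a hostname, so it is deliberately absent: an operator adds it
# from their tenant's documentation rather than having the code guess.
FALCON_CLOUDS: Dict[str, str] = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
}
TOKEN_PATH = "/oauth2/token"  # assumed CrowdStrike token endpoint
REFRESH_MARGIN_S = 60.0       # renew this long before the token expires


def resolve_base_url(region: str) -> str:
    """Map a region name to its API base URL; unknown regions fail closed."""
    key = region.strip().upper()
    if key not in FALCON_CLOUDS:
        raise ValueError(f"unknown Falcon region {region!r}; known: {sorted(FALCON_CLOUDS)}")
    return FALCON_CLOUDS[key]


# An HTTP poster takes (url, form_body) and returns the decoded JSON response.
Poster = Callable[[str, str], dict]


@dataclass
class TokenCache:
    region: str
    client_id: str
    client_secret: str
    post: Poster
    now: Callable[[], float] = time.time
    _token: Optional[str] = field(default=None, init=False, repr=False)
    _expires_at: float = field(default=0.0, init=False)
    fetches: int = field(default=0, init=False)

    def bearer(self) -> str:
        """Return a Bearer value, fetching a new token only when none is cached
        or the cached one is inside the refresh margin."""
        if self._token is None or self.now() >= self._expires_at - REFRESH_MARGIN_S:
            self._fetch()
        return f"Bearer {self._token}"

    def _fetch(self) -> None:
        url = resolve_base_url(self.region) + TOKEN_PATH
        body = urlencode({"client_id": self.client_id, "client_secret": self.client_secret})
        resp = self.post(url, body)  # the secret travels only in this body, never in logs
        token = resp.get("access_token")
        if not token:
            raise RuntimeError("token response had no access_token")
        self._token = token
        self._expires_at = self.now() + float(resp.get("expires_in", 0))
        self.fetches += 1

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": self.bearer()}


def simulate_refresh() -> Tuple[List[str], List[str], int]:
    """Drive the cache with a fake clock and a constructed fake token endpoint.
    Returns (token URLs hit, Bearer values seen, fetch count)."""
    clock = [1_000.0]
    urls: List[str] = []

    def fake_post(url: str, body: str) -> dict:
        urls.append(url)
        # 1799 s is a constructed lifetime for the demo, not a documented value.
        return {"access_token": f"tok{len(urls)}", "expires_in": 1799, "token_type": "bearer"}

    cache = TokenCache("eu-1", "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                       fake_post, now=lambda: clock[0])
    seen = [cache.bearer(), cache.bearer()]  # second call is served from the cache
    clock[0] += 1799 - REFRESH_MARGIN_S      # step to the start of the refresh margin
    seen.append(cache.bearer())              # forces a renewal before expiry
    return urls, seen, cache.fetches


if __name__ == "__main__":
    print(simulate_refresh())
```

One practitioner check that goes with this flow: the API client whose ID and secret the server holds should carry only the scopes the eight tools need (reads for hosts, detections, incidents and vulnerabilities; writes only where `create_ioc`, `update_detection` and `contain_device` require them), so a leaked secret confers nothing beyond what the connector itself can do.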

Can it triage detections automatically?

Yes. The list_detections tool returns severity, tactic, technique, and device context. An AI agent can use this to auto-triage low/medium detections and escalate critical ones, reducing SOC analyst workload by 60-80%.
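The three-step playbook under 'How CrowdStrike Falcon MCP Works' and the auto-triage answer just above, as one added example (written for this page; not Vinkius's or CrowdStrike's code): it joins constructed `list_detections`, `list_vulnerabilities` and `search_hosts` records into the single worst-first summary of step 3, routes low/medium detections to auto-close and critical ones to escalation, and pulls a low/medium detection back into analyst review when its host carries an unpatched high or critical vulnerability. The record shapes and field names are assumptions, the CVE ids are placeholders, and `contain_device` is only proposed for escalated hosts, never called, so the isolation decision stays with a human.

```python
"""Playbook correlation and triage routing over constructed tool outputs.

Added example; not Vinkius's or CrowdStrike's code. Record shapes and field
names (device_id, severity, technique, owner, ...) are assumptions standing in
for whatever list_detections, list_vulnerabilities and search_hosts return.
"""
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample data. CVE ids are placeholders, not real identifiers.
DETECTIONS = [
    {"detection_id": "det-001", "device_id": "dev-a", "severity": "critical", "technique": "OS Credential Dumping"},
    {"detection_id": "det-002", "device_id": "dev-b", "severity": "medium", "technique": "PowerShell"},
    {"detection_id": "det-003", "device_id": "dev-c", "severity": "low", "technique": "Scheduled Task"},
    {"detection_id": "det-004", "device_id": "dev-a", "severity": "high", "technique": "Lateral Tool Transfer"},
]
VULNERABILITIES = [
    {"device_id": "dev-a", "cve": "CVE-PLACEHOLDER-0001", "severity": "critical"},
    {"device_id": "dev-a", "cve": "CVE-PLACEHOLDER-0002", "severity": "high"},
    {"device_id": "dev-b", "cve": "CVE-PLACEHOLDER-0003", "severity": "medium"},
]
HOSTS = [
    {"device_id": "dev-a", "hostname": "fin-db-01", "owner": "j.doe", "os": "Windows Server 2019", "sensor": "7.10"},
    {"device_id": "dev-b", "hostname": "hr-ws-17", "owner": "a.roe", "os": "Windows 11", "sensor": "7.10"},
    {"device_id": "dev-c", "hostname": "dev-ws-03", "owner": "m.poe", "os": "Ubuntu 22.04", "sensor": "7.08"},
]


def triage_action(detection_severity: str, worst_vuln_rank: int) -> str:
    """Routing rule: critical detections escalate; high ones, or low/medium ones
    on a host with a high/critical unpatched vulnerability, go to an analyst;
    everything else is auto-closed. Containment is never decided here."""
    sev = SEVERITY_RANK[detection_severity]
    if sev == SEVERITY_RANK["critical"]:
        return "escalate"
    if sev == SEVERITY_RANK["high"] or worst_vuln_rank >= SEVERITY_RANK["high"]:
        return "analyst_review"
    return "auto_close"


def summarize(detections: List[Dict], vulnerabilities: List[Dict], hosts: List[Dict]) -> List[Dict]:
    """Join each detection with its host's owner and vulnerability exposure,
    ordered worst first: the single summary the playbook's step 3 describes."""
    vulns_by_device: Dict[str, List[Dict]] = {}
    for v in vulnerabilities:
        vulns_by_device.setdefault(v["device_id"], []).append(v)
    host_by_device = {h["device_id"]: h for h in hosts}
    rows = []
    for d in detections:
        host = host_by_device.get(d["device_id"], {})
        vulns = vulns_by_device.get(d["device_id"], [])
        worst = max((SEVERITY_RANK[v["severity"]] for v in vulns), default=0)
        rows.append({
            "detection_id": d["detection_id"],
            "severity": d["severity"],
            "technique": d["technique"],
            "hostname": host.get("hostname", "<unknown host>"),
            "owner": host.get("owner", "<unknown owner>"),
            "open_vulns": len(vulns),
            "worst_vuln_rank": worst,
            "action": triage_action(d["severity"], worst),
        })
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["worst_vuln_rank"], r["detection_id"]))
    return rows


def run_playbook(detections: List[Dict] = DETECTIONS, vulnerabilities: List[Dict] = VULNERABILITIES,
                 hosts: List[Dict] = HOSTS) -> Dict[str, List[str]]:
    """Group detections by routing outcome. Hosts behind escalated detections are
    only *proposed* for contain_device: isolating a host is a high-impact action
    that should not hinge on a single automated judgement."""
    plan: Dict[str, List[str]] = {"escalate": [], "analyst_review": [], "auto_close": [], "proposed_containments": []}
    for row in summarize(detections, vulnerabilities, hosts):
        plan[row["action"]].append(row["detection_id"])
        if row["action"] == "escalate" and row["hostname"] not in plan["proposed_containments"]:
            plan["proposed_containments"].append(row["hostname"])
    return plan


def render(rows: List[Dict]) -> str:
    """One line per detection, the shape an agent would hand back to the analyst."""
    return "\n".join(
        f"{r['detection_id']} {r['severity']:<8} {r['technique']:<24} host={r['hostname']} "
        f"owner={r['owner']} open_vulns={r['open_vulns']} -> {r['action']}"
        for r in rows)


if __name__ == "__main__":
    print(render(summarize(DETECTIONS, VULNERABILITIES, HOSTS)))
    print(run_playbook())
```

On the constructed data the critical credential-dumping detection on `fin-db-01` is escalated and that host is proposed for containment; the high-severity detection on the same host goes to review; the medium and low detections auto-close because their hosts carry at most a medium vulnerability. Changing the vulnerability data for `hr-ws-17` to a critical CVE flips its medium detection into analyst review, which is the cross-referencing the 'Risk Scoring' bullet describes.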


We've already built the connector for CrowdStrike Falcon. Just plug in your AI agents and start using Vinkius.

No hosting. No infrastructure. No complex setup.
All 8 tools are live and waiting. You're up and running in seconds.


Vinkius gives your AI agents access to the full catalog of app connectors, all fully managed, secure, and enterprise-ready. One subscription, every tool you need.

Zero hosting required. Full MCP catalog included. Enterprise-grade security. Auto-updated by Vinkius.

Built, hosted, and secured by Vinkius. You just connect and go.