# CrowdStrike Falcon MCP

> CrowdStrike Falcon MCP gives your AI agent control over a leading endpoint detection and response platform. It lets you query threat alerts, investigate device status, manage security incidents, and create Indicators of Compromise (IOCs) from one conversation. Use it to contain threats across entire fleets or quickly spot vulnerable assets.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** endpoint-protection, threat-intelligence, edr, xdr, incident-response, cybersecurity

## Description

This connection allows your AI agent to run security operations at machine speed. Instead of opening ten different dashboards to triage a threat, you simply ask your client what's wrong and tell it to fix it. You can query for specific detections using filter syntax, search entire host inventories for OS details, or even list all active security incidents across the board. If an endpoint is compromised, you don't wait for human approval; the agent can use available tools like `contain_device` to isolate the threat immediately. Because sensitive credentials pass through a zero-trust proxy in Vinkius, your keys are only used during transit and never stored on any disk—that’s critical when dealing with high-stakes security data. This capability lets you build workflows that span detection, investigation, and active response without manual context switching.

## Tools

### contain_device
Immediately isolate or lift the isolation status on a specific endpoint device.

### create_ioc
Manually add custom Indicators of Compromise (hashes, domains, IPs) into your threat intelligence feed.

### list_detections
Query and receive detailed reports on specific security detection alerts using advanced filtering syntax.

### list_incidents
Retrieve a list of ongoing or closed security incidents, filterable by state or severity level.

### list_iocs
View all existing custom Indicators of Compromise currently tracked within the system.

### list_vulnerabilities
Pull a list of vulnerability data across managed endpoints, filtering by CVE or severity.

### search_hosts
Perform a full inventory search to retrieve detailed operational information for any endpoint device.

### update_detection
Change the status of an existing detection alert and add internal triage notes for documentation.

## Prompt Examples

**Prompt:**
```
Show me all critical detections from the last 24 hours.
```

**Response:**
```
Found 3 critical detections in the last 24h: 1. 'CobaltStrike Beacon' on WIN-SERVER-05 (Critical, T1059.001 PowerShell). 2. 'Credential Dumping - LSASS' on DC-PROD-01 (Critical, T1003.001). 3. 'Lateral Movement - PsExec' on WS-FIN-12 (Critical, T1021.002). Recommend immediate containment of DC-PROD-01.
```

**Prompt:**
```
How many endpoints are running outdated sensors?
```

**Response:**
```
Fleet Health: 2,847 total endpoints. 2,691 (94.5%) on latest sensor v7.18. 127 (4.5%) on v7.16 (1 version behind). 29 (1.0%) on v7.14 or older - URGENT update needed. Top affected: Finance dept (12), Remote workers (9), Lab servers (8).
```

**Prompt:**
```
List all IOCs related to ransomware campaigns added this month.
```

**Response:**
```
18 ransomware IOCs added this month: 8 SHA256 hashes (LockBit 3.0 variants), 5 domains (C2 infrastructure), 3 IPs (data exfiltration endpoints), 2 mutex names. Sources: CrowdStrike Intelligence (12), Custom (6). All set to 'Detect' action.
```

## Capabilities

### Review Active Threats
Query detailed lists of security detections, including mapping to specific MITRE ATT&CK techniques.

### Investigate Device Status
Search and gather full inventory details for any endpoint device, checking OS versions and sensor status.

### Manage Incidents
List existing security incidents, filtering by severity or assigned user to track investigation progress.

### Isolate Compromised Devices
Execute immediate containment actions on a device, either isolating it completely or lifting the restriction.

### Identify Malicious Signatures
Create and manage custom Indicators of Compromise (IOCs) using various formats like SHA256 hashes or domains.

## Use Cases

### Responding to a suspicious alert
The sensor flags an unusual process. The analyst asks the MCP to run `search_hosts` on the affected machine, then checks `list_vulnerabilities` for related weaknesses. If the findings look suspicious, they use `contain_device` immediately.

### Hunting for new threats
The threat intel team suspects a new C2 domain. They instruct the agent to run `create_ioc`, supplying the domain and its indicator type, which automatically populates the system's defenses.

### Post-incident cleanup
After resolving an incident found via `list_incidents`, the analyst uses `update_detection` to mark all related alerts as false positives and adds a detailed comment for audit records.

### Quick fleet health check
The ops team needs to know which machines are missing sensor coverage. They ask the agent to run `search_hosts` across the entire domain, getting an instant report on compliance gaps.

## Benefits

- Triage detections faster than ever. Use `list_detections` to query alerts, and then use `update_detection` to document your findings, all without leaving the conversation.
- Pinpoint vulnerabilities and assets at once. Running `search_hosts` gives you full device details, which you can immediately cross-reference against vulnerability data from `list_vulnerabilities`.
- Respond with surgical precision. If a machine is compromised, use `contain_device` to isolate it instantly, preventing lateral movement before the threat spreads.
- Build your intelligence feed on demand. Instead of manually updating rulesets, you can run `create_ioc` directly through chat, adding hashes or domains as needed.
- Streamline incident tracking. Use `list_incidents` to see the full picture of active threats and use `list_iocs` to check if related signatures are already known.

## How It Works

The bottom line is that you talk to it the way you would talk to an analyst on your team; it handles the platform clicks and API calls for you.

1. First, you connect your AI client to the MCP. This establishes a single point of access for all security tools.
2. Next, you give your agent a natural language command, like 'Show me all critical detections from last night' or 'What devices have vulnerable sensors?'
3. The system executes the required tool calls and returns structured, actionable data—like a list of affected hosts or a confirmed incident report—straight back to your client.

## Frequently Asked Questions

**How do I use the list_detections tool with CrowdStrike Falcon?**
You ask your agent to run `list_detections` and specify criteria like severity or technique. The system returns a detailed report of alerts, including mapping to MITRE ATT&CK.

**What is the difference between list_incidents and list_detections?**
`list_detections` shows specific security events that happened on an endpoint (like a malicious file execution). `list_incidents` tracks the broader, ongoing investigation or confirmed breach associated with those events.

**Can I use contain_device to stop a threat via chat?**
Yes. You can command `contain_device` directly through your agent conversation after confirming which host needs isolation. It executes the necessary action immediately.

**How do I find out what vulnerabilities exist on my hosts using list_vulnerabilities?**
Ask the MCP to run `list_vulnerabilities`, and you can filter by CVE or severity level. This gives an instant snapshot of risk across your entire fleet.

**How do I filter results when using the list_detections tool?**
The tool accepts FQL filter syntax for precise querying. You can narrow down alerts by severity, specific technique ID, or hostname to pinpoint exact events quickly.

**What types of indicators can I use when running the create_ioc tool?**
You can build IOCs using multiple data types. The system accepts SHA256 hashes, MD5, domains, IPv4, and IPv6 addresses to establish comprehensive threat profiles.

**Does the search_hosts tool return complete inventory information for a device?**
Yes, running `search_hosts` returns full device inventory details. This includes OS information, sensor versions, and hardware specifics for every endpoint you manage.

**After investigating an alert, how do I change its status using update_detection?**
Use the `update_detection` tool to manage the alert lifecycle. You can modify the detection's status and optionally add a triage comment for your internal record-keeping.