# CrowdStrike Falcon MCP for AI Agents

> CrowdStrike Falcon connects your AI client directly to one of the industry's top endpoint detection and response platforms. It lets you query telemetry, triage alerts, investigate security incidents, and manage Indicators of Compromise—all through natural conversation.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** endpoint-protection, threat-intelligence, edr, xdr, incident-response, cybersecurity

## Description

Security teams can now operate at machine speed. Instead of clicking through complex dashboards, your AI client handles the deep dive into threat data using plain language commands. You can ask for all critical detections from the past 24 hours or find out which specific endpoints are running outdated sensor versions. The platform lets you search device inventory, manage active security incidents, and even create custom Indicators of Compromise (IOCs) to block known threats. By connecting this MCP through Vinkius, your AI agent gains access to a full set of specialized tools that normally require deep knowledge of the CrowdStrike console. You use natural conversation to run complex queries and get immediate answers about threat posture.

## Tools

### list_detections
Query detection alerts. Use FQL filter syntax for precision: severity, technique, hostname, etc. Returns detection details with MITRE ATT&CK mapping.

### update_detection
Update detection status. Optionally add a triage comment.

### search_hosts
Search endpoints. Returns full device inventory details.

### list_incidents
Query security incidents. Filter by state, severity, assigned_to, or date range using FQL syntax.

### list_iocs
List custom IOCs. Includes type, value, action, and metadata.

### create_ioc
Create a custom IOC indicator. Types: sha256, md5, domain, ipv4, ipv6. Actions: default.

### list_vulnerabilities
Query Spotlight vulnerabilities. Filter by CVE, severity, host, or remediation status.

### contain_device
Contain or lift containment on a device. Actions: default.

## Prompt Examples

**Prompt:** 
```
Show me all critical detections from the last 24 hours and tell me who should contain them.
```

**Response:** 
```
**Critical Detections (Last 24 Hours):**

*   `CobaltStrike Beacon` on WIN-SERVER-05 (Severity: Critical, MITRE T1059.001). **Action:** Immediate Containment Recommended.
*   `Credential Dumping - LSASS` on DC-PROD-01 (Severity: Critical, MITRE T1003.001). **Action:** Investigate and Isolate.

**Summary:** The primary risk is lateral movement targeting domain controllers. I recommend running the `contain_device` action on DC-PROD-01 immediately.
```

**Prompt:** 
```
What's the overall health of our remote worker laptops?
```

**Response:** 
```
**Fleet Health Check: Remote Workers**

*   **Total Devices:** 987
*   **Latest Sensor Version (v7.18):** 920 devices (93%) - *Good.*
*   **Outdated/Missing Sensors:** 67 devices (7%) - **URGENT UPDATE REQUIRED.**
*   **Top Vulnerability:** Missing patch for CVE-2024-xxxx on 15 machines. 

You need to prioritize patching the remote worker group.
```

**Prompt:** 
```
List any IOCs related to known phishing campaigns from this week.
```

**Response:** 
```
**IOC Report: Phishing Campaigns**

I found 14 relevant Indicators of Compromise:

*   **SHA256 Hashes:** 7 hashes (e.g., `a1b2c3d4...`) - *Action:* Detect
*   **Domains:** 4 domains (e.g., `bad-phishing.com`) - *Action:* Block
*   **IP Addresses:** 3 IPs (Command & Control) - *Action:* Detect

These IOCs are ready to be added or updated in the system.
```

## Capabilities

### Querying detection alerts
Retrieve detailed information on security detections, filtering by severity, technique, or hostname.

### Updating detection status
Change the status of a detected threat and add triage comments for record-keeping.

### Searching device inventory
Get full details on any endpoint, including OS information and sensor versions.

### Investigating security incidents
List and investigate active security incidents, filtering by date range or severity level.

### Managing threat indicators
Create new custom Indicators of Compromise (IOCs) like hashes or domains, or list existing ones.

### Reviewing vulnerability data
Query Falcon Spotlight vulnerability information across all managed endpoints using specific criteria such as CVE, severity, host, or remediation status.

### Containing network devices
Isolate a compromised device from the network or lift containment as needed.

## Use Cases

### Investigating a suspicious network connection
An agent queries the platform for all critical detections related to lateral movement. The response points to a specific device and provides enough detail that the analyst immediately uses contain_device to isolate it, stopping potential data exfiltration.

### Auditing endpoint compliance
An operations manager needs to know which devices are running outdated sensors. They query vulnerability data using list_vulnerabilities and get a clear count of endpoints needing urgent updates across the entire fleet.

### Threat hunting for specific malware families
A security engineer wants to check if any internal hosts have been targeted by known ransomware. They use list_iocs to pull in all relevant hashes and then query detections to see if the patterns match any active alerts.

## Benefits

- Faster Incident Triage: You can query detection alerts, like 'CobaltStrike Beacon' activity, instantly and see the full MITRE ATT&CK mapping without leaving your chat.
- Full Visibility on Devices: Use search_hosts to get immediate details on device inventory, including OS info and sensor versions, helping identify compliance gaps.
- Proactive Threat Blocking: Use create_ioc to add new Indicators of Compromise (IOCs), like specific hashes or domains, as soon as they are identified, hardening your defenses fast.
- Rapid Response Action: If a threat is found, you don't stop at detection. Use contain_device to immediately isolate the machine and prevent further damage.
- Structured Incident Review: list_incidents lets you query all active security events by date range or severity, keeping track of high-priority issues.

## How It Works

In short, it takes complex, multi-step console investigations and boils them down to a single conversation thread.

1. Connect your AI client to this MCP via Vinkius. You authenticate using your CrowdStrike Falcon tenant credentials.
2. Your agent accesses the available tools, allowing you to issue natural language commands like 'Show me all critical detections from last week.'
3. The MCP translates that request into specific platform calls, returns structured data, and presents actionable security summaries directly in your chat window.

## Frequently Asked Questions

**How does the CrowdStrike Falcon MCP help with day-to-day threat investigation?**
It turns complex, multi-step console investigations into a simple chat conversation. You can ask about an alert and get back not just the details, but also related device status, vulnerability information, and recommended actions like containment.

**Can I use the CrowdStrike Falcon MCP to manage my Indicators of Compromise?**
Yes. You can list existing IOCs to review what's active and create new ones—like known bad IP addresses or hashes—to immediately strengthen your defense posture.

**What if I need to check the overall compliance of my endpoints?**
You can use this MCP to search device inventory, giving you a clear view of all connected hosts. You can also query vulnerability data to pinpoint exactly which machines are running outdated or vulnerable software.

**Does connecting the CrowdStrike Falcon MCP mean I can stop threats?**
Absolutely. If an investigation shows a machine is compromised, you can use the contain_device tool through your agent to instantly isolate it from the network before the threat spreads.

**Is this useful for CISOs who need high-level summaries?**
Yes. You don't have to read every alert. The MCP allows you to query reports on security incidents or vulnerability data and get executive summaries that highlight the biggest risks immediately.