CrowdStrike Falcon

CrowdStrike Falcon MCP Connector for Claude

A+

Detect threats, manage endpoints, investigate incidents, and query telemetry from CrowdStrike Falcon — the #1 endpoint detection and response platform.

8 tools · Official · Updated Jun 28, 2026 · Vinkius Partner

Connect your CrowdStrike Falcon tenant to any AI agent and operate security at machine speed through natural conversation.

What you can do

  • Detections — Query, triage, and update detection alerts across your fleet
  • Hosts — Search and inspect endpoint details, OS info, and sensor versions
  • Incidents — List, investigate, and manage security incidents
  • IOCs — Create, list, and manage Indicators of Compromise
  • Containment — Network-contain a compromised endpoint, or lift containment, via contain_device
  • Vulnerabilities — Spotlight vulnerability data across managed endpoints

Who is this for?

  • SOC Analysts — triage detections and incidents 10x faster through chat
  • Security Engineers — automate IOC management and threat hunting
  • CISOs — get real-time fleet health and threat posture summaries
  • IT Operations — monitor endpoint compliance and sensor coverage
Tags: endpoint-protection, threat-intelligence, edr, xdr, incident-response, cybersecurity

8 tools expose this connector's capabilities to your AI agent.

list_detections

Query detection alerts. Use FQL filter syntax for precision: severity, technique, hostname, etc. Returns detection details with MITRE ATT&CK mapping.

update_detection

Update detection status. Optionally add a triage comment.

search_hosts

Search endpoints. Returns full device inventory details.

list_incidents

Query security incidents. Filter by state, severity, assigned_to, or date range using FQL syntax.

list_iocs

List custom IOCs. Includes type, value, action, and metadata.

create_ioc

Create a custom IOC indicator. Types: sha256, md5, domain, ipv4, ipv6. Actions: default

list_vulnerabilities

Query Spotlight vulnerabilities. Filter by CVE, severity, host, or remediation status.

contain_device

Contain or lift containment on a device. Actions: default. Network containment cuts the host off from everything except the Falcon cloud, so treat this as a destructive action and confirm the target host before the agent calls it.

See how to talk to your AI agent using CrowdStrike Falcon.

Show me all critical detections from the last 24 hours.

Found 3 critical detections in the last 24h: 1. 'CobaltStrike Beacon' on WIN-SERVER-05 (Critical, T1059.001 PowerShell). 2. 'Credential Dumping - LSASS' on DC-PROD-01 (Critical, T1003.001). 3. 'Lateral Movement - PsExec' on WS-FIN-12 (Critical, T1021.002). Recommend immediate containment of DC-PROD-01.

How many endpoints are running outdated sensors?

Fleet Health: 2,847 total endpoints. 2,691 (94.5%) on latest sensor v7.18. 127 (4.5%) on v7.16 (1 version behind). 29 (1.0%) on v7.14 or older - URGENT update needed. Top affected: Finance dept (12), Remote workers (9), Lab servers (8).

List all IOCs related to ransomware campaigns added this month.

18 ransomware IOCs added this month: 8 SHA256 hashes (LockBit 3.0 variants), 5 domains (C2 infrastructure), 3 IPs (data exfiltration endpoints), 2 mutex names. Sources: CrowdStrike Intelligence (12), Custom (6). All set to 'Detect' action.

CrowdStrike uses OAuth 2.0 Client Credentials. You create an API Client in the Falcon Console under Support > API Clients and Keys, granting it only the scopes the tools you enable need (read scopes for the list and search tools; write scopes for update_detection, create_ioc and contain_device). The server obtains a Bearer token with your Client ID and Secret and caches it; Falcon tokens are short-lived (about 30 minutes), so the server refreshes them automatically. The Client Secret should stay with the server and never be placed in the agent's prompt or tool output.
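The two mechanics described above, the client-credentials token cache and the FQL filters the list tools accept, as an added example. This is illustration code written for this page, not the connector's own implementation and not a CrowdStrike SDK. It assumes the public Falcon OAuth2 token endpoint and its access_token/expires_in response; the detections query path, the filterable field names and the allow-lists are assumptions for the example. The HTTP transport is injected so the code runs offline against a fake.

```python
"""Added example (not the connector's or CrowdStrike's code).

1. FalconTokenCache: POST client_id/client_secret as form fields to the Falcon
   OAuth2 endpoint and reuse the bearer until shortly before it expires.
2. build_fql: assemble an FQL filter from (field, op, value) terms with
   allow-listed fields and operators, rejecting quote characters, so text an
   AI agent lifts from a conversation can only ever be a literal and can
   never add filter clauses of its own.
"""
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

TOKEN_URL = "https://api.crowdstrike.com/oauth2/token"  # Falcon OAuth2 endpoint
# Assumed for the example: the detections query endpoint the connector would call.
DETECTS_QUERY_URL = "https://api.crowdstrike.com/detects/queries/detects/v1"

# A transport takes (url, form_fields) and returns the parsed JSON body.
Transport = Callable[[str, Dict[str, str]], Dict[str, object]]


class FalconTokenCache:
    """Client-credentials token cache with early refresh.

    The token is refreshed `skew` seconds before its expiry so a request never
    leaves with a token that expires while in flight.
    """

    def __init__(self, client_id: str, client_secret: str, transport: Transport,
                 skew: int = 60, clock: Callable[[], float] = time.time) -> None:
        self._client_id = client_id
        self._client_secret = client_secret  # stays server-side, never in tool output
        self._transport = transport
        self._skew = skew
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetches = 0  # number of round trips to the token endpoint

    def bearer(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._transport(TOKEN_URL, {
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            })
            self._token = str(body["access_token"])
            self._expires_at = self._clock() + int(body["expires_in"])  # type: ignore[arg-type]
            self.fetches += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.bearer()}"}


# Assumed allow-list of detection fields this tool lets the agent filter on.
FQL_FIELDS = {"status", "max_severity_displayname", "device.hostname",
              "created_timestamp"}
# FQL comparison prefixes that follow the ':' (plain '=' means equality).
FQL_OPS = {"=", "!", ">", ">=", "<", "<="}

Term = Tuple[str, str, str]  # (field, op, value)


def fql_literal(value: str) -> str:
    """Quote a value for FQL. Values containing quote characters are rejected
    rather than escaped, so a literal can never terminate the quoted string."""
    if "'" in value or '"' in value:
        raise ValueError(f"unsafe FQL literal: {value!r}")
    return f"'{value}'"


def build_fql(terms: Iterable[Term]) -> str:
    """AND-join terms into an FQL filter, e.g. status:'new'+created_timestamp:>'...'."""
    parts = []
    for field, op, value in terms:
        if field not in FQL_FIELDS:
            raise ValueError(f"field not allowed: {field}")
        if op not in FQL_OPS:
            raise ValueError(f"operator not allowed: {op}")
        prefix = "" if op == "=" else op
        parts.append(f"{field}:{prefix}{fql_literal(value)}")
    return "+".join(parts)


def detections_request(cache: FalconTokenCache, terms: Iterable[Term],
                       limit: int = 100) -> Dict[str, object]:
    """Assemble the GET request a list_detections call would issue."""
    return {"url": DETECTS_QUERY_URL, "headers": cache.auth_header(),
            "params": {"filter": build_fql(terms), "limit": limit}}


if __name__ == "__main__":
    # Constructed fake transport standing in for the Falcon token endpoint.
    def fake_transport(url: str, form: Dict[str, str]) -> Dict[str, object]:
        return {"access_token": "demo-token", "expires_in": 1799, "token_type": "bearer"}

    cache = FalconTokenCache("client-id", "client-secret", fake_transport)
    req = detections_request(cache, [("max_severity_displayname", "=", "Critical"),
                                     ("created_timestamp", ">", "2026-06-27T00:00:00Z")])
    print(req["params"]["filter"])
```

The allow-list approach is deliberate: FQL values arrive from an LLM that may have copied them out of an attacker-controlled hostname or comment, so the builder refuses anything that could alter the query rather than trying to escape it.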

Related Connectors