CrowdStrike Falcon MCP Policy

GET STARTED

Download this policy scaffold and add your rules. Intercept enforces them on every tool call before it reaches CrowdStrike Falcon.

terminal

# Download policy scaffold


curl -o crowdstrike.yaml https://raw.githubusercontent.com/policylayer/intercept/main/policies/crowdstrike.yaml

# Run with Intercept


intercept --policy crowdstrike.yaml -- npx -y @falcon-mcp

Server documentation: https://github.com/CrowdStrike/falcon-mcp

READ TOOLS

29

falcon_check_connectivity Check connectivity to the Falcon API

falcon_list_enabled_modules List enabled modules in the falcon-mcp server

falcon_list_modules List all available modules in the falcon-mcp server

falcon_search_kubernetes_containers Search for containers from Kubernetes inventory

falcon_count_kubernetes_containers Count containers by filter criteria

falcon_search_images_vulnerabilities Search for container image vulnerabilities

falcon_search_detections Find and analyse detections for malicious activity

falcon_get_detection_details Get comprehensive detection details by ID

falcon_search_applications Search for applications in your environment

falcon_search_unmanaged_assets Search for unmanaged assets without Falcon sensor

falcon_search_hosts Search for hosts in your CrowdStrike environment

falcon_get_host_details Retrieve detailed information for host device IDs

falcon_show_crowd_score View CrowdScores and security posture metrics

falcon_search_incidents Find and analyse security incidents

falcon_get_incident_details Get comprehensive incident details

falcon_search_behaviors Find and analyse suspicious behaviours

falcon_get_behavior_details Get detailed behaviour information

search_ngsiem Execute a CQL query against Next-Gen SIEM

falcon_search_actors Research threat actors tracked by CrowdStrike

falcon_search_indicators Search for threat indicators and IOCs

falcon_search_reports Access intelligence publications and threat reports

falcon_get_mitre_report Generate MITRE ATT&CK reports for threat actors

falcon_search_iocs Search custom IOCs using FQL

falcon_search_sensor_usage Search for weekly sensor usage data

falcon_search_scheduled_reports Search for scheduled reports

falcon_search_report_executions Search for report executions

falcon_download_report_execution Download generated report files

falcon_search_serverless_vulnerabilities Search for serverless function vulnerabilities

falcon_search_vulnerabilities Search for vulnerabilities in your environment

WRITE TOOLS

1

falcon_add_ioc Create one or multiple IOCs

DESTRUCTIVE TOOLS

1

falcon_remove_iocs Remove IOCs by IDs or FQL filter

EXECUTE TOOLS

1

falcon_launch_scheduled_report Launch a scheduled report on demand

OTHER TOOLS

1

idp_investigate_entity Investigate entities for identity protection analysis

POLICY YAML

This scaffold lists every tool with empty rules. Add conditions — rate limits, argument validation, deny rules — then deploy with Intercept.

crowdstrike.yaml

version: "1"
description: "Policy for falcon-mcp"
default: "allow"
tools:
    falcon_check_connectivity:
        rules: []
    falcon_list_enabled_modules:
        rules: []
    falcon_list_modules:
        rules: []
    falcon_search_kubernetes_containers:
        rules: []
    falcon_count_kubernetes_containers:
        rules: []
    falcon_search_images_vulnerabilities:
        rules: []
    falcon_search_detections:
        rules: []
    falcon_get_detection_details:
        rules: []
    falcon_search_applications:
        rules: []
    falcon_search_unmanaged_assets:
        rules: []
    falcon_search_hosts:
        rules: []
    falcon_get_host_details:
        rules: []
    falcon_show_crowd_score:
        rules: []
    falcon_search_incidents:
        rules: []
    falcon_get_incident_details:
        rules: []
    falcon_search_behaviors:
        rules: []
    falcon_get_behavior_details:
        rules: []
    search_ngsiem:
        rules: []
    falcon_search_actors:
        rules: []
    falcon_search_indicators:
        rules: []
    falcon_search_reports:
        rules: []
    falcon_get_mitre_report:
        rules: []
    falcon_search_iocs:
        rules: []
    falcon_search_sensor_usage:
        rules: []
    falcon_search_scheduled_reports:
        rules: []
    falcon_search_report_executions:
        rules: []
    falcon_download_report_execution:
        rules: []
    falcon_search_serverless_vulnerabilities:
        rules: []
    falcon_search_vulnerabilities:
        rules: []
    falcon_add_ioc:
        rules: []
    falcon_remove_iocs:
        rules: []
    falcon_launch_scheduled_report:
        rules: []
    idp_investigate_entity:
        rules: []

RELATED POLICIES

Auth0 21 tools

security

HashiCorp Vault 20 tools

security

Semgrep 8 tools

security

FREQUENTLY ASKED QUESTIONS

What tools does the CrowdStrike Falcon MCP server expose?

The CrowdStrike Falcon MCP Server exposes 33 tools across 5 categories: Read, Write, Destructive, Execute, Other. Each tool can be individually controlled with Intercept policies.

How do I enforce policies on CrowdStrike Falcon?

Download the policy scaffold, add rules (rate limits, argument validation, deny rules), then run Intercept as a proxy in front of the CrowdStrike Falcon MCP server. Every tool call is evaluated against your YAML policy before execution.

Is the CrowdStrike Falcon policy free to use?

Yes. All Intercept policies are open source under the Apache 2.0 licence. Download, modify, and deploy without restrictions.

ENFORCE POLICIES ON CROWDSTRIKE FALCON

Open source. One binary. Zero dependencies.

VIEW ON GITHUB Browse all policies →

GET STARTED

READ TOOLS

WRITE TOOLS

DESTRUCTIVE TOOLS

EXECUTE TOOLS

OTHER TOOLS

POLICY YAML

RELATED POLICIES

FREQUENTLY ASKED QUESTIONS

What tools does the CrowdStrike Falcon MCP server expose?

How do I enforce policies on CrowdStrike Falcon?

Is the CrowdStrike Falcon policy free to use?

ENFORCE POLICIES ON CROWDSTRIKE FALCON

GET IN TOUCH