TL;DR: Connect CrowdStrike Falcon to Claude Code via falcon-mcp. Hunt threats, triage detections, and query NGSIEM from the terminal — no console tab-switching needed. Claude handles data gathering; the human owns judgment and authorization.
Claude x Falcon MCP
What falcon-mcp Does
falcon-mcp is an open-source MCP server from CrowdStrike. It connects AI agents directly to the CrowdStrike Falcon platform.
What this means for a security engineer:
No more tabbing between the Falcon console and your terminal. Check detections, search telemetry, or investigate a host from Claude Code without leaving the session.
No more ad-hoc API scripts. Instead of writing curl commands or Python SDK boilerplate for every Falcon API call, describe what you need in plain English and Claude executes it.
The server exposes tools covering detections, threat intelligence, NGSIEM queries, host management, real-time response, and vulnerability data.
Claude x Human Analyst
Here is the division of labor that makes sense:
Claude handles the initial triage, data gathering, IOC enrichment, pattern matching across telemetry sources, CQL query generation, and report drafting.
The human handles judgment calls: strategic decisions, nuanced threat validation, containment authorization, and tuning detection rules.
The analyst skips the "gathering data" phase and goes straight to "making decisions."
Prerequisites
Before starting, confirm these are in place:
A CrowdStrike Falcon tenant with API access
A Falcon API client with
FALCON_CLIENT_IDandFALCON_CLIENT_SECRETscoped to the modules you plan to useuvinstalled (for runningfalcon-mcpviauvx)
Step 1: Install falcon-mcp
The fastest path uses uvx with no explicit install required:
Command: Send below command to terminal
uvx falcon-mcpTo run the server with a subset of modules (keeps the exposed tool set smaller):
Command: Send below command to terminal
uvx falcon-mcp --helpStep 2: Connect falcon-mcp to Claude Code
Two options for credential management.
Option A: Environment variables in the command
Command: Send below command to terminal
claude mcp add --transport stdio falcon-mcp \
-e FALCON_CLIENT_ID=your_client_id \
-e FALCON_CLIENT_SECRET=your_client_secret \
-e FALCON_BASE_URL=https://api.crowdstrike.com \
-- uvx falcon-mcpReplace your_client_id and your_client_secret with the values from your Falcon API client. The FALCON_BASE_URL depends on your Falcon cloud. api.crowdstrike.com is the US-1 endpoint. For US-2 use api.us-2.crowdstrike.com, for EU use api.eu-1.crowdstrike.com.
Create a .env file:
FALCON_CLIENT_ID=your_client_id
FALCON_CLIENT_SECRET=your_client_secret
FALCON_BASE_URL=https://api.crowdstrike.comThen register the server:
Command: Send below command to terminal
claude mcp add --transport stdio falcon-mcp \
--env-file /path/to/.env \
-- uvx falcon-mcpThe server persists globally after this. Open a new Claude Code session and run:
List all available tools from falcon-mcpClaude should respond with the full tool list: falcon_check_connectivity, falcon_search_detections, falcon_search_ngsiem, and the rest.
Project context (CLAUDE.md)
Drop this into the project's CLAUDE.md so Claude knows how to use the connection:
## Falcon MCP Integration
- falcon-mcp is connected as an MCP server -- tools are available to query
CrowdStrike Falcon data
- For NGSIEM queries, write CQL (CrowdStrike Query Language) or ask Claude to
generate the CQL
- Prefer read-only tools for investigation; write tools (IOC create, quarantine
actions) require explicit user confirmationStep 3: Use falcon-mcp in Claude Code
Use Case 1: Detection Triage
A common pattern: open Claude code, check what happened overnight.
Prompt: Send below prompt to Claude Code
Search all CrowdStrike detections from the last 24 hours with severity 'high'.
Group them by hostname, summarize the behavior type for each, and tell me which
host has the most detections.Claude calls falcon_search_detections, processes the JSON response, groups by host, and returns a structured triage summary. Hostnames, detection counts, behavior descriptions, severity breakdowns - no Falcon console needed.
Expected output shape:
Host: CORP-WIN-042
Detections: 4
Top behavior: "Persistence via scheduled task creation"
Severities: 3x high, 1x critical
Host: CORP-WIN-107
Detections: 2
Top behavior: "Credential dumping via LSASS"
Severities: 2x critical
...Use Case 2: Threat Hunting with NGSIEM
Hunting for suspicious process execution patterns, classic attacker behavior.
Prompt: Send below prompt to Claude Code
Execute a CQL query against NGSIEM to find all events where powershell.exe was
spawned by winword.exe, excel.exe, or outlook.exe in the last 7 days. Show me
the parent process, command line, hostname, and timestamp.Claude generates the CQL (or uses one you provide), calls falcon_search_ngsiem, and returns matching events with process ancestry, command lines, and timestamps.
The CQL that gets generated looks something like:
#event_simpleName=ProcessRollup2
AND ImageFileName=*/powershell.exe
AND (ParentBaseFileName=winword.exe
OR ParentBaseFileName=excel.exe
OR ParentBaseFileName=outlook.exe)
| groupBy([ComputerName, CommandLine], function=count(aid))
| in(ComputerName, ComputerName, function=count(aid))This is the kind of query that normally requires the NGSIEM console, knowing the schema, and typing the CQL manually. With falcon-mcp, the query is one sentence away.
Use Case 3: IOC Enrichment and Impact Assessment
A new IOC drops, an IP address, domain, or hash. The question is always the same: has it touched anything in the environment?
Prompt: Send below prompt to Claude Code
Search for IOC matches against IP 213.155.151.149 across all hosts. Show me
which hosts communicated with this IP, the first and last seen timestamps, and
any associated detections.Claude hits the IOC search tools (and optionally NGSIEM), finds the IP across telemetry, correlates results with detections, and builds an impact assessment per host.
Result looks like:
Host: CORP-LNX-023
First seen: 2026-05-28 03:14 UTC
Last seen: 2026-05-28 03:52 UTC
Detections: 1 (C&C communication detected)
Host: CORP-MAC-011
First seen: 2026-05-28 04:01 UTC
Last seen: 2026-05-28 04:01 UTC
Detections: 0
...Use Case 4: Deep Dive on a Specific Detection
Prompt: Send below prompt to Claude Code
Get the full details on detection ID:det:abc123. Summarize the behavior chain,
affected files, registry keys, and network connections involved.Claude calls falcon_get_detection_details, then falcon_get_behavior_details for each behavior in the chain, and synthesizes a coherent summary of what happened, in what order, and what artifacts were touched.
Use Case 5: Threat Intel Correlation
Prompt: Send below prompt to Claude Code
Search CrowdStrike threat intel for any reports mentioning the threat actor
associated with this detection pattern. What campaign IDs, related IOCs, and
recommended mitigations exist?This pulls intelligence reports from the Intel module, cross-references IOCs, and returns the full threat context without leaving the terminal.
Use Case 6: Executive Summary
Prompt: Send below prompt to Claude Code
Create an executive summary of detection ID:det:abc123 including: what
happened, what data was accessed (if any), current containment status, and
recommended next steps. Format it for sharing with a non-technical manager.Claude takes the raw detection data, strips the jargon, and produces a concise summary that can go straight into an incident ticket or email.
Follow-Up Prompts
Prompt: Write a CQL query that surfaces all processes launched by Office applications (winword.exe, excel.exe, outlook.exe) in the last 7 days, grouped by host and parent process.
Prompt: Write a bash script that periodically checks CrowdStrike Falcon for new critical detections, outputs them to a log file, and opens a Claude Code session pre-loaded with the detection context.
Prompt: Using falcon-mcp tools, build an initial triage sequence for a compromised host: isolate via RTR, collect volatility data, search NGSIEM for lateral movement, and generate a containment report.
Tools Reference
Module categories and what they expose
Module | Description |
|---|---|
Core | Basic connectivity and system information |
Case lifecycle management, evidence attachment, tagging, and templates | |
Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, and suppression rules | |
Search, create, update, and manage NG-SIEM correlation rules | |
Create and manage Custom IOA behavioral detection rules and rule groups | |
Search Data Protection classifications, policies, and content patterns | |
Find and analyze detections to understand malicious activity | |
Search application inventory and discover unmanaged assets | |
Search and manage firewall rules and rule groups | |
Manage and query host/device information | |
Entity investigation and identity protection analysis | |
Research threat actors, IOCs, and intelligence reports | |
Search, create, and remove custom indicators of compromise | |
Execute CQL queries against Next-Gen SIEM | |
Search quarantine records, preview action counts, and release, unrelease, or delete quarantined files | |
Audit, summarize, and run read-only RTR triage workflows | |
Manage scheduled reports and download report files | |
Access and analyze sensor usage data | |
Search for vulnerabilities in serverless functions | |
SaaS security posture, checks, alerts, and app inventory | |
Manage and analyze vulnerability data and security assessments |
Each tool maps to a Falcon API endpoint. Required scopes for each module are documented in the falcon-mcp README.
Security Considerations
Credential management: Use environment variables or
.envfiles for API credentials. Never hardcode them in prompts or code. The.envapproach is better for shared environments. It keeps secrets out of shell history.Scope your API client: Create Falcon API clients with only the scopes needed. For investigation-only use cases, a read-only API client is the right call. The default is permissive; trimming scopes prevents accidental write operations.
Access levels by category: Tools fall into Read (low), Write (medium), and Destructive (high) categories. Claude Code requires user confirmation for write and destructive tool calls. Good practice is to keep API client scopes read-only unless write operations are explicitly needed.
Input injection: Malicious content in detection descriptions or SIEM results could influence subsequent AI actions. Validate any MCP gateway policies. The same way you wouldn't blindly trust a detection description in the console, don't blindly trust it when piped through an AI agent.
Preview status:
falcon-mcpis in public preview (pre-1.0). Features and APIs may change. Test thoroughly before depending on it in production. Pin the version.
Conclusion
falcon-mcp gives Claude Code native access to CrowdStrike Falcon's telemetry, detections, and host data. The usual interaction pattern is simple: get an alert, ask Claude about it, understand the incident. All in one conversation, without leaving the terminal.
Further Reading
CrowdStrike: falcon-mcp GitHub Repository - official server source, module reference, and scope documentation
MCP Protocol: Model Context Protocol Specification - protocol spec, SDKs, and server development guides
Claude Code: MCP Server Configuration — configuring and managing MCP servers in Claude Code
CQL: CrowdStrike Query Language Reference - NGSIEM query syntax and schema documentation
Ready to apply AI to your Security Engineering?
Subscribe to Secengai Newsletter for weekly actionable content on AI for security engineers.
This content reflects personal views, experiments, and use cases in AI and security engineering. It does not represent any employer's positions, policies, or practices.
