Authenticate via the CrowdStrike OAuth2 client-credentials flow by POSTing client_id and client_secret to https://api.crowdstrike.com/oauth2/token (adjust base URL for your cloud region, e.g., api.us-2.crowdstrike.com for US-2) and cache the returned access_token.
Query threat intelligence indicators with GET https://api.crowdstrike.com/intel/combined/indicators/v1, passing an FQL (Falcon Query Language) expression over fields such as type, malicious_confidence, last_updated and malware_families in the filter query parameter.
Page through results using the offset and limit parameters; increment offset by limit on each call until offset reaches the response's meta.pagination.total.
Parse each indicator object for its indicator value, its type (hash_md5, hash_sha256, ip_address_v4, domain, url), its malicious_confidence (high, medium, low), and its targets, threat_types, and kill_chains fields.
Push confirmed high-confidence indicators to your SIEM or SOAR as enrichment context; store the CrowdStrike indicator ID and last_updated timestamp to enable incremental syncs on subsequent runs.
Known gotchas
CrowdStrike Intelligence API access requires a Falcon Intelligence subscription tier; the endpoint returns HTTP 403 if the OAuth client credentials do not have the appropriate scope (intel-indicators:read).
FQL filter syntax is CrowdStrike-specific and case-sensitive; malformed FQL returns HTTP 400 — test filters in the Falcon console API Explorer before deploying in code.
Access tokens expire in 30 minutes; build automatic token refresh into your client rather than requesting a new token per call, to avoid hitting the token-generation rate limit.
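As an added example (not code from this page or from CrowdStrike), the five steps above and the token-refresh gotcha wired into one Python sync routine: the HTTP transport is injectable, so a constructed fake stands in for the live token and indicator endpoints and the whole thing runs offline. The names FalconIntelClient, run_sync, the placeholder credentials and the sample indicator values are assumptions; the FQL expression follows the filter syntax described above.

```python
import time
class FalconIntelClient:  # OAuth2 client-credentials auth, cached token, offset/limit paging
    def __init__(self, base_url, client_id, client_secret, post, get):
        self.base, self.cid, self.secret = base_url.rstrip("/"), client_id, client_secret
        self._post, self._get, self._token, self._expires_at = post, get, "", 0.0  # injectable transport, e.g. requests.post/get

    def token(self):
        # Reuse the cached token until 60 s before expiry; refresh once, not per call.
        if self._token and time.time() < self._expires_at - 60:
            return self._token
        resp = self._post(f"{self.base}/oauth2/token", data={"client_id": self.cid, "client_secret": self.secret})
        self._token = resp["access_token"]
        self._expires_at = time.time() + float(resp.get("expires_in", 1799))  # ~30 minutes
        return self._token

    def indicators(self, fql, limit=100):
        offset = 0  # page with offset/limit until offset reaches meta.pagination.total
        while True:
            resp = self._get(f"{self.base}/intel/combined/indicators/v1",
                             params={"filter": fql, "offset": offset, "limit": limit},
                             headers={"Authorization": f"Bearer {self.token()}"})
            yield from resp.get("resources", [])
            offset += limit
            if offset >= resp["meta"]["pagination"]["total"]:
                return

def select_for_siem(indicators):  # high-confidence only, trimmed to the fields the SIEM needs
    keep = ("id", "indicator", "type", "malicious_confidence", "targets", "threat_types", "kill_chains", "last_updated")
    return [{k: i.get(k) for k in keep} for i in indicators if i.get("malicious_confidence") == "high"]

def _ind(id_, value, type_, conf, ts):  # constructed sample indicator (hypothetical values, not real data)
    return {"id": id_, "indicator": value, "type": type_, "malicious_confidence": conf, "last_updated": ts,
            "targets": ["Financial"], "threat_types": ["Criminal"], "kill_chains": ["Installation"]}
PAGES = [{"meta": {"pagination": {"offset": 0, "limit": 2, "total": 3}},
          "resources": [_ind("hash_sha256_1", "a" * 64, "hash_sha256", "high", 1700000100),
                        _ind("domain_1", "bad.example", "domain", "low", 1700000050)]},
         {"meta": {"pagination": {"offset": 2, "limit": 2, "total": 3}},
          "resources": [_ind("ip_address_v4_1", "203.0.113.7", "ip_address_v4", "high", 1700000200)]}]
TOKEN_REQUESTS = []
def fake_post(url, data=None, **_):  # stands in for the live token endpoint; records each request
    TOKEN_REQUESTS.append(url)
    return {"access_token": "constructed-token", "expires_in": 1799, "token_type": "bearer"}
def fake_get(url, params=None, headers=None, **_):  # stands in for the live indicators endpoint
    assert headers["Authorization"] == "Bearer constructed-token"  # every page carries the cached token
    return PAGES[params["offset"] // params["limit"]]

def run_sync(previous_cursor=0):
    client = FalconIntelClient("https://api.crowdstrike.com", "<client_id>", "<client_secret>", fake_post, fake_get)
    rows = select_for_siem(client.indicators(f"last_updated:>{previous_cursor}", limit=2))
    cursor = max([previous_cursor] + [int(r["last_updated"]) for r in rows])  # stored for the next incremental run
    return rows, cursor, len(TOKEN_REQUESTS)
```

Swapping fake_post/fake_get for requests.post/requests.get turns this into a live client; a 403 on the first page means the OAuth client lacks the intel scope, and a 400 means the FQL string is malformed.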