crowdstrike-mcp 4.0.0__tar.gz

crowdstrike_mcp-4.0.0/.claude/permissions-full.json

@@ -0,0 +1,14 @@
+{
+  "_comment": "Full access: all tools auto-allowed. Containment and rule changes always prompt. Requires --allow-writes on the server.",
+  "permissions": {
+    "allow": [
+      "mcp__crowdstrike__*"
+    ],
+    "ask": [
+      "mcp__crowdstrike__host_contain",
+      "mcp__crowdstrike__host_lift_containment",
+      "mcp__crowdstrike__correlation_update_rule",
+      "mcp__crowdstrike__correlation_import_to_iac"
+    ]
+  }
+}

crowdstrike_mcp-4.0.0/.claude/permissions-minimal.json

@@ -0,0 +1,23 @@
+{
+  "_comment": "Minimal: query-only analyst. Only NGSIEM queries and host lookups auto-allowed.",
+  "permissions": {
+    "allow": [
+      "mcp__crowdstrike__ngsiem_query",
+      "mcp__crowdstrike__host_lookup"
+    ],
+    "ask": [
+      "mcp__crowdstrike__update_alert_status",
+      "mcp__crowdstrike__correlation_update_rule",
+      "mcp__crowdstrike__correlation_import_to_iac",
+      "mcp__crowdstrike__host_contain",
+      "mcp__crowdstrike__host_lift_containment",
+      "mcp__crowdstrike__case_create",
+      "mcp__crowdstrike__case_update",
+      "mcp__crowdstrike__case_add_alert_evidence",
+      "mcp__crowdstrike__case_add_event_evidence",
+      "mcp__crowdstrike__case_add_tags",
+      "mcp__crowdstrike__case_delete_tags",
+      "mcp__crowdstrike__case_upload_file"
+    ]
+  }
+}

crowdstrike_mcp-4.0.0/.claude/permissions-readonly.json

@@ -0,0 +1,40 @@
+{
+  "_comment": "Read-only (default): all read tools auto-allowed, write tools always prompt.",
+  "permissions": {
+    "allow": [
+      "mcp__crowdstrike__get_alerts",
+      "mcp__crowdstrike__alert_analysis",
+      "mcp__crowdstrike__ngsiem_alert_analysis",
+      "mcp__crowdstrike__ngsiem_query",
+      "mcp__crowdstrike__host_lookup",
+      "mcp__crowdstrike__host_login_history",
+      "mcp__crowdstrike__host_network_history",
+      "mcp__crowdstrike__correlation_list_rules",
+      "mcp__crowdstrike__correlation_get_rule",
+      "mcp__crowdstrike__correlation_export_rule",
+      "mcp__crowdstrike__case_query",
+      "mcp__crowdstrike__case_get",
+      "mcp__crowdstrike__case_get_fields",
+      "mcp__crowdstrike__cloud_list_accounts",
+      "mcp__crowdstrike__cloud_policy_settings",
+      "mcp__crowdstrike__cloud_get_risks",
+      "mcp__crowdstrike__cloud_get_iom_detections",
+      "mcp__crowdstrike__cloud_query_assets",
+      "mcp__crowdstrike__cloud_compliance_by_account"
+    ],
+    "ask": [
+      "mcp__crowdstrike__update_alert_status",
+      "mcp__crowdstrike__correlation_update_rule",
+      "mcp__crowdstrike__correlation_import_to_iac",
+      "mcp__crowdstrike__host_contain",
+      "mcp__crowdstrike__host_lift_containment",
+      "mcp__crowdstrike__case_create",
+      "mcp__crowdstrike__case_update",
+      "mcp__crowdstrike__case_add_alert_evidence",
+      "mcp__crowdstrike__case_add_event_evidence",
+      "mcp__crowdstrike__case_add_tags",
+      "mcp__crowdstrike__case_delete_tags",
+      "mcp__crowdstrike__case_upload_file"
+    ]
+  }
+}

crowdstrike_mcp-4.0.0/.claude/permissions-standard.json

@@ -0,0 +1,48 @@
+{
+  "_comment": "Standard SOC analyst: read tools auto-allowed, alert triage auto-allowed, containment and rule changes prompt.",
+  "permissions": {
+    "allow": [
+      "mcp__crowdstrike__get_alerts",
+      "mcp__crowdstrike__alert_analysis",
+      "mcp__crowdstrike__ngsiem_alert_analysis",
+      "mcp__crowdstrike__ngsiem_query",
+      "mcp__crowdstrike__host_lookup",
+      "mcp__crowdstrike__host_login_history",
+      "mcp__crowdstrike__host_network_history",
+      "mcp__crowdstrike__correlation_list_rules",
+      "mcp__crowdstrike__correlation_get_rule",
+      "mcp__crowdstrike__correlation_export_rule",
+      "mcp__crowdstrike__case_query",
+      "mcp__crowdstrike__case_get",
+      "mcp__crowdstrike__case_get_fields",
+      "mcp__crowdstrike__cloud_list_accounts",
+      "mcp__crowdstrike__cloud_policy_settings",
+      "mcp__crowdstrike__cloud_get_risks",
+      "mcp__crowdstrike__cloud_get_iom_detections",
+      "mcp__crowdstrike__cloud_query_assets",
+      "mcp__crowdstrike__cloud_compliance_by_account",
+      "mcp__crowdstrike__case_query_access_tags",
+      "mcp__crowdstrike__case_get_access_tags",
+      "mcp__crowdstrike__case_aggregate_access_tags",
+      "mcp__crowdstrike__case_get_rtr_file_metadata",
+      "mcp__crowdstrike__case_get_rtr_recent_files",
+      "mcp__crowdstrike__correlation_list_templates",
+      "mcp__crowdstrike__correlation_get_template",
+      "mcp__crowdstrike__spotlight_supported_evaluations",
+      "mcp__crowdstrike__update_alert_status",
+      "mcp__crowdstrike__case_create",
+      "mcp__crowdstrike__case_update",
+      "mcp__crowdstrike__case_add_alert_evidence",
+      "mcp__crowdstrike__case_add_event_evidence",
+      "mcp__crowdstrike__case_add_tags",
+      "mcp__crowdstrike__case_delete_tags",
+      "mcp__crowdstrike__case_upload_file"
+    ],
+    "ask": [
+      "mcp__crowdstrike__host_contain",
+      "mcp__crowdstrike__host_lift_containment",
+      "mcp__crowdstrike__correlation_update_rule",
+      "mcp__crowdstrike__correlation_import_to_iac"
+    ]
+  }
+}

crowdstrike_mcp-4.0.0/.claude/settings.json

@@ -0,0 +1,40 @@
+{
+  "_comment": "Read-only (default): all read tools auto-allowed, write tools always prompt.",
+  "permissions": {
+    "allow": [
+      "mcp__crowdstrike__get_alerts",
+      "mcp__crowdstrike__alert_analysis",
+      "mcp__crowdstrike__ngsiem_alert_analysis",
+      "mcp__crowdstrike__ngsiem_query",
+      "mcp__crowdstrike__host_lookup",
+      "mcp__crowdstrike__host_login_history",
+      "mcp__crowdstrike__host_network_history",
+      "mcp__crowdstrike__correlation_list_rules",
+      "mcp__crowdstrike__correlation_get_rule",
+      "mcp__crowdstrike__correlation_export_rule",
+      "mcp__crowdstrike__case_query",
+      "mcp__crowdstrike__case_get",
+      "mcp__crowdstrike__case_get_fields",
+      "mcp__crowdstrike__cloud_list_accounts",
+      "mcp__crowdstrike__cloud_policy_settings",
+      "mcp__crowdstrike__cloud_get_risks",
+      "mcp__crowdstrike__cloud_get_iom_detections",
+      "mcp__crowdstrike__cloud_query_assets",
+      "mcp__crowdstrike__cloud_compliance_by_account"
+    ],
+    "ask": [
+      "mcp__crowdstrike__update_alert_status",
+      "mcp__crowdstrike__correlation_update_rule",
+      "mcp__crowdstrike__correlation_import_to_iac",
+      "mcp__crowdstrike__host_contain",
+      "mcp__crowdstrike__host_lift_containment",
+      "mcp__crowdstrike__case_create",
+      "mcp__crowdstrike__case_update",
+      "mcp__crowdstrike__case_add_alert_evidence",
+      "mcp__crowdstrike__case_add_event_evidence",
+      "mcp__crowdstrike__case_add_tags",
+      "mcp__crowdstrike__case_delete_tags",
+      "mcp__crowdstrike__case_upload_file"
+    ]
+  }
+}

crowdstrike_mcp-4.0.0/.dockerignore

@@ -0,0 +1,10 @@
+.venv/
+.git/
+__pycache__/
+*.pyc
+tests/
+docs/
+.github/
+.claude/
+.ruff_cache/
+*.egg-info/

crowdstrike_mcp-4.0.0/.github/dependabot.yml

@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+      

crowdstrike_mcp-4.0.0/.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: pip install -e .[dev]
+      - name: Check linting
+        run: ruff check src/ tests/ --exclude src/crowdstrike_mcp/_version.py
+      - name: Check formatting
+        run: ruff format --check src/ tests/ --exclude src/crowdstrike_mcp/_version.py
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: pip install -e .[dev]
+      - name: Run tests
+        run: pytest tests/ -v --tb=short
+
+  smoke:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: pip install -e .[dev]
+      - name: Smoke test — tool registration
+        run: pytest tests/test_smoke_tools_list.py -v --tb=short

crowdstrike_mcp-4.0.0/.github/workflows/release.yml

@@ -0,0 +1,116 @@
+name: Release
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: pip install -e .[dev]
+      - name: Check linting
+        run: ruff check src/ tests/ --exclude src/crowdstrike_mcp/_version.py
+      - name: Check formatting
+        run: ruff format --check src/ tests/ --exclude src/crowdstrike_mcp/_version.py
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: pip install -e .[dev]
+      - name: Run tests
+        run: pytest tests/ -v --tb=short
+
+  build:
+    needs: [lint, test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # hatch-vcs needs full history for version
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install build tools
+        run: pip install build
+      - name: Build sdist and wheel
+        run: python -m build
+      - name: Verify package version matches tag
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          PKG_VERSION=$(python -c "
+          import pathlib
+          whl = next(pathlib.Path('dist').glob('*.whl'))
+          print(whl.name.split('-')[1])
+          ")
+          if [ "$PKG_VERSION" != "$TAG_VERSION" ]; then
+            echo "::error::Version mismatch: built package is '$PKG_VERSION' but tag is 'v$TAG_VERSION'"
+            exit 1
+          fi
+          echo "Version verified: $TAG_VERSION"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish-pypi:
+    needs: [build]
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write  # OIDC for trusted publishing
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1
+
+  release:
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract version from tag
+        id: version
+        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ steps.version.outputs.version }}
+            ghcr.io/${{ github.repository }}:latest
+
+      - name: Create GitHub Release
+        run: gh release create "$GITHUB_REF_NAME" --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

crowdstrike_mcp-4.0.0/.gitignore

@@ -0,0 +1,27 @@
+# Virtual environment
+.venv/
+venv/
+
+# Python
+__pycache__/
+*.pyc
+*.pyo
+
+# Secrets
+.env
+.env.*
+credentials.json
+
+# IDE
+.vscode/
+.idea/
+
+# OS
+.DS_Store
+
+# Debug/diagnostic utilities
+mcp-debug/
+
+# hatch-vcs generated version file
+src/crowdstrike_mcp/_version.py
+dist/

crowdstrike_mcp-4.0.0/Dockerfile

@@ -0,0 +1,8 @@
+FROM python:3.12-slim
+WORKDIR /app
+COPY . .
+RUN pip install --no-cache-dir .
+RUN useradd -r -s /bin/false mcp
+USER mcp
+EXPOSE 8000
+ENTRYPOINT ["crowdstrike-mcp", "--transport", "streamable-http", "--host", "0.0.0.0"]