Initial Checks
Bug Description
The entire Incidents module is returning 404s against a current Falcon tenant (us-1). Tested falcon_search_incidents, falcon_search_behaviors, and falcon_show_crowd_score - all return:
{"errors":[{"message":"No content was received for this request."}],"resources":[]}
No filter, no parameters, just straight 404. API key has Incidents:read confirmed.
Pretty sure this is because CrowdStrike moved from Incidents to Cases in the portal recently. The underlying /incidents/ endpoints appear to be gone (or no longer returning data), and the replacement (?) is the Case Management API at /casemgmt/.
Relevant FalconPy docs for the new API: https://falconpy.io/Service-Collections/Case-Management.html
The new API uses different scopes (case-templates:read/case-templates:write) and has a different data model - cases have alert evidence, event evidence, SLAs, templates, etc. So this isn't a simple endpoint swap.
What's broken:
- falcon_search_incidents - 404
- falcon_get_incident_details - presumably also 404 (didn't test)
- falcon_search_behaviors - 404
- falcon_show_crowd_score - previously reported as deprecated
Environment:
- falcon-mcp v0.6.0 (Docker image)
- Falcon tenant: us-1
- Transport: streamable-http
Wanted to flag this early since it affects anyone trying to use the incidents module. Happy to help test if you need someone to validate against a live tenant.
Steps to Reproduce
Set up falcon-mcp in a Docker container
Configure the MCP server in Claude Code
Test connectivity and tool availability — both pass
Run queries:
- falcon_search_detections — works
- falcon_search_hosts — works
- falcon_search_incidents (no filter, limit 1) — 404
- falcon_search_incidents (with FQL filter) — 404
- falcon_search_behaviors (no filter, limit 1) — 404
Installation Method
pip install falcon-mcp
Environment Details
Python Version: 3.13.12 (inside container) | python 3.14.2 on host
OS: macOS 15.4 (host), Docker container (quay.io/crowdstrike/falcon-mcp:latest)
MCP Client: Claude Code & Claude Desktop
Enabled modules: detections, incidents, hosts (and others — all tested)
Falcon API region: us-1
Error Logs (Optional)
Additional Context (Optional)
No response
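To tell whether the 404s described in this report come from the Falcon API or from falcon-mcp, the same three operations can be called through FalconPy directly. This is an added example, not part of the original report or the falcon-mcp code base; the mapping from tool names to FalconPy `Incidents` methods and the `FALCON_CLIENT_ID`/`FALCON_CLIENT_SECRET` variable names are assumptions, and without credentials it replays the response quoted in the report.

```python
import os

# Assumed mapping: falcon-mcp tool name -> FalconPy Incidents method and arguments.
PROBES = {
    "falcon_search_incidents": ("query_incidents", {"limit": 1}),
    "falcon_search_behaviors": ("query_behaviors", {"limit": 1}),
    "falcon_show_crowd_score": ("crowdscore", {}),
}

# Constructed sample: the body quoted in the report, wrapped the way FalconPy
# returns results (a dict with status_code and body).
REPORTED_404 = {"status_code": 404, "body": {
    "errors": [{"message": "No content was received for this request."}],
    "resources": []}}

class Replay:
    """Offline stand-in that answers every operation with REPORTED_404."""
    def __getattr__(self, name):
        return lambda **kwargs: REPORTED_404

def classify(response):
    """Separate the reported 404 from auth failures and from empty results."""
    status = response.get("status_code")
    resources = (response.get("body") or {}).get("resources") or []
    if status == 200:
        return "ok" if resources else "ok-empty"
    if status == 404 and not resources:
        return "not-found"
    if status in (401, 403):
        return "auth"  # credentials or scope problem, not a missing endpoint
    return "other"

def probe(client):
    """Call each operation once; return {tool: (http_status, verdict)}."""
    results = {}
    for tool, (method, kwargs) in PROBES.items():
        response = getattr(client, method)(**kwargs)
        results[tool] = (response.get("status_code"), classify(response))
    return results

def api_side(results):
    """True when every probe 404s with falcon-mcp out of the path."""
    return all(verdict == "not-found" for _, verdict in results.values())

if __name__ == "__main__":
    if "FALCON_CLIENT_ID" in os.environ:
        from falconpy import Incidents  # pip install crowdstrike-falconpy
        client = Incidents(client_id=os.environ["FALCON_CLIENT_ID"],
                           client_secret=os.environ["FALCON_CLIENT_SECRET"])
    else:
        client = Replay()
    results = probe(client)
    print(results, "API-side 404" if api_side(results) else "not reproduced at the API")
```

If all three verdicts are `not-found` here as well, the failure is upstream of falcon-mcp; an `auth` verdict points at the API key instead.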