Falcosidekick UI MCP Server

Enables querying and analyzing Falco security events from Falcosidekick UI through MCP tools. Supports filtering events by time windows and retrieving full event details for security monitoring and incident investigation.

This folder contains a lightweight Model Context Protocol (MCP) server that exposes the Falcosidekick UI /api/v1/events/search endpoint as a tool. The server authenticates to Falcosidekick UI with HTTP Basic Auth (default admin:admin) and runs in streamable HTTP mode, so MCP clients connect to it over plain HTTP.

Layout

  • falco_mcp_server.py – FastMCP implementation exposing Falco events over Falcosidekick UI API via two tools
  • requirements.txt – Python dependencies (mcp, httpx, boto3)
  • Dockerfile – Container image that launches the server on port 8080
  • k8s/ – Deployment and Service manifests to run the server in Kubernetes

Environment variables

| Variable | Default | Description |
|---|---|---|
| FALCO_BASE_URL | http://localhost:8080 | Falcosidekick UI base URL |
| FALCO_EVENTS_PATH | /api/v1/events/search | Override the events endpoint path if needed |
| FALCO_USERNAME / FALCO_PASSWORD | admin / admin | Basic Auth credentials |
| FALCO_HTTP_TIMEOUT | 15 | HTTP timeout in seconds |
| PORT | 8080 | MCP HTTP listener port |
| MCP_HTTP_PATH | /mcp | Streamable HTTP mount path |
| MCP_TRANSPORT | streamable-http | Set to stdio if your MCP client expects stdio transport |
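
A pre-deployment check over the variables above, as an added example that is not part of this project's code. The function name, the finding texts and the hardened hostname and credentials are hypothetical; the defaults are the ones listed in the table.

```python
import os
from urllib.parse import urlsplit

# Defaults copied from the README's environment-variable table.
DEFAULTS = {"FALCO_BASE_URL": "http://localhost:8080", "FALCO_USERNAME": "admin",
            "FALCO_PASSWORD": "admin", "PORT": "8080", "MCP_TRANSPORT": "streamable-http"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_config(env=None):
    """Return (variable, finding) pairs for the effective configuration."""
    env = os.environ if env is None else env
    cfg = {k: env.get(k, v) for k, v in DEFAULTS.items()}
    url = urlsplit(cfg["FALCO_BASE_URL"])
    local = url.hostname in LOOPBACK
    findings = []
    if (cfg["FALCO_USERNAME"], cfg["FALCO_PASSWORD"]) == ("admin", "admin"):
        findings.append(("FALCO_PASSWORD", "default admin:admin credentials"))
    if url.scheme != "https" and not local:
        # Basic Auth is only base64-encoded, so the password is readable on the wire.
        findings.append(("FALCO_BASE_URL", "Basic Auth over cleartext HTTP"))
    if (local and cfg["MCP_TRANSPORT"] != "stdio"
            and url.port is not None and str(url.port) == cfg["PORT"]):
        # The default base URL and the default listener port are both 8080.
        findings.append(("PORT", "upstream URL points at the MCP listener port"))
    return findings


# Constructed environments: the README's docker run values and a hardened
# variant whose hostname and credentials are placeholders.
DOCKER_ENV = {"FALCO_BASE_URL": "http://falcosidekick-ui.default.svc.cluster.local:2802",
              "FALCO_USERNAME": "admin", "FALCO_PASSWORD": "admin"}
HARDENED_ENV = {"FALCO_BASE_URL": "https://falcosidekick-ui.example.internal",
                "FALCO_USERNAME": "mcp-reader", "FALCO_PASSWORD": "<from-secret-store>"}

if __name__ == "__main__":
    for name, env in (("defaults", {}), ("docker", DOCKER_ENV), ("hardened", HARDENED_ENV)):
        print(name, audit_config(env))
```
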

Available tools

| Tool | Description |
|---|---|
| query_falco_events | Returns Falco events with normalized output_fields. Syscall, k8s_audit, and aws_cloudtrail sources keep only their most useful fields (container/process info, Kubernetes target metadata, CloudTrail principals). All events always retain uuid, time, priority, rule, source, description, and hostname. Syscall proc.cmdline values are truncated to ~120 chars to limit token usage. Use start_time / end_time for temporal windows instead of embedding time comparisons inside filter_query. |
| falco_full_event_by_id | Fetches the raw Falco event for a single uuid. It builds a UUID filter and leaves the response untouched so you can inspect every original field. |

When calling either tool you can pass start_time / end_time arguments. Provide timestamps in ISO 8601 UTC form (e.g. 2025-11-24T03:59:59.848208Z). The server converts them to timezone-aware datetimes internally and removes any events that fall outside that window, while still sending since=1M upstream to keep the search bounded.
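
The window filter and field normalization described above, sketched as an added example rather than the code in falco_mcp_server.py. The function names, the per-source keep-lists and the sample events are assumptions; the README names only the categories of fields that are kept.

```python
from datetime import datetime, timezone

CORE_KEYS = ("uuid", "time", "priority", "rule", "source", "description", "hostname")
# Assumed keep-lists: the README names only the categories of fields kept.
KEEP_FIELDS = {
    "syscall": ("container.name", "proc.name", "proc.cmdline", "user.name"),
    "k8s_audit": ("ka.verb", "ka.user.name", "ka.target.namespace", "ka.target.name"),
    "aws_cloudtrail": ("ct.name", "ct.user", "ct.user.arn", "ct.region"),
}
CMDLINE_MAX = 120  # the README truncates proc.cmdline to ~120 chars

def parse_utc(ts):
    """Parse ISO 8601 text into a timezone-aware UTC datetime."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    dt = dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt  # naive means UTC
    return dt.astimezone(timezone.utc)

def normalize(event):
    """Keep the core keys plus the per-source subset of output_fields."""
    fields = event.get("output_fields") or {}
    keep = KEEP_FIELDS.get(event.get("source"))  # unknown sources keep every field
    kept = dict(fields) if keep is None else {k: fields[k] for k in keep if k in fields}
    if len(str(kept.get("proc.cmdline", ""))) > CMDLINE_MAX:
        kept["proc.cmdline"] = str(kept["proc.cmdline"])[:CMDLINE_MAX] + "..."
    return {**{k: event.get(k) for k in CORE_KEYS}, "output_fields": kept}

def filter_window(events, start_time=None, end_time=None):
    """Drop events outside [start_time, end_time]; normalize the rest."""
    start = parse_utc(start_time) if start_time else None
    end = parse_utc(end_time) if end_time else None
    out = []
    for ev in events:
        try:
            t = parse_utc(ev["time"])
        except (KeyError, TypeError, ValueError, AttributeError):
            t = None  # unparseable time: cannot be placed in a window
        if (start or end) and (t is None or (start and t < start) or (end and t > end)):
            continue
        out.append(normalize(ev))
    return out

# Constructed sample events (not real Falco output).
SAMPLE_EVENTS = [
    {"uuid": "e-1", "time": "2025-11-24T03:10:00.000000Z", "source": "syscall",
     "rule": "Terminal shell in container", "priority": "Notice", "hostname": "node-1",
     "output_fields": {"proc.cmdline": "sh -c " + "A" * 300, "evt.type": "execve"}},
    {"uuid": "e-2", "time": "2025-11-24T04:30:00.000000Z", "source": "k8s_audit",
     "rule": "K8s Secret Get", "output_fields": {"ka.verb": "get"}},
]
```

Comparing parsed, timezone-aware datetimes rather than raw strings keeps the window correct when a caller supplies an offset such as +02:00 or omits the fractional seconds.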

Local run

cd falco-mcp
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
python3 falco_mcp_server.py

Then configure your MCP client with:

{
  "mcpServers": {
    "falco-events": {
      "type": "http",
      "url": "http://localhost:8080/mcp"
    }
  }
}

Docker

cd falco-mcp
docker build -t falco-mcp .
docker run -p 8080:8080 \
  -e FALCO_BASE_URL=http://falcosidekick-ui.default.svc.cluster.local:2802 \
  -e FALCO_USERNAME=admin \
  -e FALCO_PASSWORD=admin \
  falco-mcp

Kubernetes

The provided manifests assume the Falcosidekick UI is exposed as http://falcosidekick-ui:2802 and that the admin credentials remain admin:admin (see k8s/falco-mcp-deployment.yaml). If your environment uses different credentials or a different service name, edit the env vars before deploying.

kubectl apply -f k8s/falco-mcp-deployment.yaml
kubectl apply -f k8s/falco-mcp-service.yaml
