Provides tools for querying and retrieving Falco security events from Falcosidekick UI, including normalized event data from syscall, Kubernetes audit, and AWS CloudTrail sources, with support for temporal filtering and full event inspection by UUID.
Enables access to Kubernetes audit events captured by Falco, including metadata about Kubernetes resources and operations for security monitoring and analysis.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Falcosidekick UI MCP Servershow me high priority security events from the last hour"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Falcosidekick UI MCP Server
This folder contains a lightweight Model Context Protocol (MCP) server that exposes the Falcosidekick UI /api/v1/events/search endpoint as a tool. The server uses HTTP Basic Auth (default admin:admin) and runs in streamable HTTP mode so MCP clients can connect over plain HTTP.
Layout
falco_mcp_server.py– FastMCP implementation exposing Falco events over Falcosidekick UI API via two toolsrequirements.txt– Python dependencies (mcp,httpx,boto3)Dockerfile– Container image that launches the server on port8080k8s/– Deployment and Service manifests to run the server in Kubernetes
Environment variables
Variable | Default | Description |
|
| Falcosidekick UI base URL |
|
| Override the events endpoint path if needed |
|
| Basic Auth credentials |
|
| HTTP timeout in seconds |
|
| MCP HTTP listener port |
|
| Streamable HTTP mount path |
|
| Set to |
Available tools
Tool | Description |
| Returns Falco events with normalized |
| Fetches the raw Falco event for a single |
When calling either tool you can pass start_time / end_time arguments. Provide timestamps in ISO 8601 UTC form (e.g. 2025-11-24T03:59:59.848208Z). The server converts them to timezone-aware datetimes internally and removes any events that fall outside that window, while still sending since=1M upstream to keep the search bounded.
Local run
cd falco-mcp
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
python3 falco_mcp_server.pyThen configure your MCP client with:
{
"mcpServers": {
"falco-events": {
"type": "http",
"url": "http://localhost:8080/mcp"
}
}
}Docker
cd falco-mcp
docker build -t falco-mcp .
docker run -p 8080:8080 \
-e FALCO_BASE_URL=http://falcosidekick-ui.default.svc.cluster.local:2802 \
-e FALCO_USERNAME=admin \
-e FALCO_PASSWORD=admin \
falco-mcpKubernetes
The provided manifests assume the Falcosidekick UI is exposed as http://falcosidekick-ui:2802 and that the admin credentials remain admin:admin (see k8s/falco-mcp-deployment.yaml). If your environment uses different credentials or a different service name, edit the env vars before deploying.
kubectl apply -f k8s/falco-mcp-deployment.yaml
kubectl apply -f k8s/falco-mcp-service.yamlThis server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.