CrowdStrike Flight Control

Overview

The CrowdStrike Flight Control integration is designed for MSSPs and multi-tenant CrowdStrike environments.

It lets the Praetorian Guard Platform (PGP) connect once using a parent or master CID, discover child tenants automatically, and create scoped integrations for each child tenant. PGP then pulls host and vulnerability data from each child tenant and correlates it with Guard exposure data.

Use this integration when you manage multiple CrowdStrike child CIDs from a parent tenant.


Prerequisites

Before you begin, make sure you have:

  • Access to the CrowdStrike Falcon console for the parent CID

  • Permission to create API clients in CrowdStrike

  • A parent tenant licensed for Flight Control

  • Your CrowdStrike cloud region


Create a CrowdStrike API Client

  1. Sign in to the CrowdStrike Falcon console for the parent CID.

  2. Navigate to Support & Resources → API Clients & Keys.

  3. Click Create API Client.

  4. Grant the following read-only scopes based on the modules you want enabled:

    Scope                                 Required for
    Flight Control: Read                  Discovering child CIDs from the parent tenant
    Hosts: Read                           Syncing host inventory and correlating vulnerability findings to assets
    Vulnerabilities: Read                 Ingesting Spotlight findings
    SaaS Security (Falcon Shield): Read   Optional Shield module validation

If you enable Spotlight, you must also grant Hosts: Read so PGP can map findings to the correct assets.

After saving the client, copy the following values and store them securely:

  • Client ID

  • Client Secret

  • Cloud Region from your Falcon console URL

Supported regions:

  • us-1 (api.crowdstrike.com)

  • us-2 (api.us-2.crowdstrike.com)

  • eu-1 (api.eu-1.crowdstrike.com)

  • us-gov-1 (api.laggar.gcw.crowdstrike.com)

You will not be able to retrieve the client secret again later.


Configure the Integration in PGP

  1. In PGP, go to Integrations.

  2. Select Managed Detection & Response → CrowdStrike Flight Control.

  3. Click Connect.

  4. Enter the parent CID's Client ID, Client Secret, and Cloud Region.

  5. Enable the modules you want applied across child tenants.

  6. Click Connect.

PGP validates the credentials and confirms scope access for each enabled module before saving the integration.


What Happens After Connection

After Flight Control is connected, PGP automatically:

  • Discovers child CIDs using the Flight Control API

  • Creates a scoped CrowdStrike integration for each child tenant

  • Uses the parent credentials with member_cid scoping for child-tenant access

  • Applies the module configuration you selected to each child integration

You do not need to create a separate API client for every child tenant.


What Data Is Synced

Hosts → PGP Assets

For enabled child tenants, PGP syncs:

  • Device hostname and local IP address

  • Devices seen in the last 7 days

  • Assets that can be mapped successfully from CrowdStrike host data

Spotlight → PGP Risks

For enabled child tenants, PGP ingests:

  • Open CVEs from Spotlight

  • Findings updated in the last 7 days

  • CVSS score, severity, description, remediation guidance, references, and proof artifacts

  • Findings correlated to assets using CrowdStrike agent IDs

All Spotlight vulnerability vectors are included, not just network-reachable findings.
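The parent-CID flow described under "What Happens After Connection" and the 7-day host and Spotlight windows above, as an added example in Python (not PGP's or CrowdStrike's own code). It builds the /oauth2/token form with an optional member_cid, the FQL filters for the 7-day windows, and the Flight Control child query; the endpoint paths and FQL field names (last_seen, updated_timestamp, status) are assumed from the public CrowdStrike API, the HTTP transport is injected, and the CIDs in the offline stand-in are constructed placeholders.

```python
# Added example (not PGP's or CrowdStrike's code): parent-CID token scoping, Flight Control discovery, 7-day FQL windows.
from datetime import datetime, timedelta, timezone

REGION_HOSTS = {  # region -> API host, from the page's "Supported regions" list
    "us-1": "api.crowdstrike.com",
    "us-2": "api.us-2.crowdstrike.com",
    "eu-1": "api.eu-1.crowdstrike.com",
    "us-gov-1": "api.laggar.gcw.crowdstrike.com",
}

def api_base(region):
    """Base URL for a cloud region; an unknown region raises KeyError."""
    return "https://" + REGION_HOSTS[region]

def token_form(client_id, client_secret, member_cid=None):
    """Form body for POST /oauth2/token. member_cid locks the parent client's
    token to one child tenant, so no per-child API client is needed."""
    form = {"client_id": client_id, "client_secret": client_secret}
    if member_cid:
        form["member_cid"] = member_cid
    return form

def recent_window_fql(field, days=7, now=None):
    """FQL filter for the page's 7-day windows (last_seen for hosts,
    updated_timestamp for Spotlight findings)."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{field}:>'{since}'"

def spotlight_filter(now=None):
    """Open CVEs updated in the last 7 days, the page's Spotlight criteria."""
    return "status:'open'+" + recent_window_fql("updated_timestamp", now=now)

def discover_children(base_url, token, http_get):
    """Child CIDs from Flight Control (GET /mssp/queries/children/v1), the
    call that needs 'Flight Control: Read'. http_get(url, headers) -> dict."""
    body = http_get(base_url + "/mssp/queries/children/v1",
                    {"Authorization": "Bearer " + token})
    return list(body.get("resources", []))

def fake_get(url, headers):
    """Constructed offline stand-in for the HTTP transport (placeholder CIDs)."""
    assert url.endswith("/mssp/queries/children/v1") and "Authorization" in headers
    return {"resources": ["child-cid-placeholder-1", "child-cid-placeholder-2"]}

def scoped_token_forms(region, client_id, client_secret, parent_token, http_get=fake_get):
    """One /oauth2/token form per discovered child, each locked via member_cid."""
    children = discover_children(api_base(region), parent_token, http_get)
    return {cid: token_form(client_id, client_secret, cid) for cid in children}
```

Pass a real transport (any function returning the decoded JSON body) as http_get to run the discovery against a live parent tenant; the default stand-in keeps the example offline.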

Shield

The Shield module is currently limited to API scope validation.


Troubleshooting

Issue: Flight Control validation fails
  Cause: Missing Flight Control: Read
  Fix: Add the scope to the parent CID API client

Issue: Spotlight findings are missing for child tenants
  Cause: Vulnerabilities: Read or Hosts: Read is missing, findings are stale, or host correlation failed
  Fix: Verify both scopes are granted and confirm the findings are open, recently updated, and tied to valid devices

Issue: Child tenants do not appear
  Cause: The parent tenant cannot enumerate children or Flight Control is not licensed
  Fix: Verify Flight Control licensing and ensure the parent CID API client has the required scope

Issue: No assets appear
  Cause: Devices may be inactive for more than 7 days, or may be missing hostname/IP data
  Fix: Confirm the child tenants contain recently seen devices with valid hostname and local IP fields


Need Help?

If you run into issues during setup, contact support@praetorian.com.