CrowdStrike Falcon

Overview

The CrowdStrike Falcon integration brings your endpoint inventory and vulnerability data into the Praetorian Guard Platform (PGP), giving you continuous visibility into what's exposed across your attack surface.

Hosts managed by Falcon sync as assets, and open CVEs from Spotlight flow in as risks. Everything then correlates against your external exposure, so you can trace attack paths from the internet to vulnerable internal endpoints and prioritize remediation effectively.

For managed security providers (MSSPs), the Flight Control integration lets you connect once at the master CID level and automatically fan out to all child tenants.


Integration Options

PGP offers two CrowdStrike integrations depending on your environment:

Integration: CrowdStrike
  Use case: Single-tenant environments or individual child CIDs

Integration: CrowdStrike Flight Control
  Use case: MSSP or multi-tenant environments with a parent CID managing multiple child CIDs

Both appear under Managed Detection & Response on the Integrations page.


Modules

Each integration supports three toggleable modules. You can enable or disable them via checkboxes during setup.

Hosts (default: Enabled)
  What it does: Syncs your Falcon-managed endpoint inventory into PGP as assets (hostname + IP). Includes devices seen in the last 7 days.
  Required CrowdStrike API scope: Hosts: Read

Spotlight (default: Enabled)
  What it does: Ingests open CVEs from Spotlight into PGP as risks with CVSS scores, descriptions, remediation guidance, references, and proof artifacts. Findings updated in the last 7 days are correlated to assets using CrowdStrike agent IDs.
  Required CrowdStrike API scope: Vulnerabilities: Read and Hosts: Read

Shield (default: Disabled)
  What it does: SaaS security posture management. Currently validates API scope only — full data sync is coming in a future release.
  Required CrowdStrike API scope: SaaS Security (Falcon Shield): Read

At least one module must be enabled.


Prerequisites

Before setting up the integration, create an API client in the CrowdStrike Falcon console:

  1. Navigate to Support & Resources → API Clients & Keys in your Falcon console.

  2. Click Create API Client.

  3. Grant the following read-only scopes based on which modules you plan to enable:

    Hosts: Read
      Required for: the Hosts module, and also the Spotlight module, because PGP reads from Hosts to correlate findings to assets

    Vulnerabilities: Read
      Required for: the Spotlight module

    SaaS Security (Falcon Shield): Read
      Required for: the Shield module

    Flight Control: Read
      Required for: the Flight Control (MSSP) parent integration, to discover child CIDs

    If you're enabling Spotlight, you must grant both Vulnerabilities: Read and Hosts: Read. PGP also needs to read from Hosts to map vulnerability findings to the correct assets.

    No write permissions are required.

  4. Note your Client ID and Client Secret — you'll need both during setup.

  5. Identify your cloud region from your Falcon console URL (the API base host for each region is shown after the colon):

    • us-1: api.crowdstrike.com (most common)

    • us-2: api.us-2.crowdstrike.com

    • eu-1: api.eu-1.crowdstrike.com

    • us-gov-1: api.laggar.gcw.crowdstrike.com


Setup: Single-Tenant (CrowdStrike)

  1. Go to Integrations → Managed Detection & Response → CrowdStrike.

  2. Select your Cloud Region from the dropdown.

  3. Enter your Client ID and Client Secret.

  4. Toggle the modules you want enabled. Hosts and Spotlight are on by default.

  5. Click Connect. PGP validates your credentials by probing each enabled module's API scope before saving.

If validation fails, you'll see which scopes are missing or not licensed. Correct the API client permissions in Falcon and retry.


Setup: Multi-Tenant / MSSP (CrowdStrike Flight Control)

Use this integration if you manage multiple child CIDs under a parent or master CID:

  1. Go to Integrations → Managed Detection & Response → CrowdStrike Flight Control.

  2. Select your Cloud Region.

  3. Enter the parent CID's Client ID and Client Secret.

  4. Ensure that API client has Flight Control: Read plus the module scopes you plan to enable for child tenants: Hosts: Read, Vulnerabilities: Read, and optionally SaaS Security (Falcon Shield): Read.

  5. Toggle the modules you want enabled for all child tenants.

  6. Click Connect.

Once connected, PGP automatically:

  • Discovers all child CIDs via the Flight Control API (/mssp/queries/children/v1)

  • Creates a scoped CrowdStrike integration for each child tenant

  • Authenticates each child integration using the parent credentials with member_cid scoping, so no per-child API clients are needed

Child integrations inherit the module settings you selected during Flight Control setup.


What Data Is Synced

Hosts → PGP Assets

  • Device hostname and local IP address

  • Devices seen in the last 7 days are included

  • Devices missing a hostname or IP are skipped

Spotlight → PGP Risks

  • Open CVEs updated in the last 7 days

  • All Spotlight vulnerability vectors are included, not just network-reachable findings

  • Each risk includes CVSS score, severity, description, remediation steps, references, and the raw vulnerability data as a proof artifact

  • Vulnerabilities are correlated to their host asset via CrowdStrike's Agent ID


CrowdStrike API Endpoints Used

Authentication
  POST /oauth2/token (OAuth2 client credentials; adds member_cid for Flight Control children)

Hosts
  GET /devices/queries/devices-scroll/v1 (scroll device IDs, limit 5000) → GET /devices/entities/devices/v2 (hydrate in batches of 100)

Spotlight
  GET /spotlight/combined/vulnerabilities/v1 (fetches vulnerability details directly, paginated with after, limit 5000)

Shield
  GET /saas-security/entities/supported-saas/v3 (scope validation only)

Flight Control
  GET /mssp/queries/children/v1 (paginate child CIDs, limit 100)

Each enabled module is also probed during credential validation to verify API scope access before the integration is saved.
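As an added illustration of the sync flow described in "What Data Is Synced" and the endpoint list above (example code written for this page, not PGP's own implementation), the following Python reproduces the 100-id hydration batches, the 7-day and missing-field filters for hosts, the after-cursor pagination for Spotlight, and the Agent ID correlation. FakeFalcon, DEVICES and VULNS are constructed offline stand-ins for the real API with placeholder hosts and CVE ids; field names follow the Falcon responses as assumed here.

```python
from datetime import datetime, timedelta, timezone
NOW = datetime.now(timezone.utc)
FRESH = NOW.isoformat()
STALE = (NOW - timedelta(days=30)).isoformat()

# Constructed sample data standing in for Falcon responses (placeholder hosts and CVE ids).
DEVICES = {
    "aid-1": {"device_id": "aid-1", "hostname": "web01", "local_ip": "10.0.0.5", "last_seen": FRESH},
    "aid-2": {"device_id": "aid-2", "hostname": "", "local_ip": "10.0.0.6", "last_seen": FRESH},
    "aid-3": {"device_id": "aid-3", "hostname": "db01", "local_ip": "10.0.0.7", "last_seen": STALE},
}
VULNS = [
    {"id": "v1", "aid": "aid-1", "cve": {"id": "CVE-0000-0001", "base_score": 9.8}},
    {"id": "v2", "aid": "aid-3", "cve": {"id": "CVE-0000-0002", "base_score": 5.0}},
    {"id": "v3", "aid": "aid-1", "cve": {"id": "CVE-0000-0003", "base_score": 7.5}},
]
class FakeFalcon:
    """Offline stand-in for two endpoints; a real client sends bearer-token HTTPS requests."""
    def hydrate(self, ids):  # GET /devices/entities/devices/v2?ids=...
        assert len(ids) <= 100, "hydration batches are capped at 100 ids"
        return [DEVICES[i] for i in ids]
    def vulnerabilities(self, limit, after=None):  # GET /spotlight/combined/vulnerabilities/v1
        start = int(after or 0)
        page = VULNS[start:start + limit]
        nxt = str(start + limit) if start + limit < len(VULNS) else None
        return {"resources": page, "meta": {"pagination": {"after": nxt}}}

def sync_hosts(api, device_ids, max_age=timedelta(days=7)):
    """Hydrate scrolled ids in batches of 100; keep recent devices that have a hostname and IP."""
    assets = {}
    for i in range(0, len(device_ids), 100):
        for d in api.hydrate(device_ids[i:i + 100]):
            stale = NOW - datetime.fromisoformat(d["last_seen"]) > max_age
            if stale or not d["hostname"] or not d["local_ip"]:
                continue  # skipped, matching the Hosts sync rules above
            assets[d["device_id"]] = {"hostname": d["hostname"], "ip": d["local_ip"]}
    return assets

def sync_risks(api, assets, limit=5000):
    """Walk Spotlight with the 'after' cursor and correlate each finding to an asset by Agent ID."""
    risks, uncorrelated, after = [], [], None
    while True:
        page = api.vulnerabilities(limit=limit, after=after)
        for v in page["resources"]:
            asset = assets.get(v["aid"])
            (risks if asset else uncorrelated).append({**v, "asset": asset})
        after = page["meta"]["pagination"]["after"]
        if not after:
            return risks, uncorrelated
```

Findings that land in the uncorrelated list are exactly the "Missing vulnerabilities" case in Troubleshooting: the device was stale or incomplete, so no asset exists to attach the risk to.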


Concurrency and Rate Limits

PGP caps concurrent API requests at 8 parallel calls during vulnerability fetching and processes device hydration in batches, keeping its use of the CrowdStrike API within responsible limits.

If you're running into rate-limiting issues with large environments, reach out to your Praetorian team and we'll work with you to tune throughput.


Troubleshooting

Issue: missing API scope or product not licensed (403)
  Cause: The API client doesn't have the required scope for an enabled module
  Fix: Add the missing scope in Falcon → API Clients & Keys

Issue: missing Flight Control (MSSP) API scope
  Cause: The Flight Control integration is missing Flight Control: Read
  Fix: Add the scope to the parent CID's API client

Issue: no modules enabled
  Cause: All three module checkboxes are unchecked
  Fix: Enable at least one module: Hosts, Spotlight, or Shield

Issue: No assets appearing
  Cause: Devices may have been inactive for more than 7 days, or may be missing hostname/IP data
  Fix: Check that Falcon has recently seen devices with valid hostname and local IP values

Issue: Missing vulnerabilities
  Cause: Findings may be closed, older than 7 days, or associated with devices that could not be correlated
  Fix: Check that the vulnerabilities are still open, recently updated, and tied to devices PGP can map by Agent ID