CrowdStrike Falcon
Overview
The CrowdStrike Falcon integration brings your endpoint inventory and vulnerability data into the Praetorian Guard Platform (PGP), giving you continuous visibility into what's exposed across your attack surface. Hosts managed by Falcon sync as assets, open CVEs from Spotlight flow in as risks — filtered to network-reachable attack vectors — and everything correlates against your external exposure. The result: you can trace attack paths from the internet to vulnerable internal endpoints and prioritize remediation based on what's actually reachable.
For managed security providers (MSSPs), the Flight Control integration lets you connect once at the master CID level and automatically fan out to all child tenants.
Integration Options
PGP offers two CrowdStrike integrations depending on your environment:
Both appear under Managed Detection & Response in the Integrations page.
Modules
Each integration supports three toggleable modules. Enable or disable them via checkboxes during setup:
At least one module must be enabled.
Prerequisites
Before setting up the integration, create an API client in the CrowdStrike Falcon console:
- Navigate to Support & Resources → API Clients & Keys in your Falcon console
- Click Create API Client
- Grant the following scopes based on which modules you plan to enable:
- Note your Client ID and Client Secret — you'll need both during setup
- Identify your cloud region (visible in your Falcon console URL):
  - us-1: api.crowdstrike.com (most common)
  - us-2: api.us-2.crowdstrike.com
  - eu-1: api.eu-1.crowdstrike.com
  - us-gov-1: api.laggar.gcw.crowdstrike.com
Setup: Single-Tenant (CrowdStrike)
- Go to Integrations → Managed Detection & Response → CrowdStrike
- Select your Cloud Region from the dropdown
- Enter your Client ID and Client Secret
- Toggle the modules you want enabled (Hosts and Spotlight are on by default)
- Click Connect — PGP will validate your credentials by probing each enabled module's API scope before saving
If validation fails, you'll see which scopes are missing or not licensed. Correct the API client permissions in Falcon and retry.
Setup: Multi-Tenant / MSSP (CrowdStrike Flight Control)
Use this integration if you manage multiple child CIDs under a parent/master CID:
- Go to Integrations → Managed Detection & Response → CrowdStrike Flight Control
- Select your Cloud Region
- Enter the parent CID's Client ID and Client Secret (must have Flight Control: Read scope)
- Toggle the modules you want enabled for all child tenants
- Click Connect
Once connected, PGP automatically:
- Discovers all child CIDs via the Flight Control API (/mssp/queries/children/v1)
- Creates a scoped CrowdStrike integration for each child tenant
- Each child integration authenticates using the parent credentials with member_cid scoping, so no per-child API clients are needed
Child integrations inherit the module settings you selected during Flight Control setup.
What Data Is Synced
Hosts → PGP Assets
- Device hostname and local IP address
- Workstations are excluded; only devices seen in the last 7 days are included
- Devices missing a hostname or IP are skipped
Spotlight → PGP Risks
- Open CVEs with network-reachable attack vectors (AV:N or AV:A in the CVSS vector)
- Local-only vulnerabilities (AV:L) are filtered out
- Each risk includes: CVSS score, severity, description, remediation steps, references, and the raw vulnerability data as a proof artifact
- Vulnerabilities are correlated to their host asset via CrowdStrike's Agent ID
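To predict what a sync will and will not import, the sketch below applies the host and Spotlight rules listed above to exported records. It is an added example, not PGP's own code: the record field names, the status value "open", the sample data and the choice to drop a vulnerability whose host was not synced are all assumptions.

```python
from datetime import datetime, timedelta, timezone

REACHABLE = {"N", "A"}  # AV:N and AV:A are synced; AV:L is filtered out (per the page)

def attack_vector(vector):
    """Return the AV metric of a CVSS v2 or v3.x vector string, or None."""
    for part in (vector or "").split("/"):
        key, _, value = part.partition(":")
        if key == "AV" and value:
            return value
    return None

def eligible_hosts(devices, now, max_age=timedelta(days=7)):
    """Host rules: no workstations, hostname and IP present, seen in the last 7 days."""
    kept = {}
    for d in devices:
        if d.get("product_type_desc") == "Workstation":
            continue
        if not (d.get("hostname") and d.get("local_ip") and d.get("last_seen")):
            continue
        seen = datetime.fromisoformat(d["last_seen"].replace("Z", "+00:00"))
        if now - seen <= max_age:
            kept[d["device_id"]] = d
    return kept

def reachable_risks(vulns, hosts):
    """Open CVEs with AV:N or AV:A, joined to a kept host by agent ID (aid)."""
    risks = []
    for v in vulns:
        host = hosts.get(v.get("aid"))  # assumption: no risk without a synced asset
        if host and v.get("status") == "open" and attack_vector(v.get("vector")) in REACHABLE:
            risks.append((host["hostname"], v["cve_id"]))
    return risks

NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # constructed sample data below, not Falcon output
DEVICES = [
    {"device_id": "aid-1", "hostname": "web01", "local_ip": "10.0.0.5", "product_type_desc": "Server", "last_seen": "2024-06-09T12:00:00Z"},
    {"device_id": "aid-2", "hostname": "laptop7", "local_ip": "10.0.1.9", "product_type_desc": "Workstation", "last_seen": "2024-06-09T12:00:00Z"},
    {"device_id": "aid-3", "hostname": "db01", "local_ip": "10.0.0.8", "product_type_desc": "Server", "last_seen": "2024-05-20T08:00:00Z"},
    {"device_id": "aid-4", "hostname": "", "local_ip": "10.0.0.9", "product_type_desc": "Server", "last_seen": "2024-06-09T12:00:00Z"},
]
VULNS = [
    {"aid": "aid-1", "cve_id": "CVE-0000-0001", "status": "open", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"aid": "aid-1", "cve_id": "CVE-0000-0002", "status": "open", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    {"aid": "aid-1", "cve_id": "CVE-0000-0003", "status": "open", "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"},
    {"aid": "aid-1", "cve_id": "CVE-0000-0004", "status": "closed", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"aid": "aid-2", "cve_id": "CVE-0000-0001", "status": "open", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
]
print(reachable_risks(VULNS, eligible_hosts(DEVICES, NOW)))
```

Parsing the AV metric rather than substring-matching the vector handles both CVSS v2 and v3.x strings and treats a missing or malformed vector as not reachable.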
CrowdStrike API Endpoints Used
Each module also probes its query endpoint with limit=1 during credential validation to verify API scope access before running.
Concurrency & Rate Limits
PGP caps concurrent API requests at 10 parallel calls during device hydration and vulnerability fetching to stay within responsible usage of the CrowdStrike API. If you're running into rate limiting issues with large environments, reach out to your Praetorian team and we'll work with you to tune throughput.