Connect your CrowdStrike Falcon tenant to Capsule Security to discover the AI agents, local LLMs, and vibe-coding tools running on your endpoints.
This integration uses CrowdStrike's Falcon platform APIs to sync:
- Devices — Host inventory from the Falcon Hosts API (hostnames, OS, last-seen user, IP addresses, agent version)
- Local LLM models — Ollama, LM Studio, and other local model runtimes detected from process telemetry
- AI coding agents — Claude Code, Cursor, GitHub Copilot, Cline, and similar developer agents observed on managed devices
- Vibe-coding apps — DNS and network telemetry to surface AI-assisted browser-based coding tools (Lovable, Replit, Bolt, Base44, etc.)
- Device owners — Last-login users mapped from Falcon agent telemetry
The integration uses the `xdr` NG-SIEM repository for telemetry queries and the standard Hosts API for device inventory.
Before you begin, ensure you have:
- An active CrowdStrike Falcon subscription with the Falcon Insight XDR or Falcon Complete module (for NG-SIEM/LogScale telemetry)
- Falcon Administrator role, or another role with permission to create API clients
- The Falcon cloud region your tenant is hosted in (US-1, US-2, EU-1, US-GOV-1, or US-GOV-2)
Recommended — NG-SIEM / Falcon LogScale licensed. The richest AI-discovery experience (runtime detection of local LLMs, AI coding agents, and vibe-coding network activity) requires the Falcon LogScale / NGSIEM Investigate scope, which only appears in the API client UI when NG-SIEM / Falcon LogScale is licensed. If your tenant does not have NG-SIEM, the integration still installs and provides device inventory, installed AI-application discovery, and security-context enrichment — see Feature availability by scope below.
Optional modules (graceful degradation). Spotlight Vulnerabilities and Identity Protection scopes will only appear if those modules are licensed. If they are absent, Capsule will skip the corresponding enrichments and the integration will still function with reduced context — no action required.
Note: When NG-SIEM is licensed, Capsule queries the `xdr` LogScale repository by default. If your tenant uses a non-default repository, contact Capsule support before installing.
Capsule authenticates to CrowdStrike using OAuth2 client credentials. You need to create a dedicated API client and grant it the scopes listed below.
Sign in to the Falcon Console for your region:
| Region | Console URL |
|---|---|
| us-1 | https://falcon.crowdstrike.com |
| us-2 | https://falcon.us-2.crowdstrike.com |
| eu-1 | https://falcon.eu-1.crowdstrike.com |
| us-gov-1 | https://falcon.laggar.gcw.crowdstrike.com |
| us-gov-2 | https://falcon.us-gov-2.crowdstrike.mil |
From the menu, navigate to Support and resources → API clients and keys (sometimes shown as Support → API Clients and Keys).
Click Create API client.
Configure the client:
- Client name: Enter a descriptive name (e.g., `Capsule Security Integration`)
- Description: Optional — e.g., `Read-only Hosts + LogScale access for Capsule Security`
- API scopes: See Required Scopes below — select each scope and grant only the Read permission
Click Create.
Important: Copy the Client ID and Client Secret immediately. The secret is shown only once and cannot be retrieved later.
Note your Base URL / Cloud value displayed on the same screen — this is the region you'll select in Step 2 (e.g., `US-1`, `US-2`, `EU-1`, `US-GOV-1`, `US-GOV-2`).
All scopes are read-only — Capsule never writes to your Falcon tenant.
| Scope | Permission | Why Capsule needs it |
|---|---|---|
| Hosts | Read | Pulls device inventory from GET /devices/queries/devices/v1 and POST /devices/entities/devices/v2 — hostnames, OS version, agent version, last-seen user, IPs. |
| Falcon LogScale / NG-SIEM (Investigate) | Read | Runs LogScale (LQL) aggregations against the xdr repository via POST /api/v1/repositories/xdr/query to detect local LLMs, AI coding agents, and vibe-coding network activity. |
| Detections | Read | Correlates discovered AI agents and local LLMs with existing Falcon EDR detections so risky tools running on already-flagged hosts surface in Capsule's risk view. |
| Alerts | Read | Reads from Falcon's unified Alerts API — the modern superset of Detections that CrowdStrike is migrating tenants to. Lets Capsule keep working as customers roll over from the legacy Detections endpoints. |
| Apps | Read | Pulls Falcon's installed-application inventory so AI desktop apps (Cursor, Claude Desktop, ChatGPT, Ollama installers, Copilot extensions, etc.) are discovered even when not actively running in process telemetry. |
| Zero Trust Assessment | Read | Reads per-device Zero Trust posture scores so AI tools running on poorly-postured devices are prioritized in Capsule's risk surfaces and exec dashboards. |
| Spotlight Vulnerabilities | Read | Enriches device records with CVE exposure so an autonomous coding agent (e.g. Cursor, Claude Code) running on a critically-vulnerable host is flagged accordingly. |
| Identity Protection Entities | Read | Maps users to devices via Identity Protection's GraphQL entities API — accurate user attribution for AI tool usage, especially on shared or multi-user devices. |
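As an added illustration of how the two Hosts endpoints in the table are used together (example code written for this page, not Capsule's integration code), the following Python pages through `GET /devices/queries/devices/v1` for device IDs, batches them into `POST /devices/entities/devices/v2`, and keeps only the attributes listed above. The US-1 API host in `API_BASE` and the device field names are assumptions drawn from CrowdStrike's public Hosts API rather than from this page; `fake_http` serves a constructed seven-host tenant so the module runs offline, and `urllib_http` is the drop-in real transport.

```python
"""Two-step Hosts API inventory pull (added illustration, not Capsule's code).

The two endpoint paths are the ones named on this page. API_BASE (US-1) and
the device field names are assumptions taken from CrowdStrike's public Hosts
API; the sample tenant at the bottom is constructed so the module runs offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.crowdstrike.com"  # assumption: US-1 API host; other regions differ
# The attributes the page says the integration reports, plus the device id.
WANTED = ("device_id", "hostname", "platform_name", "os_version", "agent_version",
          "local_ip", "external_ip", "last_login_user", "last_seen")


def urllib_http(method, url, headers, body=None):
    """Real transport: (status, parsed JSON). 4xx/5xx are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def query_device_ids(http, token, base=API_BASE, page_size=500):
    """GET /devices/queries/devices/v1, advancing offset until pagination.total is reached."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    ids, offset = [], 0
    while True:
        qs = urllib.parse.urlencode({"limit": page_size, "offset": offset})
        status, doc = http("GET", f"{base}/devices/queries/devices/v1?{qs}", headers)
        if status != 200:
            raise RuntimeError(f"device id query failed: HTTP {status}")
        page = doc.get("resources", [])
        ids.extend(page)
        offset += len(page)
        if not page or offset >= doc["meta"]["pagination"]["total"]:
            return ids


def fetch_device_details(http, token, ids, base=API_BASE, page_size=500):
    """POST /devices/entities/devices/v2 in batches; keep only the WANTED attributes."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    devices = []
    for i in range(0, len(ids), page_size):
        status, doc = http("POST", f"{base}/devices/entities/devices/v2", headers,
                           {"ids": ids[i:i + page_size]})
        if status != 200:
            raise RuntimeError(f"device details fetch failed: HTTP {status}")
        devices.extend({k: r.get(k) for k in WANTED} for r in doc.get("resources", []))
    return devices


def sync_inventory(http, token, base=API_BASE, page_size=500):
    """The whole pull: ids first, then details. The bearer token is never logged."""
    ids = query_device_ids(http, token, base, page_size)
    return fetch_device_details(http, token, ids, base, page_size)


# ---- constructed sample tenant (seven hosts) so the module runs offline ----
SAMPLE_IDS = [f"aid{n:02d}" for n in range(7)]
SAMPLE_DETAILS = {
    aid: {"device_id": aid, "hostname": f"ws-{n:02d}", "platform_name": "Windows",
          "os_version": "Windows 11", "agent_version": "7.10.0",
          "local_ip": f"10.0.0.{n + 10}", "external_ip": "203.0.113.7",
          "last_login_user": f"user{n}", "last_seen": "2024-01-01T00:00:00Z",
          "policies": "present upstream, dropped because it is not in WANTED"}
    for n, aid in enumerate(SAMPLE_IDS)
}


def fake_http(method, url, headers, body=None):
    """Offline stand-in for urllib_http that serves SAMPLE_* in caller-sized pages."""
    if "/devices/queries/devices/v1" in url:
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        offset, limit = int(params["offset"][0]), int(params["limit"][0])
        return 200, {"meta": {"pagination": {"offset": offset, "limit": limit,
                                             "total": len(SAMPLE_IDS)}},
                     "resources": SAMPLE_IDS[offset:offset + limit]}
    if "/devices/entities/devices/v2" in url:
        return 200, {"resources": [SAMPLE_DETAILS[i] for i in body["ids"]]}
    return 404, {"errors": [{"message": "no such route"}]}


def demo():
    """Sync the constructed tenant with 3-id pages so both paging loops run more than once."""
    return sync_inventory(fake_http, "constructed-token", page_size=3)


if __name__ == "__main__":
    for dev in demo():
        print(dev["hostname"], dev["os_version"], dev["last_login_user"])
```

Against a real tenant only the transport changes: `sync_inventory(urllib_http, token)` with a bearer token obtained from `/oauth2/token`. Projecting each record onto `WANTED` is deliberate: the entities endpoint returns far more than the integration needs, and keeping only the documented attributes limits what ends up persisted downstream.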
Naming note: depending on which Falcon modules your tenant has licensed, the LogScale scope may appear as Falcon LogScale, NGSIEM Investigate, or Investigate, and the Identity Protection scope may appear as Identity Protection Entities or Identity Protection GraphQL. Pick whichever appears in your console and grant only Read.
For least-privilege, leave every other scope disabled. In particular Capsule does not require:
- `Hosts: Write` or `Real Time Response: Write/Admin` — the integration never modifies devices or runs RTR commands
- `Detections: Write` — Capsule reads detections only; it does not create, assign, or close them
- `Sensor Download` — not used
- `Falcon Container`, `IOA Rules`, `Custom IOA`, `Prevention Policies`, `Response Policies`, `Sensor Update Policies` — not used
- `User Management`, `Installation Tokens`, `API Integrations` — not used
- Store the Client Secret in a secrets manager. It cannot be retrieved from the Falcon console after the client is created.
- The Client ID alone is not sensitive, but it should still be treated as restricted information.
- If the secret is ever exposed, revoke the API client in the Falcon console and create a new one — there is no in-place rotate.
- Capsule stores the secret encrypted at rest. It is only used to call `/oauth2/token` to obtain short-lived (30-minute) bearer tokens.
Once you have the Client ID, Client Secret, and Cloud Region, you can install the integration.
Log in to the Capsule Security portal.
Click Integrations in the left sidebar.
Find the CrowdStrike Falcon card and click Set up Integration.
The setup modal asks for three values:
- Cloud Region — select the region matching your Falcon tenant (`US-1`, `US-2`, `EU-1`, `US-GOV-1`, or `US-GOV-2`)
- Client ID — paste the value from Step 1
- Client Secret — paste the secret from Step 1
Click Test connection. Capsule will perform an OAuth2 token exchange against your selected region and verify the API client is reachable.
Click Save.
- Initial sync begins automatically.
- The first sync typically completes in 5–20 minutes depending on host count and the size of the 30-day telemetry window Capsule queries.
- View synced devices in Inventory → Devices.
- View detected AI agents and local LLMs in Discovery → Agents and Discovery → Models.
- View vibe-coding app activity in Inventory → Apps.
The integration installs and runs with whichever scopes your API client has. Use this matrix to understand what you'll see in Capsule based on which Falcon modules your tenant has licensed.
| Capsule feature | Required Falcon scope(s) | Required Falcon module |
|---|---|---|
| Device inventory (hostnames, OS, agent version, IPs, last-login user) | Hosts: Read | Falcon Insight (any tier) |
| Installed AI applications (Cursor, Claude Desktop, Ollama installer, ChatGPT app, Copilot extensions) | Apps: Read | Falcon Insight (any tier) |
| Falcon-detected AI risk (AI tools running on hosts with active EDR detections / alerts) | Detections: Read, Alerts: Read | Falcon Insight (any tier) |
| Device posture context (Zero Trust score per device) | Zero Trust Assessment: Read | Falcon ZTA |
| Vulnerability context (CVEs on hosts running AI tools) | Spotlight Vulnerabilities: Read | Falcon Spotlight |
| Accurate user-to-device attribution (multi-user / shared hosts) | Identity Protection Entities: Read | Falcon Identity Protection |
| Runtime local LLM detection (Ollama, LM Studio, llama.cpp processes actively running) | Falcon LogScale / NGSIEM Investigate: Read | NG-SIEM / Falcon LogScale |
| Runtime AI coding-agent detection (Claude Code, Cursor, Cline, Copilot CLI processes) | Falcon LogScale / NGSIEM Investigate: Read | NG-SIEM / Falcon LogScale |
| Vibe-coding network telemetry (DNS / network activity to Lovable, Replit, Bolt, Base44, etc.) | Falcon LogScale / NGSIEM Investigate: Read | NG-SIEM / Falcon LogScale |
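For the three runtime rows above, here is what a LogScale aggregation of the kind described in the scopes table looks like end to end, as an added Python example that is not Capsule's own query: it builds an LQL `groupBy()` over process-execution events for a constructed list of local-LLM binaries, posts it to `POST /api/v1/repositories/xdr/query` with the page's 30-day window, and folds the returned rows into per-host findings. The transport is any `(method, url, headers, body) -> (status, json)` callable; `fake_http` answers with constructed rows so the block runs offline. The event and field names (`#event_simpleName`, `ProcessRollup2`, `FileName`, `aid`, `ComputerName`) are Falcon sensor-event names I rely on and the API host is an assumption; verify both against your tenant.

```python
"""Runtime local-LLM detection as a LogScale (LQL) aggregation over the xdr
repository (added illustration, not Capsule's query).

The endpoint path and the 30-day window come from this page. #event_simpleName,
ProcessRollup2, FileName, aid and ComputerName are Falcon sensor-event names
I rely on (assumption: confirm against your tenant's schema). The base URL,
the binary list and the sample rows are constructed.
"""
import json

# Illustrative process names for local model runtimes (constructed list; extend per estate).
LOCAL_LLM_BINARIES = ["ollama", "ollama.exe", "ollama_llama_server", "ollama_llama_server.exe",
                      "LM Studio.exe", "lms", "llama-server", "llama-server.exe", "llama-cli"]


def build_query(binaries=LOCAL_LLM_BINARIES, window="30d"):
    """Request body for POST /api/v1/repositories/xdr/query: one row per host and binary."""
    values = ", ".join(json.dumps(b) for b in binaries)  # quoted, comma-separated LQL literals
    lql = ("#event_simpleName=ProcessRollup2 "
           f"| in(field=FileName, values=[{values}], ignoreCase=true) "
           "| groupBy([aid, ComputerName, FileName], "
           "function=[count(as=executions), max(@timestamp, as=last_seen)])")
    return {"queryString": lql, "start": window, "end": "now"}


def run_query(http, token, body, base="https://api.crowdstrike.com"):
    """Synchronous query; an aggregation comes back as a JSON array of rows."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json",
               "Accept": "application/json"}
    status, rows = http("POST", f"{base}/api/v1/repositories/xdr/query", headers,
                        json.dumps(body))
    if status != 200:
        raise RuntimeError(f"LogScale query failed: HTTP {status} "
                           "(403: scope not granted; 404: repository not provisioned)")
    return rows


def summarize(rows):
    """{aid: {"host": ComputerName, "runtimes": {FileName: {executions, last_seen_ms}}}}.

    Aggregate values arrive as strings in the JSON answer, so they are converted here.
    """
    hosts = {}
    for r in rows:
        entry = hosts.setdefault(r["aid"], {"host": r["ComputerName"], "runtimes": {}})
        entry["runtimes"][r["FileName"]] = {"executions": int(r["executions"]),
                                            "last_seen_ms": int(r["last_seen"])}
    return hosts


# ---- constructed aggregation rows, shaped like a groupBy() answer ----
SAMPLE_ROWS = [
    {"aid": "aid01", "ComputerName": "ws-01", "FileName": "ollama.exe",
     "executions": "12", "last_seen": "1704067200000"},
    {"aid": "aid01", "ComputerName": "ws-01", "FileName": "LM Studio.exe",
     "executions": "3", "last_seen": "1703980800000"},
    {"aid": "aid02", "ComputerName": "mac-02", "FileName": "llama-server",
     "executions": "40", "last_seen": "1704150000000"},
]


def fake_http(method, url, headers, body=None):
    """Offline stand-in transport: answers the detection query with SAMPLE_ROWS."""
    if (url.endswith("/api/v1/repositories/xdr/query")
            and "ProcessRollup2" in json.loads(body)["queryString"]):
        return 200, SAMPLE_ROWS
    return 404, {"errors": [{"message": "repository not found"}]}


def demo():
    """Run the detection end to end against the constructed tenant."""
    return summarize(run_query(fake_http, "constructed-token", build_query()))


if __name__ == "__main__":
    for aid, finding in demo().items():
        print(aid, finding["host"], sorted(finding["runtimes"]))
```

The aggregation, rather than a raw event search, is what keeps the 30-day window affordable: the server returns one row per host and binary with a count and a last-seen timestamp, which is exactly the shape a Models or Agents view needs, and the same `groupBy()` pattern applies to the coding-agent row by swapping the binary list.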
If your tenant does not license NG-SIEM, you still get a meaningful baseline:
- ✅ Full device inventory and security-posture enrichment
- ✅ Discovery of installed AI desktop applications via Falcon's Apps inventory
- ✅ Risk correlation against existing Falcon detections and alerts
- ❌ No runtime detection of currently-running AI processes
- ❌ No DNS / network signals for browser-based vibe-coding tools
The integration's Discovery → Agents and Discovery → Models views in Capsule will show installed AI tools but will not reflect runtime activity. To enable full runtime discovery, work with your CrowdStrike account team to add NG-SIEM / Falcon LogScale, then update the API client to grant the Falcon LogScale / NGSIEM Investigate: Read scope — no other reconfiguration is needed.
- The Client ID or Client Secret is wrong, or the API client has been deleted/disabled in the Falcon console.
- Confirm the Cloud Region matches the cloud where the API client was created — credentials are not portable across regions.
- The API client is missing one of the required scopes. Re-open the client in Support and resources → API clients and keys and confirm all of Hosts: Read, Falcon LogScale / NGSIEM Investigate: Read, Detections: Read, Alerts: Read, Apps: Read, Zero Trust Assessment: Read, Spotlight Vulnerabilities: Read, and Identity Protection Entities: Read are checked.
- If your tenant does not license Spotlight, Zero Trust Assessment, or Identity Protection, those scopes will not appear in the client UI — Capsule will skip the corresponding enrichments and the integration will continue to function with reduced context.
- The region selector in Capsule must be one of `us-1`, `us-2`, `eu-1`, `us-gov-1`, or `us-gov-2`. Custom or commercial-preview regions are not supported.
- Your tenant does not have NG-SIEM/Falcon LogScale licensed, or the `xdr` repository is not provisioned. The integration will continue to run in baseline mode (device inventory + installed AI app discovery + detection/alert correlation) — see Feature availability by scope. Contact your CrowdStrike account team if you want to enable runtime AI process discovery.
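The token exchange mentioned under secret handling and the troubleshooting causes listed above can be checked before you save the integration. This is an added Python example, not Capsule's code: `TokenCache` performs the OAuth2 client-credentials exchange against `/oauth2/token` and reuses the roughly 30-minute token, and `preflight` makes one read-only call per scope and sorts the HTTP status into the causes above (403 scope missing, 404 repository not provisioned, a failed exchange for wrong credentials, a disabled client or a region mismatch). The per-region API hosts in `API_BASE`, the probe bodies and the status-to-cause mapping are assumptions; `FakeTenant` is a constructed tenant (Hosts granted, NG-SIEM unlicensed) so the block runs offline.

```python
"""OAuth2 client-credentials exchange with token reuse, plus a read-only scope
preflight that sorts failures into the causes listed above.

Added illustration, not Capsule's code. API_BASE is the standard Falcon API
host per region as I know it (assumption: confirm against the Base URL on your
API client screen). /oauth2/token and the two probe paths come from this page;
the status-to-cause mapping and the fake tenant are constructed.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API_BASE = {  # assumption: keyed by the page's region names
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
    "us-gov-2": "https://api.us-gov-2.crowdstrike.mil",
}
# (scope, method, path, JSON body): one cheap read-only call per scope named on the page.
PROBES = [
    ("Hosts: Read", "GET", "/devices/queries/devices/v1?limit=1", None),
    ("Falcon LogScale / NGSIEM Investigate: Read", "POST",
     "/api/v1/repositories/xdr/query", {"queryString": "count()", "start": "1m"}),
]


def urllib_http(method, url, headers, body=None):
    """Real transport; body is an already-encoded str. 4xx/5xx come back as a status."""
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


class TokenCache:
    """Holds the secret only in memory and reuses each ~30-minute token until
    `skew` seconds before it expires. Nothing here ever logs the secret."""

    def __init__(self, http, region, client_id, client_secret, skew=60):
        self.http, self.base, self.exchanges = http, API_BASE[region], 0
        self._id, self._secret, self._skew = client_id, client_secret, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token and time.time() < self._expires_at - self._skew:
            return self._token
        form = urllib.parse.urlencode({"client_id": self._id, "client_secret": self._secret})
        status, doc = self.http("POST", f"{self.base}/oauth2/token",
                                {"Content-Type": "application/x-www-form-urlencoded",
                                 "Accept": "application/json"}, form)
        self.exchanges += 1
        if status not in (200, 201) or "access_token" not in doc:
            raise PermissionError(f"token exchange returned HTTP {status}: check Client ID / "
                                  "Client Secret, that the client is enabled, and the Cloud Region")
        self._token = doc["access_token"]
        self._expires_at = time.time() + float(doc.get("expires_in", 1799))
        return self._token


def classify(status):
    """HTTP status -> cause from the troubleshooting list above (assumption)."""
    return {200: "granted", 201: "granted",
            403: "scope-missing",     # grant Read, or the module is unlicensed: Capsule degrades
            404: "not-provisioned",   # e.g. the xdr repository is absent
            401: "auth-failed"}.get(status, f"http-{status}")


def preflight(http, cache):
    """Probe every scope once with a cached token; returns {scope: classification}."""
    report = {}
    for scope, method, path, body in PROBES:
        headers = {"Authorization": f"Bearer {cache.token()}",
                   "Content-Type": "application/json", "Accept": "application/json"}
        status, _ = http(method, cache.base + path, headers,
                         json.dumps(body) if body is not None else None)
        report[scope] = classify(status)
    return report


class FakeTenant:
    """Constructed tenant: valid client, Hosts granted, NG-SIEM not licensed."""
    SECRET = "constructed-secret"

    def __call__(self, method, url, headers, body=None):
        if url.endswith("/oauth2/token"):
            if urllib.parse.parse_qs(body or "").get("client_secret") != [self.SECRET]:
                return 403, {"errors": [{"message": "invalid client credentials"}]}
            return 201, {"access_token": "constructed-jwt", "expires_in": 1799}
        if "/devices/queries/devices/v1" in url:
            return 200, {"resources": []}
        if "/api/v1/repositories/xdr/query" in url:
            return 403, {"errors": [{"message": "scope not granted"}]}
        return 404, {}


def demo(secret=FakeTenant.SECRET):
    """Two preflights against the fake tenant; returns (report, token exchanges made)."""
    tenant = FakeTenant()
    cache = TokenCache(tenant, "us-1", "constructed-client-id", secret)
    report = preflight(tenant, cache)
    preflight(tenant, cache)  # second pass must reuse the cached token
    return report, cache.exchanges


def exchange_rejected(secret):
    """True when the tenant refuses the secret, i.e. the PermissionError path fires."""
    try:
        demo(secret)
        return False
    except PermissionError:
        return True
```

With the real transport, `TokenCache(urllib_http, "eu-1", client_id, secret)` followed by `preflight(urllib_http, cache)` reproduces the portal's Test connection step locally: a `PermissionError` from the exchange points at the credential, client-state or region causes, while a `scope-missing` or `not-provisioned` entry in the report points at the scope and NG-SIEM causes, which the integration tolerates by degrading rather than failing.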
For help with this integration:
- Email: support@capsule.security
- Include: Your tenant ID, integration status, cloud region, and any error messages from the Capsule portal
For CrowdStrike API client or scope issues:
- Falcon Console: Support and resources → CrowdStrike technical support
- Include: Your CID (Customer ID), API client name, and the scope you are trying to enable