{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"CrowdStrike Falcon Integration","description":"Control the power of AI Agents in runtime.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"crowdstrike-falcon-integration","__idx":0},"children":["CrowdStrike Falcon Integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Connect your CrowdStrike Falcon tenant to Capsule Security to discover the AI agents, local LLMs, and vibe-coding tools running on your endpoints."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"overview","__idx":1},"children":["Overview"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This integration uses CrowdStrike's Falcon platform APIs to sync:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Devices"]}," — Host inventory from the Falcon Hosts API (hostnames, OS, last-seen user, IP addresses, agent version)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Local LLM models"]}," — Ollama, LM Studio, and other local model runtimes detected from process telemetry"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["AI coding agents"]}," — Claude Code, Cursor, GitHub Copilot, Cline, and similar developer agents observed on managed 
devices"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Vibe-coding apps"]}," — DNS and network telemetry to surface AI-assisted browser-based coding tools (Lovable, Replit, Bolt, Base44, etc.)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Device owners"]}," — Last-login users mapped from Falcon agent telemetry"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The integration uses the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["xdr"]}," NG-SIEM repository for telemetry queries and the standard Hosts API for device inventory."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites","__idx":2},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before you begin, ensure you have:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["An active ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CrowdStrike Falcon"]}," subscription with the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon Insight XDR"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon Complete"]}," module (for NG-SIEM/LogScale telemetry)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon Administrator"]}," role, or another role with permission to create API clients"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon cloud region"]}," your tenant is hosted in (US-1, US-2, EU-1, US-GOV-1, or 
US-GOV-2)"]}]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Recommended — NG-SIEM / Falcon LogScale licensed."]}," The richest AI-discovery experience (runtime detection of local LLMs, AI coding agents, and vibe-coding network activity) requires the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon LogScale / NGSIEM Investigate"]}," scope, which only appears in the API client UI when NG-SIEM / Falcon LogScale is licensed. If your tenant does not have NG-SIEM, the integration still installs and provides device inventory, installed AI-application discovery, and security-context enrichment — see ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"#feature-availability-by-scope"},"children":["Feature availability by scope"]}," below."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Optional modules (graceful degradation)."]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Spotlight Vulnerabilities"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity Protection"]}," scopes will only appear if those modules are licensed. If they are absent, Capsule will skip the corresponding enrichments and the integration will still function with reduced context — no action required."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," When NG-SIEM is licensed, Capsule queries the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["xdr"]}," LogScale repository by default. 
If your tenant uses a non-default repository, contact Capsule support before installing."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-1-create-an-api-client-in-the-falcon-console","__idx":3},"children":["Step 1: Create an API Client in the Falcon Console"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule authenticates to CrowdStrike using OAuth2 client credentials. You need to create a dedicated API client and grant it the scopes listed below."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"steps","__idx":4},"children":["Steps"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Sign in to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon Console"]}," for your region:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Region"},"children":["Region"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Console URL"},"children":["Console 
URL"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["us-1"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://falcon.crowdstrike.com"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["us-2"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://falcon.us-2.crowdstrike.com"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["eu-1"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://falcon.eu-1.crowdstrike.com"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["us-gov-1"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://falcon.laggar.gcw.crowdstrike.com"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["us-gov-2"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://falcon.us-gov-2.crowdstrike.mil"]}]}]}]}]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["From the menu, navigate to 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Support and resources → API clients and keys"]}," (sometimes shown as ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Support → API Clients and Keys"]},")."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create API client"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Configure the client:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client name"]},": Enter a descriptive name (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Capsule Security Integration"]},")"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Description"]},": Optional — e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read-only Hosts + LogScale access for Capsule Security"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API scopes"]},": See ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Required Scopes"]}," below — select each scope and grant only the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Read"]}," permission"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Important"]},": Copy the 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client ID"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Secret"]}," immediately. The secret is shown only once and cannot be retrieved later."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Note your ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Base URL / Cloud"]}," value displayed on the same screen — this is the region you'll select in Step 2 (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["US-1"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["US-2"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["EU-1"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["US-GOV-1"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["US-GOV-2"]},")."]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"required-scopes","__idx":5},"children":["Required Scopes"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["All scopes are ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["read-only"]}," — Capsule never writes to your Falcon tenant."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Scope"},"children":["Scope"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Permission"},"children":["Permission"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Why Capsule needs it"},"children":["Why Capsule needs 
it"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Hosts"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Pulls device inventory from ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["GET /devices/queries/devices/v1"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["POST /devices/entities/devices/v2"]}," — hostnames, OS version, agent version, last-seen user, IPs."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon LogScale / NG-SIEM (Investigate)"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Runs LogScale (LQL) aggregations against the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["xdr"]}," repository via ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["POST /api/v1/repositories/xdr/query"]}," to detect local LLMs, AI coding agents, and vibe-coding network activity."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Detections"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Correlates discovered AI agents and local LLMs with existing Falcon EDR detections so risky tools running on already-flagged hosts surface 
in Capsule's risk view."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Alerts"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Reads from Falcon's unified Alerts API — the modern superset of Detections that CrowdStrike is migrating tenants to. Lets Capsule keep working as customers roll over from the legacy Detections endpoints."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Apps"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Pulls Falcon's installed-application inventory so AI desktop apps (Cursor, Claude Desktop, ChatGPT, Ollama installers, Copilot extensions, etc.) 
are discovered even when not actively running in process telemetry."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Zero Trust Assessment"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Reads per-device Zero Trust posture scores so AI tools running on poorly-postured devices are prioritized in Capsule's risk surfaces and exec dashboards."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Spotlight Vulnerabilities"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Enriches device records with CVE exposure so an autonomous coding agent (e.g. 
Cursor, Claude Code) running on a critically-vulnerable host is flagged accordingly."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity Protection Entities"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Maps users to devices via Identity Protection's GraphQL entities API — accurate user attribution for AI tool usage, especially on shared or multi-user devices."]}]}]}]}]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Naming note:"]}," depending on which Falcon modules your tenant has licensed, the LogScale scope may appear as ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon LogScale"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["NGSIEM Investigate"]},", or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Investigate"]},", and the Identity Protection scope may appear as ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity Protection Entities"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity Protection GraphQL"]},". Pick whichever appears in your console and grant only ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Read"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"do-not-grant","__idx":6},"children":["Do NOT grant"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For least-privilege, leave every other scope ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["disabled"]},". 
In particular Capsule does ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["not"]}," require:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Hosts: Write"]}," or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Real Time Response: Write/Admin"]}," — the integration never modifies devices or runs RTR commands"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Detections: Write"]}," — Capsule reads detections only; it does not create, assign, or close them"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Sensor Download"]}," — not used"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Falcon Container"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["IOA Rules"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Custom IOA"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Prevention Policies"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Response Policies"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Sensor Update Policies"]}," — not used"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["User Management"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Installation Tokens"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["API Integrations"]}," — not used"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"security-notes","__idx":7},"children":["Security 
notes"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Store the Client Secret in a secrets manager. It cannot be retrieved from the Falcon console after the client is created."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The Client ID alone is not sensitive, but it should still be treated as restricted information."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If the secret is ever exposed, ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["revoke the API client"]}," in the Falcon console and create a new one — there is no in-place rotate."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Capsule stores the secret encrypted at rest. It is only used to call ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/oauth2/token"]}," to obtain short-lived (30-minute) bearer tokens."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-2-configure-the-integration-in-capsule","__idx":8},"children":["Step 2: Configure the Integration in Capsule"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once you have the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client ID"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Secret"]},", and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cloud Region"]},", you can install the integration."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"steps-1","__idx":9},"children":["Steps"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Log in to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Capsule Security"]}," 
portal."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Integrations"]}," in the left sidebar."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Find the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CrowdStrike Falcon"]}," card and click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Set up Integration"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The setup modal asks for three values:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cloud Region"]}," — select the region matching your Falcon tenant (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["US-1"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["US-2"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["EU-1"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["US-GOV-1"]},", or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["US-GOV-2"]},")"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client ID"]}," — paste the value from Step 1"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client Secret"]}," — paste the secret from Step 1"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Test connection"]},". 
Capsule will perform an OAuth2 token exchange against your selected region and verify the API client is reachable."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]},"."]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"after-setup","__idx":10},"children":["After setup"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Initial sync begins automatically."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The first sync typically completes in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["5–20 minutes"]}," depending on host count and the size of the 30-day telemetry window Capsule queries."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["View synced devices in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Inventory → Devices"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["View detected AI agents and local LLMs in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Discovery → Agents"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Discovery → Models"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["View vibe-coding app activity in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Inventory → Apps"]},"."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"feature-availability-by-scope","__idx":11},"children":["Feature Availability by Scope"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The integration installs and runs with whichever scopes your API client has. 
Use this matrix to understand what you'll see in Capsule based on which Falcon modules your tenant has licensed."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Capsule feature"},"children":["Capsule feature"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Required Falcon scope(s)"},"children":["Required Falcon scope(s)"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Required Falcon module"},"children":["Required Falcon module"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Device inventory"]}," (hostnames, OS, agent version, IPs, last-login user)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Hosts: Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Falcon Insight (any tier)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Installed AI applications"]}," (Cursor, Claude Desktop, Ollama installer, ChatGPT app, Copilot extensions)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Apps: Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Falcon Insight (any 
tier)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon-detected AI risk"]}," (AI tools running on hosts with active EDR detections / alerts)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Detections: Read"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Alerts: Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Falcon Insight (any tier)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Device posture context"]}," (Zero Trust score per device)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Zero Trust Assessment: Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Falcon ZTA"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Vulnerability context"]}," (CVEs on hosts running AI tools)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Spotlight Vulnerabilities: Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Falcon Spotlight"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Accurate user-to-device attribution"]}," (multi-user / shared hosts)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Identity Protection Entities: 
Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Falcon Identity Protection"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Runtime local LLM detection"]}," (Ollama, LM Studio, llama.cpp processes actively running)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Falcon LogScale / NGSIEM Investigate: Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["NG-SIEM / Falcon LogScale"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Runtime AI coding-agent detection"]}," (Claude Code, Cursor, Cline, Copilot CLI processes)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Falcon LogScale / NGSIEM Investigate: Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["NG-SIEM / Falcon LogScale"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Vibe-coding network telemetry"]}," (DNS / network activity to Lovable, Replit, Bolt, Base44, etc.)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Falcon LogScale / NGSIEM Investigate: Read"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["NG-SIEM / Falcon 
LogScale"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"without-ng-siem--falcon-logscale","__idx":12},"children":["Without NG-SIEM / Falcon LogScale"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If your tenant does not license NG-SIEM, you still get a meaningful baseline:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["✅ Full device inventory and security-posture enrichment"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["✅ Discovery of ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["installed"]}," AI desktop applications via Falcon's Apps inventory"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["✅ Risk correlation against existing Falcon detections and alerts"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["❌ No runtime detection of currently running AI processes"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["❌ No DNS / network signals for browser-based vibe-coding tools"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The integration's ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Discovery → Agents"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Discovery → Models"]}," views in Capsule will show installed AI tools but will not reflect runtime activity. 
To enable full runtime discovery, work with your CrowdStrike account team to add NG-SIEM / Falcon LogScale, then update the API client to grant the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon LogScale / NGSIEM Investigate: Read"]}," scope — no other reconfiguration is needed."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"troubleshooting","__idx":13},"children":["Troubleshooting"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"401-unauthorized-on-token-exchange","__idx":14},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["401 Unauthorized"]}," on token exchange"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The Client ID or Client Secret is wrong, or the API client has been deleted/disabled in the Falcon console."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Confirm the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cloud Region"]}," matches the cloud where the API client was created — credentials are not portable across regions."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"403-forbidden-on-hosts-logscale-detections-alerts-apps-zta-spotlight-or-identity-protection-endpoints","__idx":15},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["403 Forbidden"]}," on Hosts, LogScale, Detections, Alerts, Apps, ZTA, Spotlight, or Identity Protection endpoints"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The API client is missing one of the required scopes. 
Re-open the client in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Support and resources → API clients and keys"]}," and confirm all of ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Hosts: Read"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon LogScale / NGSIEM Investigate: Read"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Detections: Read"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Alerts: Read"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Apps: Read"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Zero Trust Assessment: Read"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Spotlight Vulnerabilities: Read"]},", and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity Protection Entities: Read"]}," are checked."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If your tenant does not license ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Spotlight"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Zero Trust Assessment"]},", or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity Protection"]},", those scopes will not appear in the client UI — Capsule will skip the corresponding enrichments and the integration will continue to function with reduced context."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"unsupported-crowdstrike-falcon-cloud-region","__idx":16},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Unsupported CrowdStrike Falcon cloud region"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The region selector in Capsule must be one of ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["us-1"]},", 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["us-2"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["eu-1"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["us-gov-1"]},", or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["us-gov-2"]},". Custom or commercial-preview regions are not supported."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"logscale-query-failed-404-on-the-xdr-repository","__idx":17},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["LogScale query failed: 404"]}," on the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["xdr"]}," repository"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Your tenant does not have NG-SIEM/Falcon LogScale licensed, or the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["xdr"]}," repository is not provisioned. The integration will continue to run in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["baseline mode"]}," (device inventory + installed AI app discovery + detection/alert correlation) — see ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"#feature-availability-by-scope"},"children":["Feature availability by scope"]},". 
Contact your CrowdStrike account team if you want to enable runtime AI process discovery."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"support","__idx":18},"children":["Support"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For help with this integration:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Email"]},": support@capsule.security"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Include"]},": Your tenant ID, integration status, cloud region, and any error messages from the Capsule portal"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For CrowdStrike API client or scope issues:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Falcon Console"]},": ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Support and resources → CrowdStrike technical support"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Include"]},": Your CID (Customer ID), API client name, and the scope you are trying to enable"]}]}]},"headings":[{"value":"CrowdStrike Falcon Integration","id":"crowdstrike-falcon-integration","depth":1},{"value":"Overview","id":"overview","depth":2},{"value":"Prerequisites","id":"prerequisites","depth":2},{"value":"Step 1: Create an API Client in the Falcon Console","id":"step-1-create-an-api-client-in-the-falcon-console","depth":2},{"value":"Steps","id":"steps","depth":3},{"value":"Required Scopes","id":"required-scopes","depth":3},{"value":"Do NOT grant","id":"do-not-grant","depth":3},{"value":"Security 
notes","id":"security-notes","depth":3},{"value":"Step 2: Configure the Integration in Capsule","id":"step-2-configure-the-integration-in-capsule","depth":2},{"value":"Steps","id":"steps-1","depth":3},{"value":"After setup","id":"after-setup","depth":3},{"value":"Feature Availability by Scope","id":"feature-availability-by-scope","depth":2},{"value":"Without NG-SIEM / Falcon LogScale","id":"without-ng-siem--falcon-logscale","depth":3},{"value":"Troubleshooting","id":"troubleshooting","depth":2},{"value":"401 Unauthorized on token exchange","id":"401-unauthorized-on-token-exchange","depth":3},{"value":"403 Forbidden on Hosts, LogScale, Detections, Alerts, Apps, ZTA, Spotlight, or Identity Protection endpoints","id":"403-forbidden-on-hosts-logscale-detections-alerts-apps-zta-spotlight-or-identity-protection-endpoints","depth":3},{"value":"Unsupported CrowdStrike Falcon cloud region","id":"unsupported-crowdstrike-falcon-cloud-region","depth":3},{"value":"LogScale query failed: 404 on the xdr repository","id":"logscale-query-failed-404-on-the-xdr-repository","depth":3},{"value":"Support","id":"support","depth":2}],"frontmatter":{"seo":{"title":"CrowdStrike Falcon Integration"}},"lastModified":"2026-05-01T07:26:53.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/crowdstrike-falcon","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}