CrowdStrike Falcon Integration
Integration with CrowdStrike Falcon platform including Falcon Insight EDR, Falcon Spotlight, and Falcon Discover. Piscium ingests endpoint detection data, vulnerability assessments, and asset inventory from Falcon to enrich attack graph modeling. Validated exposures can trigger Falcon Real Time Response actions and Falcon Fusion SOAR workflows.
Why CrowdStrike Falcon?
CrowdStrike Falcon provides best-in-class endpoint visibility and detection. Piscium extends this by validating whether detected vulnerabilities and misconfigurations on Falcon-managed endpoints can be chained into complete attack paths that reach critical OT assets — turning endpoint telemetry into validated, business-prioritized risk.
Example Scenario
Falcon Spotlight identifies a critical vulnerability on a Windows jump server used by OT engineers to access the SCADA network. Piscium ingests this finding, correlates it with the endpoint's network position from Falcon Discover, and deploys an AI agent that validates a full attack chain: the jump server vulnerability allows credential theft, which grants RDP access to an HMI workstation, which has unmonitored USB access to a safety controller. Piscium publishes the validated path back to Falcon and triggers a Fusion workflow to enforce network isolation on the jump server until patching is complete.
Implementation Notes
Requires a CrowdStrike API client (OAuth2 client ID and secret, exchanged for a short-lived bearer token) with Spotlight Vulnerabilities read, Hosts read, and Real Time Response write scopes. The API base URL must match the tenant's Falcon cloud (for example api.crowdstrike.com for US-1 or api.laggar.gcw.crowdstrike.com for GovCloud); a token issued by one cloud is not valid on another. Piscium either polls the Falcon API on a configurable interval or reacts to Falcon streaming API events. Asset correlation uses Falcon Agent ID (AID), hostname, and IP address; of the three, only the AID is stable across hostname changes and DHCP reassignment, so it takes precedence when present. Supports Falcon GovCloud and commercial cloud environments. Recommended: create a dedicated API client with the minimum required scopes, since Real Time Response write allows running commands on any host the client can reach; rotate its secret and review its activity in the Falcon audit trail.
Webhook Payload Example
{
"event": "exposure.validated",
"timestamp": "2026-03-06T15:33:00Z",
"exposure_id": "EXP-2026-00245",
"severity": "critical",
"cvss_score": 9.2,
"cve": "CVE-2025-26633",
"affected_asset": "jump-srv-01.corp.local",
"crowdstrike_agent_id": "a1b2c3d4e5f67890a1b2c3d4e5f67890",
"crowdstrike_spotlight_id": "vuln_987654321",
"attack_path_id": "AG-0698",
"blast_radius": 15,
"remediation_status": "pending"
}
Ready to Connect CrowdStrike Falcon?
See the integration running live in your environment.
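As an added example, not Piscium or CrowdStrike code, the following consumer takes the exposure.validated payload shown above, validates its fields, correlates the affected asset to a Falcon host record in the order Agent ID, hostname, IP address, and decides whether to request Falcon network containment for it. The host inventory, the ticket-or-contain decision and the severity threshold are assumptions made for the example; the Falcon host field names (device_id, hostname, local_ip) and the containment endpoint are the real ones. Note that network containment requires the Hosts write scope, which the scope list in the Implementation Notes does not include; an API client with only the scopes listed there could not issue this request.

```python
"""Consume a Piscium exposure.validated webhook and map it onto Falcon.

Added example; not Piscium's or CrowdStrike's code. Assumes the payload
shape shown on this page and a host list in the shape of the Falcon
Hosts API (device_id, hostname, local_ip). The containment request is
only built, never sent.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

AGENT_ID_RE = re.compile(r"^[0-9a-f]{32}$")          # Falcon AID: 32 lowercase hex chars
SEVERITIES = ("low", "medium", "high", "critical")   # assumed Piscium severity scale

# Constructed sample: the webhook payload from this page, as delivered by Piscium.
SAMPLE_EVENT = json.dumps({
    "event": "exposure.validated",
    "timestamp": "2026-03-06T15:33:00Z",
    "exposure_id": "EXP-2026-00245",
    "severity": "critical",
    "cvss_score": 9.2,
    "cve": "CVE-2025-26633",
    "affected_asset": "jump-srv-01.corp.local",
    "crowdstrike_agent_id": "a1b2c3d4e5f67890a1b2c3d4e5f67890",
    "crowdstrike_spotlight_id": "vuln_987654321",
    "attack_path_id": "AG-0698",
    "blast_radius": 15,
    "remediation_status": "pending",
})

# Constructed sample inventory in the shape of GET /devices/entities/devices/v2
# responses (field names are the real Falcon ones; values are made up).
SAMPLE_HOSTS = [
    {"device_id": "a1b2c3d4e5f67890a1b2c3d4e5f67890",
     "hostname": "JUMP-SRV-01", "local_ip": "10.20.5.11"},
    {"device_id": "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f",
     "hostname": "HMI-WS-07", "local_ip": "10.20.5.11"},   # same IP after DHCP churn
    {"device_id": "1234567890abcdef1234567890abcdef",
     "hostname": "eng-laptop-03", "local_ip": "10.20.9.40"},
]


@dataclass
class Match:
    device_id: str
    matched_on: str          # "agent_id", "hostname" or "ip"
    ambiguous: bool = False  # True when the key matched more than one host


def parse_event(raw: str) -> dict:
    """Reject malformed or unexpected payloads before anything acts on them."""
    ev = json.loads(raw)
    if ev.get("event") != "exposure.validated":
        raise ValueError(f"unexpected event type {ev.get('event')!r}")
    if ev.get("severity") not in SEVERITIES:
        raise ValueError(f"unknown severity {ev.get('severity')!r}")
    aid = ev.get("crowdstrike_agent_id")
    if aid is not None and not AGENT_ID_RE.match(aid):
        raise ValueError("crowdstrike_agent_id is not a 32-hex-char Falcon AID")
    return ev


def correlate(ev: dict, hosts: list, ip: Optional[str] = None) -> Optional[Match]:
    """Map the event to one Falcon host: AID first, then hostname, then IP.

    The AID is the only stable key. Hostnames are compared case-insensitively on
    the short name because Falcon reports the NetBIOS-style name. IP is the last
    resort and is flagged ambiguous when several hosts share it."""
    aid = ev.get("crowdstrike_agent_id")
    if aid:
        for h in hosts:
            if h["device_id"] == aid:
                return Match(h["device_id"], "agent_id")
    short = ev["affected_asset"].split(".")[0].lower()
    by_name = [h for h in hosts if h["hostname"].lower() == short]
    if len(by_name) == 1:
        return Match(by_name[0]["device_id"], "hostname")
    if ip:
        by_ip = [h for h in hosts if h.get("local_ip") == ip]
        if by_ip:
            return Match(by_ip[0]["device_id"], "ip", ambiguous=len(by_ip) > 1)
    return None


def plan_response(ev: dict, match: Optional[Match]) -> dict:
    """Assumed policy: only an unambiguous match on a critical exposure is
    contained automatically; everything else becomes a ticket for a human."""
    if match is None:
        return {"action": "ticket", "reason": "no Falcon host for asset"}
    if match.ambiguous:
        return {"action": "ticket", "reason": "IP matched several hosts"}
    if ev["severity"] != "critical":
        return {"action": "ticket", "reason": "below containment threshold"}
    # Real Falcon endpoint for network containment; needs the Hosts write scope.
    return {"action": "contain",
            "request": {"method": "POST",
                        "path": "/devices/entities/devices-actions/v2",
                        "params": {"action_name": "contain"},
                        "json": {"ids": [match.device_id]}}}


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)
    found = correlate(event, SAMPLE_HOSTS)
    print(found, plan_response(event, found))
```

The ambiguity flag matters in OT networks, where flat subnets and static-looking DHCP leases make IP the weakest of the three keys: containing the wrong host on a safety-critical segment is worse than raising a ticket.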