SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

CrowdStrike adds AI security tools & Microsoft SIEM

Mon, 23rd Mar 2026

CrowdStrike has introduced new AI security features for its Falcon platform and added Falcon Next-Gen SIEM support for Microsoft Defender for Endpoint. Together, the updates extend its reach across endpoint security and security operations.

The AI security announcement focuses on the endpoint, now a primary place where AI agents execute commands, access data and trigger actions that can resemble legitimate user activity. CrowdStrike says its sensors detect more than 1,800 distinct AI applications running on enterprise devices, representing nearly 160 million unique application instances across its customer base.

Those figures highlight how quickly AI software has spread through corporate environments, often beyond the view of security teams. The new features are designed to discover AI applications and agents, apply governance to unauthorised or "shadow" AI use, and detect threats at runtime across endpoints, browsers, software-as-a-service platforms and cloud environments.

AI oversight

At the endpoint level, Falcon can now provide runtime visibility into AI behaviour by capturing commands, scripts, file activity and network connections from applications running on a device, including agent-based software. This gives security teams a way to trace suspicious behaviour to the originating process and isolate affected endpoints if needed.

CrowdStrike has also expanded its discovery tools to identify AI applications, agents, large language model runtimes, MCP servers and development tools on endpoints, linking them to asset context and privilege exposure. Another addition extends prompt-layer inspection to desktop AI applications including ChatGPT, Gemini, Claude, DeepSeek, Microsoft Copilot, O365 Copilot, GitHub Copilot and Cursor.

Beyond the device itself, AI agents increasingly operate across browsers, SaaS tools and cloud workloads, often using permissions not designed for machine-speed governance. CrowdStrike says its recent acquisition of Seraphic extends runtime protection into the browser, where many AI-driven tasks now take place.

In SaaS and cloud environments, Falcon can identify AI agent activity and data access across platforms including Microsoft Copilot for Power Platform, Salesforce Agentforce, ChatGPT Enterprise, OpenAI Enterprise GPT and Nexos.ai. CrowdStrike has also introduced monitoring for Microsoft Copilot Studio agents, along with cloud-focused tools to identify ungoverned AI services, monitor AI data flows and detect prompt attacks, data leaks and policy violations.

"AI agents are fundamentally changing how technology operates and how it must be secured," said Michael Sentonas, President, CrowdStrike. "Security built for static applications can't keep up with autonomous systems. Organisations need real-time visibility and control over AI behaviour wherever it runs. CrowdStrike is that new standard."

SIEM expansion

The second announcement focuses on security information and event management, or SIEM, where vendors are trying to bring together large volumes of security telemetry from different products and data stores. Falcon Next-Gen SIEM can now ingest and correlate telemetry from Microsoft Defender for Endpoint without requiring deployment of a Falcon endpoint sensor.

That matters for organisations that already rely on Microsoft's endpoint protection and want to consolidate monitoring, analytics and incident response workflows without deploying another agent. Defender telemetry can be combined with Falcon log data, threat intelligence and analytics in real time.

CrowdStrike also outlined several related additions to its SIEM offering, including native Falcon Onum real-time data pipelines, federated search across third-party data stores, integration of external indicators of compromise and a Query Translation Agent designed to convert legacy SIEM queries, including Splunk searches, into CrowdStrike Query Language.

These changes are intended to reduce the cost and effort of moving away from older SIEM systems. According to CrowdStrike, the Onum integration can improve streaming speed and lower storage and ingestion overhead, while federated search lets analysts query data where it resides rather than duplicating it in a central platform.

CrowdStrike also said Falcon Next-Gen SIEM is growing 75 per cent year on year, though it did not provide an absolute revenue figure. The growth rate points to continued demand for alternatives to long-established SIEM tools as security teams manage larger data volumes and more varied environments.

"Strategic alignment and disciplined execution between industry leaders is what drives meaningful innovation and stronger security outcomes for customers," said Daniel Bernard, Chief Business Officer, CrowdStrike. "Our integration with Microsoft accelerates legacy SIEM transformation without the operational burden of deploying additional sensors. By advancing our open, data-agnostic architecture, we are giving organisations the flexibility, performance, and data economics to modernise security operations across any technology stack - meeting customers where they are to unlock the protection outcomes and value from Falcon."

Microsoft also commented on the integration. "It is great to see Microsoft Defender telemetry being leveraged within Falcon Next-Gen SIEM," said Rob Lefferts, Corporate Vice President for Threat Protection, Microsoft. "Defender operates at a global scale, and integrations like this reinforce the importance of an open ecosystem where leading platforms interoperate to help customers improve security outcomes."