CrowdStrike adds AI security tools & Microsoft SIEM link
CrowdStrike has added new AI security features to its Falcon platform and expanded Falcon Next-Gen SIEM to work with Microsoft Defender for Endpoint.
The updates come as security teams face growing pressure from the spread of AI tools across corporate systems and from efforts to replace older security operations technology.
The new Falcon features are intended to make the endpoint the main control point for AI security. They cover AI agent discovery, governance and runtime protection across endpoints, software-as-a-service applications, browsers and cloud environments.
According to CrowdStrike, its sensors are detecting more than 1,800 distinct AI applications on enterprise devices across its customer base, representing nearly 160 million unique application instances. It says the rise of agentic AI is creating new risks because AI agents can execute commands, access sensitive data and trigger workflows with system-level privileges.
The vendor's latest threat report found that attackers are increasingly trying to compromise AI agents and use them as malicious insiders. That helps explain the company's focus on the endpoint: it is where an agent's commands, data access and workflow triggers are actually executed, and where that activity can be hard to distinguish from ordinary user behaviour.
The additions include runtime monitoring tools for AI behaviour on devices, discovery of AI applications and related tools running on endpoints, and prompt-layer protections for desktop AI applications. Desktop coverage includes ChatGPT, Gemini, Claude, DeepSeek, Microsoft Copilot, O365 Copilot, GitHub Copilot and Cursor.
Beyond the endpoint, CrowdStrike is extending visibility into AI agent activity across SaaS platforms, browsers and cloud systems. This includes discovery of AI agent usage and permissions in platforms such as Microsoft Copilot in Power Platform, Salesforce Agentforce, ChatGPT Enterprise, OpenAI Enterprise GPT and Nexos.ai, along with cloud-focused tools to track data exposure and inspect AI workloads.
Michael Sentonas, President of CrowdStrike, said the shift requires a new security model. "AI agents are fundamentally changing how technology operates and how it must be secured," Sentonas said. "Security built for static applications can't keep up with autonomous systems. Organisations need real-time visibility and control over AI behavior wherever it runs. CrowdStrike is that new standard."
SIEM integration
Separately, Falcon Next-Gen SIEM can now ingest and correlate telemetry from Microsoft Defender for Endpoint without requiring deployment of the Falcon sensor on those devices. The move is aimed at organisations that use Microsoft endpoint security tools but want to modernise security operations workflows without adding another endpoint agent.
CrowdStrike also announced related changes intended to ease migration from older SIEM products. These include native Falcon Onum real-time data pipelines, federated search across third-party data stores, third-party threat intelligence integration and a Query Translation Agent that converts legacy SIEM searches into CrowdStrike Query Language.
The broader SIEM changes are designed to simplify data onboarding, reduce storage and ingestion costs, and let analysts search external data where it already resides. CrowdStrike cited compatibility with external data sources including Falcon LogScale and ExtraHop.
Daniel Bernard, Chief Business Officer at CrowdStrike, described the Microsoft tie-up as part of a broader open-architecture approach. "Strategic alignment and disciplined execution between industry leaders is what drives meaningful innovation and stronger security outcomes for customers," Bernard said. "Our integration with Microsoft accelerates legacy SIEM transformation without the operational burden of deploying additional sensors. By advancing our open, data-agnostic architecture, we are giving organizations the flexibility, performance, and data economics to modernize security operations across any technology stack - meeting customers where they are to unlock the protection outcomes and value from Falcon."
Microsoft also commented on the new telemetry support. "It is great to see Microsoft Defender telemetry being leveraged within Falcon Next-Gen SIEM," said Microsoft's Lefferts. "Defender operates at a global scale, and integrations like this reinforce the importance of an open ecosystem where leading platforms interoperate to help customers improve security outcomes."
Market pressure
The announcements come as cyber security suppliers race to adapt their products for customers navigating two overlapping transitions: wider AI adoption and the modernisation of security operations centres. In practice, that means more scrutiny of how AI tools behave inside organisations and greater demand for security products that can work across mixed technology estates rather than force wholesale replacement.
CrowdStrike said its Next-Gen SIEM business has been growing 75 per cent year on year. It also said its Onum integration can deliver up to 5x faster streaming, 50 per cent lower storage costs, 70 per cent faster incident response and 40 per cent less ingestion overhead through filtering and in-pipeline detection.
For security teams, the significance of the two launches lies in the same operational challenge: gaining visibility across sprawling environments without adding more tools or manual work. CrowdStrike's count of 1,800 AI applications and nearly 160 million instances across customer environments underlines how quickly that challenge is expanding.