CrowdStrike

Find the right integration to enhance your identity security

⭐ Overview

CrowdStrike Falcon protects and correlates signals across your endpoints and environment. SpyCloud gives Falcon the darknet intelligence to close the gap that endpoint and network telemetry alone can't see: credentials stolen in third-party breaches, malware infections, and successful phishes that never touch your network.

SpyCloud recaptures stolen credentials, session cookies, and PII directly from criminal communities - sourced from breaches, infostealer malware logs, combolists, and phishing kits - weeks to months before this data surfaces publicly. By delivering this intelligence directly into the Falcon tools your team already uses, your SOC can see compromised identities and infected devices before they're weaponized, and act on them without changing how analysts investigate.

SpyCloud offers two purpose-built integrations for CrowdStrike Falcon, covering both SIEM-based detection and EDR-based response.


⚙️ Available integrations

SpyCloud Workforce Threat Protection/Employee ATO Prevention for CrowdStrike Falcon Next-Gen SIEM

Platform: Falcon Next-Gen SIEM | Audience: SOC analysts, threat hunters

A data connector that continuously delivers recaptured exposure data — breaches, infostealer malware logs, phishing kits, and combolists — directly into Advanced Event Search, parsed and host-enriched alongside every other Falcon signal. Analysts see compromised employee credentials weeks before they're weaponized.

SpyCloud Endpoint Threat Protection/SpyCloud Compass for CrowdStrike Falcon (EDR)

Platform: Falcon EDR | Audience: Endpoint/IR teams

An integration that delivers post-infection identity evidence (plaintext credentials, session cookies, and tokens) for endpoints compromised by infostealer malware, including malware that bypasses EDR or lands on unmanaged devices. Falcon policies can then isolate compromised endpoints and block further exfiltration.


Integration comparison

Workforce Threat Protection/Employee ATO Prevention for CrowdStrike Falcon Next-Gen SIEMEndpoint Threat Protection/SpyCloud Compass for Falcon EDR
AudienceSOC analysts, threat huntersEndpoint/IR teams
PlatformFalcon Next-Gen SIEM / Falcon Next-Gen SIEM 10GBFalcon EDR
SpyCloud license requiredWorkforce Threat Protection with API accessEndpoint Threat Protection with API access
Data deliveredBreach Watchlist events, Breach Catalog eventsPost-infection identity evidence (credentials, cookies/tokens)
Primary use caseCorrelate credential exposure signals alongside other Falcon signals in Advanced Event SearchDetect and contain infostealer-compromised endpoints, including EDR bypasses and unmanaged devices
Setup requiredConfigure Data Connector in Log management › Data onboardingConnect SpyCloud post-infection identity data via your established ingest/automation method

🛠️ How it works

Each integration surfaces a different stage of the identity threat lifecycle:

Workforce Threat Protection Data Connector — SpyCloud continuously recaptures breach, malware log, phishing, and combolist data and pushes Breach Watchlist and Breach Catalog events into Falcon Next-Gen SIEM's Advanced Event Search, parsed and host-enriched alongside your other signals. This is the earliest available signal of credential compromise — before it's used in an attack.

Endpoint Threat Protection for Falcon EDR — When a device is infected by infostealer malware, SpyCloud recaptures the credentials, cookies, and tokens siphoned from that endpoint. That identity evidence is correlated with Falcon-managed hosts and users to understand blast radius, and Falcon policies can isolate the endpoint and block further exfiltration while credentials and sessions are reset and revoked.

Note: The two integrations require different SpyCloud licenses. The Data Connector requires an active Workforce Threat Protection subscription with API access; the EDR integration requires an Endpoint Threat Protection license.

If you're not sure which applies to your use case, contact your SpyCloud account team before getting started.


🔎 What SpyCloud delivers

SourceWhat it covers
Third-party breachesCredentials exposed in external breaches
Infostealer malware logsCredentials, session cookies, and device data harvested from malware-infected devices, including unmanaged devices outside EDR coverage
CombolistsAggregated credential lists compiled and traded in criminal markets
Phishing kitsCredentials captured through phishing campaigns

Additional resources