CrowdStrike used the RSA Conference to announce new features aimed at securing the use of AI agents on endpoints and integrating Microsoft Defender for Endpoint telemetry into its Falcon Next-Gen SIEM.
The first announcement focuses on monitoring and controlling AI agent activity from the endpoint, which CrowdStrike says is where many AI-driven actions execute, including command execution and data access. The company said it has added capabilities for AI agent discovery, “shadow AI” governance and runtime threat detection across endpoints, SaaS, browsers and cloud environments.
CrowdStrike said its endpoint sensors detect more than 1,800 distinct AI applications running on enterprise devices, representing nearly 160 million unique application instances across its customer base.
The company’s new endpoint-focused features include what it calls EDR AI Runtime Protection to capture commands, scripts, file activity and network connections for applications running on a device, including “agentic” applications. It also outlined “Shadow AI Discovery for Endpoint” to identify AI applications and related components running across endpoints, and “AIDR for Endpoint” to inspect prompts and detect prompt injection attempts and data leakage in desktop AI tools.
CrowdStrike president Michael Sentonas said organisations need “real-time visibility and control over AI behaviour wherever it runs”.
The second announcement targets security operations teams running Microsoft Defender for Endpoint. CrowdStrike said Falcon Next-Gen SIEM can now ingest and correlate Microsoft Defender for Endpoint telemetry, allowing Microsoft endpoint customers to add Falcon’s analytics and threat intelligence without deploying an additional Falcon sensor.
CrowdStrike also announced additional Next-Gen SIEM-related updates, including real-time data pipelines through Falcon Onum, federated search across third-party data stores, third-party threat intelligence integration, and a Query Translation Agent designed to convert legacy SIEM queries into CrowdStrike Query Language.
Daniel Bernard, CrowdStrike’s chief business officer, said the Microsoft integration is intended to support legacy SIEM replacement efforts while reducing the operational burden of deploying additional endpoint sensors. Microsoft corporate vice president for threat protection Rob Lefferts said the integration reflects a broader push for interoperability across security platforms.
The announcements reflect a growing focus among security vendors on governance and detection for AI agents, alongside continued competition to modernise SIEM platforms by lowering data onboarding and migration barriers for security operations centres.

