Falcon Endpoint Collector
With the Falcon Endpoint collector, you can monitor AI activity in web browsers through the Falcon browser extension. Instead of deploying a standalone AIDR browser extension, you can enable AIDR capabilities on the Falcon browser extension. The Falcon sensor deploys and manages this extension.
The Falcon Endpoint collector supports the same policy rules as the standalone browser collector, including Site Access, Input Rules, and Output Rules.
Deploy the Falcon Endpoint collector when:
- Your endpoints run the Falcon sensor.
- You prefer centralized deployment through the Falcon sensor instead of managing a separate browser extension with enterprise tools, such as Chrome Enterprise, Intune, GPO, and Jamf.
- You want to assign AIDR policies to Falcon host groups for consistent security coverage.
If your endpoints don't run the Falcon sensor, use the
standalone browser collector instead.The Falcon browser extension supports only Google Chrome and Microsoft Edge. If you deployed the standalone AIDR browser extension on Firefox, continue to use it for Firefox coverage.
Requirements
Supported operating system: Windows
CrowdStrike clouds: US-1, US-2, EU-1
Requires all of these subscriptions:
- AIDR for Workforce
- Falcon Insight XDR
Requires one of these subscriptions:
- Falcon Data Protection for Endpoint
- Falcon Identity Threat Protection
Sensor: Falcon sensor for Windows versions 7.39 and later
Falcon Browser Extension: v2
Default roles:
- AIDR Admin
- Falcon Admin (read and write)
- Falcon Host Administrator (read and write)
Permissions required for custom roles:
- Manage AIDR findings and workforce collectors
- Read AIDR data from LogScale
- Read AIDR findings and workforce collectors
- Read permissions for Browser Extension UI
- Write permissions for Browser Extension UI
- View browser extension policies
- Write browser extension policies
- View advanced fields for browser extension policies
- Write advanced fields for browser extension policies
System requirements:
- Workstations with Windows 10 or later (64-bit only). ARM-based Windows endpoints are not supported.
- Windows Server 2016 or later for automated installation.
Your Windows Server instance must meet one of these conditions:
- Joined to a Microsoft Active Directory domain
- Joined to a Microsoft Entra ID domain
- Managed through MDM
- Enrolled in Chrome Browser Cloud Management
Supported browsers:
Your organization must manage all browsers.
- Google Chrome - Latest three major release versions
- Microsoft Edge - Latest three major release versions
Deploy Falcon sensor
Install the Falcon sensor on all Windows endpoints that you want to monitor with the Falcon Endpoint collector. The Falcon browser extension requires a running sensor.
The sensor version must meet the requirements for this collector.
For installation steps, see
Falcon sensor for Windows deployment .After you install the sensor, add the endpoints to a host group. You assign this host group to both the browser extension policy and the AIDR deployment policy in later steps.
For more information, see Host and Host Group Management .
Deploy Falcon browser extension
Before you configure the AIDR integration, deploy the Falcon browser extension to your endpoints through a browser extension policy. The AIDR deployment policy enables the AIDR module on the extension but doesn't install the extension itself.
You can deploy the extension through automatic installation in the Falcon console or custom installation with MDM tools, such as Intune and Workspace ONE.
For deployment options and steps, see Falcon Browser Extension .
After you deploy the extension on endpoints, continue with the following AIDR configuration steps.
Create policy
The Falcon Endpoint collector requires its own policies, separate from browser policies. Create a Falcon Endpoint policy to define the detection rules for this collector. The Falcon Endpoint policy type supports the same rule settings as the browser policy type.
- In the Falcon console, go to AIDR detection and response > Policies.
- Click + Policy.
- Select Falcon Endpoint as the policy type.
- Enter a Display Name.
- Click Save.
AIDR creates the policy and opens its details page. Define Site Access, Input Rules, and Output Rules as needed.
For more information, see Policy Configuration .
Register collector
-
On the Collectors page, click + Collector.
- Click Falcon Endpoint, select Falcon Endpoint as the collector type and click Next.
-
On the Add a Collector screen:
- Collector Name - Enter a descriptive name for the collector. This name appears in dashboards and reports.
- Logging - Select whether to log prompt data and model responses, or only metadata sent to AIDR. You can also exclude prompt content in access rule action settings .
- Policy (optional) - Assign a policy to analyze incoming data and model responses.
-
You can select an existing policy available for this collector type or create a policy on the Policies page.
The selected policy name appears under the dropdown. After you save the collector registration, this label becomes a link to the corresponding policy page.
-
You can also select
No Policy, Log Only. Without a policy, AIDR records activity for visibility and analysis without applying detection rules.
The assigned policy determines which detections run on data sent to AIDR. Policies define rules for detecting malicious activity, sensitive data exposure, topic violations, and other risks in AI interactions.
- Click Save to complete collector registration.
This opens the collector details page, where you can:
- Update the collector name, logging preference, and policy assignment.
- Click the policy link to view the policy details.
- View installation instructions for the collector type on the Install tab.
- View the collector configuration activity logs.
To open the collector details page later, select your collector from the list on the Collectors page.
Deploy collector
After you register the collector, create an AIDR deployment policy to assign the collector to Falcon host groups. This policy enables AIDR capabilities on the Falcon browser extension for endpoints in the assigned groups.
Create AIDR deployment policy
-
On the collector details page, click Install.
-
Click Manage AIDR Endpoint Policies.
You can also open AIDR deployment policies from the main menu: AIDR detection and response > AIDR Deployment Policy.
-
On the AIDR Policies page, click Create policy.
-
Enter a policy name and description.
-
Click Create policy.
Assign collector to AIDR deployment policy
- On the deployment policy details page, under AIDR Collector, select your registered Falcon Endpoint collector from the Collector dropdown.
- Click Save.
Assign host groups
- On the deployment policy details page, click Assigned host groups.
- Click Assign host groups.
- Select the host groups you want to assign to the policy.
- Click Assign n groups.
After you assign host groups, click a group name to open the group details:
-
Click View host group detail page to view the hosts in the group. This opens Host setup and management > Host groups in the Falcon console.
For more information about managing host groups, see Host and Host Group Management .
-
In the list of policies using this host group, click a policy name to open its deployment policy page.
Enable the deployment policy
Click Enable policy to activate the deployment policy. If multiple deployment policies apply to a host group, the policy with the highest precedence takes effect. To deactivate the policy later, click Disable policy and follow the confirmation steps.
Verify deployment
After you enable the deployment policy, verify that the collector is active and sending events to AIDR:
- On an endpoint in the assigned host group, open a supported browser, Chrome or Edge.
- Browse to a site matched by your Falcon Endpoint policy; for example, a site in your Site Access rules.
- In the Falcon console, go to AIDR detection and response > Findings.
- Filter by Collector Type
Falcon Endpoint(falcon_endpoint) and Tags containingBrowserand confirm that new events appear.
If no events appear after several minutes:
- Verify that the endpoint's Falcon sensor version meets the requirements.
- Confirm that the AIDR deployment policy is enabled and assigned to the correct host group.
View collector data
Falcon Endpoint data
The Falcon Endpoint collector populates the following fields from sensor-provided data:
collector_instance_id- Falcon sensor AID. Join this value withaidoragent.idin sensor event repositories for cross-dataset correlation. You can correlate AIDR findings with endpoint telemetry, such as EDR, identity, and network data, in Next-Gen SIEM.user_id- User identifier (Windows SID), provided by the sensor.extra_info.user_name- User's display name, provided by the sensor.extra_info.hostname- Hostname of the endpoint where the Falcon sensor is installed.
AIDR Findings
You can identify Falcon Endpoint collector events by Collector Type falcon_endpoint and a Browser tag in Tags:
{
...
"collector_type": "falcon_endpoint",
"collector_name": "My Falcon Endpoint collector",
"collector_instance_id": "92d83ea497e64ca79d630a57ec474d0d",
"user_id": "S-1-5-21-1729003050-33016928-2308870259-1004",
"citations": {
"tags": ["Browser"]
},
"extra_info": {
"hostname": "DESKTOP-W10PC01",
"user_name": "jgoines",
"extension_version": "2.0.27",
...
},
...
}
View collector event data in AIDR Findings and Visibility:
- Findings - View individual events, filter by collector type, and inspect detection details.
- Visibility - Explore relationships between logged data attributes and view metrics in AIDR dashboards.
Next-Gen SIEM
Falcon Endpoint events include endpoint identification fields that the parser promotes to top-level fields.
host.hostname- Parsed fromVendor.extra_info.hostname(lowercased).ComputerName- Parsed fromVendor.extra_info.hostname(original case).
{
...
"agent.type": "falcon_endpoint",
"agent.name": "My Falcon Endpoint collector",
"host.hostname": "desktop-w10pc01",
"ComputerName": "DESKTOP-W10PC01",
"Vendor.collector_instance_id": "92d83ea497e64ca79d630a57ec474d0d",
"Vendor.extra_info.hostname": "DESKTOP-W10PC01",
"Vendor.extra_info.user_name": "jgoines",
"Vendor.extra_info.extension_version": "2.0.27",
"Vendor.collector_type": "falcon_endpoint",
"Vendor.citations.tags[0]": "Browser",
...
}
Correlation example
Find Falcon Endpoint events and enrich with endpoint data from the same sensor:
defineTable(
name="host_info",
query={#repo="base_sensor" #event_simpleName="HostInfo"},
include=[aid, MachineDomain, ComputerName, event_platform, aip]
)
| #repo="aidr"
event_type="AIDRPromptDataEvent"
agent.type="falcon_endpoint"
| match(
table="host_info",
field=Vendor.collector_instance_id,
column=aid,
strict=false
)
| select([Vendor.collector_instance_id, Vendor.application_name, Vendor.summary, ComputerName, MachineDomain, event_platform, aip, @timestamp])
| sort(@timestamp, order=desc, limit=50)
Example results:
| Vendor.collector_instance_id | Vendor.application_name | Vendor.summary | ComputerName | MachineDomain | event_platform | aip |
|---|---|---|---|---|---|---|
| 92d83ea497e...4d0d | ChatGPT | The operation was completed successfully. | AIDR1-PC07 | aidr1.idpro | Win | 69.210.71.37 |
| 92d83ea497e...4d0d | ChatGPT | Confidential and PII Entity was detected and redacted. | AIDR1-PC07 | aidr1.idpro | Win | 69.210.71.37 |
The joined fields (ComputerName, MachineDomain, event_platform, aip) come from the sensor's HostInfo event.
They confirm the endpoint identity and network location associated with each AIDR finding.
For more information about querying AIDR events in LogScale, see Next-Gen SIEM .
Next steps
-
If you're migrating from the standalone AIDR browser extension, remove it after verifying the Falcon browser extension.
During the transition, the standalone AIDR extension automatically disables itself when the Falcon browser extension with the AIDR module is present. After you confirm the Falcon browser extension works correctly, remove the standalone extension.
To confirm which version is installed, open the AIDR extension from the browser toolbar.
-
View collected data on Visibility and Findings pages. Analyze it in Next-Gen SIEM to decide on further implementation steps.
-
Determine which policy to apply:
- Start with monitoring policies and report actions.
- Apply protection to identified risks by enforcing blocking and data transformation actions based on your organization’s AI usage guidelines.
-
For more information, see Collector Categories.