Skip to main content

Falcon Endpoint Collector

With the Falcon Endpoint collector, you can monitor AI activity in web browsers through the Falcon browser extension. Instead of deploying a standalone AIDR browser extension, you can enable AIDR capabilities on the Falcon browser extension. The Falcon sensor deploys and manages this extension.

The Falcon Endpoint collector supports the same policy rules as the standalone browser collector, including Site Access, Input Rules, and Output Rules.

Deploy the Falcon Endpoint collector when:

  • Your endpoints run the Falcon sensor.
  • You prefer centralized deployment through the Falcon sensor instead of managing a separate browser extension with enterprise tools, such as Chrome Enterprise, Intune, GPO, and Jamf.
  • You want to assign AIDR policies to Falcon host groups for consistent security coverage.

If your endpoints don't run the Falcon sensor, use the

standalone browser collector instead.

note:

The Falcon browser extension supports only Google Chrome and Microsoft Edge. If you deployed the standalone AIDR browser extension on Firefox, continue to use it for Firefox coverage.

Requirements

Supported operating system: Windows

CrowdStrike clouds: US-1, US-2, EU-1

Requires all of these subscriptions:

  • AIDR for Workforce
  • Falcon Insight XDR

Requires one of these subscriptions:

  • Falcon Data Protection for Endpoint
  • Falcon Identity Threat Protection

Sensor: Falcon sensor for Windows versions 7.39 and later

Falcon Browser Extension: v2

Default roles:

  • AIDR Admin
  • Falcon Admin (read and write)
  • Falcon Host Administrator (read and write)

Permissions required for custom roles:

  • Manage AIDR findings and workforce collectors
  • Read AIDR data from LogScale
  • Read AIDR findings and workforce collectors
  • Read permissions for Browser Extension UI
  • Write permissions for Browser Extension UI
  • View browser extension policies
  • Write browser extension policies
  • View advanced fields for browser extension policies
  • Write advanced fields for browser extension policies

System requirements:

  • Workstations with Windows 10 or later (64-bit only). ARM-based Windows endpoints are not supported.
  • Windows Server 2016 or later for automated installation. Your Windows Server instance must meet one of these conditions:
    • Joined to a Microsoft Active Directory domain
    • Joined to a Microsoft Entra ID domain
    • Managed through MDM
    • Enrolled in Chrome Browser Cloud Management

Supported browsers:

Your organization must manage all browsers.

  • Google Chrome - Latest three major release versions
  • Microsoft Edge - Latest three major release versions

Deploy Falcon sensor

Install the Falcon sensor on all Windows endpoints that you want to monitor with the Falcon Endpoint collector. The Falcon browser extension requires a running sensor.

The sensor version must meet the requirements for this collector.

For installation steps, see

Falcon sensor for Windows deployment .

After you install the sensor, add the endpoints to a host group. You assign this host group to both the browser extension policy and the AIDR deployment policy in later steps.

For more information, see Host and Host Group Management .

Deploy Falcon browser extension

Before you configure the AIDR integration, deploy the Falcon browser extension to your endpoints through a browser extension policy. The AIDR deployment policy enables the AIDR module on the extension but doesn't install the extension itself.

You can deploy the extension through automatic installation in the Falcon console or custom installation with MDM tools, such as Intune and Workspace ONE.

For deployment options and steps, see Falcon Browser Extension .

After you deploy the extension on endpoints, continue with the following AIDR configuration steps.

Create policy

The Falcon Endpoint collector requires its own policies, separate from browser policies. Create a Falcon Endpoint policy to define the detection rules for this collector. The Falcon Endpoint policy type supports the same rule settings as the browser policy type.

  1. In the Falcon console, go to AIDR detection and response > Policies.
  2. Click + Policy.
  3. Select Falcon Endpoint as the policy type.
  4. Enter a Display Name.
  5. Click Save.

AIDR creates the policy and opens its details page. Define Site Access, Input Rules, and Output Rules as needed.

For more information, see Policy Configuration .

Register collector

  1. On the Collectors page, click + Collector.

  2. Click Falcon Endpoint, select Falcon Endpoint as the collector type and click Next.
  3. On the Add a Collector screen:

    • Collector Name - Enter a descriptive name for the collector. This name appears in dashboards and reports.
    • Logging - Select whether to log prompt data and model responses, or only metadata sent to AIDR. You can also exclude prompt content in access rule action settings .
    • Policy (optional) - Assign a policy to analyze incoming data and model responses.
    • The assigned policy determines which detections run on data sent to AIDR. Policies define rules for detecting malicious activity, sensitive data exposure, topic violations, and other risks in AI interactions.

      • You can select an existing policy available for this collector type or create a policy on the Policies page.

        The selected policy name appears under the dropdown. After you save the collector registration, this label becomes a link to the corresponding policy page.

      • You can also select No Policy, Log Only. Without a policy, AIDR records activity for visibility and analysis without applying detection rules.

  1. Click Save to complete collector registration.

This opens the collector details page, where you can:

  • Update the collector name, logging preference, and policy assignment.
  • Click the policy link to view the policy details.
  • View installation instructions for the collector type on the Install tab.
  • View the collector configuration activity logs.

To open the collector details page later, select your collector from the list on the Collectors page.

Deploy collector

After you register the collector, create an AIDR deployment policy to assign the collector to Falcon host groups. This policy enables AIDR capabilities on the Falcon browser extension for endpoints in the assigned groups.

Create AIDR deployment policy

  1. On the collector details page, click Install.

  2. Click Manage AIDR Endpoint Policies.

    You can also open AIDR deployment policies from the main menu: AIDR detection and response > AIDR Deployment Policy.

  3. On the AIDR Policies page, click Create policy.

  4. Enter a policy name and description.

  5. Click Create policy.

Assign collector to AIDR deployment policy

  1. On the deployment policy details page, under AIDR Collector, select your registered Falcon Endpoint collector from the Collector dropdown.
  2. Click Save.

Assign host groups

  1. On the deployment policy details page, click Assigned host groups.
  2. Click Assign host groups.
  3. Select the host groups you want to assign to the policy.
  4. Click Assign n groups.

After you assign host groups, click a group name to open the group details:

  • Click View host group detail page to view the hosts in the group. This opens Host setup and management > Host groups in the Falcon console.

    For more information about managing host groups, see Host and Host Group Management .

  • In the list of policies using this host group, click a policy name to open its deployment policy page.

Enable the deployment policy

Click Enable policy to activate the deployment policy. If multiple deployment policies apply to a host group, the policy with the highest precedence takes effect. To deactivate the policy later, click Disable policy and follow the confirmation steps.

Verify deployment

After you enable the deployment policy, verify that the collector is active and sending events to AIDR:

  1. On an endpoint in the assigned host group, open a supported browser, Chrome or Edge.
  2. Browse to a site matched by your Falcon Endpoint policy; for example, a site in your Site Access rules.
  3. In the Falcon console, go to AIDR detection and response > Findings.
  4. Filter by Collector Type Falcon Endpoint (falcon_endpoint) and Tags containing Browser and confirm that new events appear.

If no events appear after several minutes:

  • Verify that the endpoint's Falcon sensor version meets the requirements.
  • Confirm that the AIDR deployment policy is enabled and assigned to the correct host group.

View collector data

Falcon Endpoint data

The Falcon Endpoint collector populates the following fields from sensor-provided data:

  • collector_instance_id - Falcon sensor AID. Join this value with aid or agent.id in sensor event repositories for cross-dataset correlation. You can correlate AIDR findings with endpoint telemetry, such as EDR, identity, and network data, in Next-Gen SIEM.
  • user_id - User identifier (Windows SID), provided by the sensor.
  • extra_info.user_name - User's display name, provided by the sensor.
  • extra_info.hostname - Hostname of the endpoint where the Falcon sensor is installed.

AIDR Findings

You can identify Falcon Endpoint collector events by Collector Type falcon_endpoint and a Browser tag in Tags:

Example JSON representation of Falcon Endpoint event data in Findings
{
...
"collector_type": "falcon_endpoint",
"collector_name": "My Falcon Endpoint collector",
"collector_instance_id": "92d83ea497e64ca79d630a57ec474d0d",
"user_id": "S-1-5-21-1729003050-33016928-2308870259-1004",
"citations": {
"tags": ["Browser"]
},
"extra_info": {
"hostname": "DESKTOP-W10PC01",
"user_name": "jgoines",
"extension_version": "2.0.27",
...
},
...
}

View collector event data in AIDR Findings and Visibility:

  • Findings - View individual events, filter by collector type, and inspect detection details.
  • Visibility - Explore relationships between logged data attributes and view metrics in AIDR dashboards.

Next-Gen SIEM

Falcon Endpoint events include endpoint identification fields that the parser promotes to top-level fields.

  • host.hostname - Parsed from Vendor.extra_info.hostname (lowercased).
  • ComputerName - Parsed from Vendor.extra_info.hostname (original case).
Example Falcon Endpoint event in Next-Gen SIEM
{
...
"agent.type": "falcon_endpoint",
"agent.name": "My Falcon Endpoint collector",
"host.hostname": "desktop-w10pc01",
"ComputerName": "DESKTOP-W10PC01",
"Vendor.collector_instance_id": "92d83ea497e64ca79d630a57ec474d0d",
"Vendor.extra_info.hostname": "DESKTOP-W10PC01",
"Vendor.extra_info.user_name": "jgoines",
"Vendor.extra_info.extension_version": "2.0.27",
"Vendor.collector_type": "falcon_endpoint",
"Vendor.citations.tags[0]": "Browser",
...
}

Correlation example

Find Falcon Endpoint events and enrich with endpoint data from the same sensor:

Next-Gen SIEM query - Correlate AIDR alerts with endpoint data
defineTable(
name="host_info",
query={#repo="base_sensor" #event_simpleName="HostInfo"},
include=[aid, MachineDomain, ComputerName, event_platform, aip]
)
| #repo="aidr"
event_type="AIDRPromptDataEvent"
agent.type="falcon_endpoint"
| match(
table="host_info",
field=Vendor.collector_instance_id,
column=aid,
strict=false
)
| select([Vendor.collector_instance_id, Vendor.application_name, Vendor.summary, ComputerName, MachineDomain, event_platform, aip, @timestamp])
| sort(@timestamp, order=desc, limit=50)

Example results:

Vendor.collector_instance_idVendor.application_nameVendor.summaryComputerNameMachineDomainevent_platformaip
92d83ea497e...4d0dChatGPTThe operation was completed successfully.AIDR1-PC07aidr1.idproWin69.210.71.37
92d83ea497e...4d0dChatGPTConfidential and PII Entity was detected and redacted.AIDR1-PC07aidr1.idproWin69.210.71.37

The joined fields (ComputerName, MachineDomain, event_platform, aip) come from the sensor's HostInfo event. They confirm the endpoint identity and network location associated with each AIDR finding.

For more information about querying AIDR events in LogScale, see Next-Gen SIEM .

Next steps

  • If you're migrating from the standalone AIDR browser extension, remove it after verifying the Falcon browser extension.

    During the transition, the standalone AIDR extension automatically disables itself when the Falcon browser extension with the AIDR module is present. After you confirm the Falcon browser extension works correctly, remove the standalone extension.

    To confirm which version is installed, open the AIDR extension from the browser toolbar.

  • View collected data on Visibility and Findings pages. Analyze it in Next-Gen SIEM to decide on further implementation steps.

  • Determine which policy to apply:

    • Start with monitoring policies and report actions.
    • Apply protection to identified risks by enforcing blocking and data transformation actions based on your organization’s AI usage guidelines.
  • For more information, see Collector Categories.

©2026 CrowdStrike. All rights reserved.

PrivacyTerms of UseLegal Notices