Introduction
The CrowdStrike EDR integration allows you to manage CrowdStrike Falcon sensors directly from the Splashtop console. You can automate Falcon sensor installation using an Endpoint Security Policy and view high-level detection and incident details within Splashtop.
The integration supports both existing CrowdStrike licenses and licenses purchased through Splashtop.
Supported Subscriptions & Licensing
Option 1: Purchase CrowdStrike Through Splashtop
The CrowdStrike integration is included when you purchase CrowdStrike through Splashtop.
Note: Purchasing CrowdStrike through Splashtop is available for organizations deploying CrowdStrike for their own internal use (Not available for MSPs). Splashtop also offers SentinelOne and Bitdefender EDR for IT and MSPs.
Option 2: Use Your Existing CrowdStrike Licenses (BYOL)
To use existing CrowdStrike licenses (Bring Your Own License), your team must have Splashtop Autonomous Endpoint Management (AEM) enabled.
With AEM enabled, the CrowdStrike integration is included and supports both existing CrowdStrike licenses and licenses purchased through Splashtop.
Requirements
-
Windows 7 and up; Streamer v3.8.0.4 and up
(Exceptions: Windows 8/8.1, Windows server 2003) - macOS 14 and up; Streamer c3.8.2.0 and up
- Note: Falcon Flight Control is not supported with the deployment feature. Deploying from Splashtop will install the agent into the main CID linked to your API details.
Getting Started
-
Sign in to your Falcon Console with an admin account.
-
Falcon US-1: https://falcon.crowdstrike.com/login/
-
Falcon US-2: https://falcon.us-2.crowdstrike.com/login/
-
Falcon EU-1: https://falcon.eu-1.crowdstrike.com/login/
-
Falcon US-GOV-1: https://falcon.laggar.gcw.crowdstrike.com/login/
-
Falcon US-GOV-2: https://falcon.us-gov-2.crowdstrike.com/login/
-
-
In the left menu, select the Support and Resources section, then go to API clients and keys.
Click Create API Client.
For Client Name and Description, enter any values you prefer.
Set the following API scopes:Scope
Read
Write
Alerts ✓
Hosts ✓
Incidents ✓
Sensor Download ✓
Sensor update policies ✓
✓
Note: CrowdStrike is deprecating incidents, so this will be removed by March 2026.
Click Create.
You’ll see the new API client details. Make sure you save the CLIENT ID and SECRET. -
In the Splashtop console (my.splashtop.com/my.splashtop.eu), go to Management > Settings > AV / EDR Integrations, then click Detailed Setup.
-
Choose your Falcon API base URL and enter the CLIENT ID and SECRET you copied from CrowdStrike. Your base URL is located at the top of the page at step 2.
Once you see the Authorized badge in the top-right corner, you’re all set, the integration is live!
Once the integration is enabled, the Splashtop Streamer will automatically detect existing Falcon Sensor installations associated with your provided CrowdStrike CID. Confirmed installations will show "CrowdStrike Falcon Sensor" in the CrowdStrike column on the Endpoint Security page.
For enforcing Falcon Sensor installation or deploying new installations, use one of the methods below.
Install by Endpoint Policy (Automatic Enforcement)
Use Endpoint Policies to automatically install the Falcon Sensor on assigned computers. Splashtop attempts the installation up to three times every two hours until the sensor is successfully installed. If the Falcon Sensor is removed, Splashtop will automatically attempt to reinstall it using the same retry behavior.
- In the Splashtop console (my.splashtop.com/my.splashtop.eu), go to Management > Endpoint Policies, then create or edit an existing policy.
-
Click the Endpoint Security tab and toggle
it
on.
Select CrowdStrike in the Security Product dropdown menu.
Click the Installation checkbox to enable automatic installation.
Install from Endpoint Security Page (On-Demand)
On-demand installation is initiated by an admin and installs silently without user interaction. This option is useful if you do not want Splashtop to automatically enforce sensor installation, or if you want to install the sensor immediately on a computer without waiting for the two-hour policy retry interval.
- In the Splashtop console (my.splashtop.com/my.splashtop.eu), go to Management > Endpoint Security.
-
Select/checkbox the computers that you would like to install
CrowdStrike
on, then click
Actions > CrowdStrike > Install CrowdStrike.
CrowdStrike notification emails are managed through Endpoint Policies, separate from other antivirus notifications that are configured at Team Settings > Endpoint Security.
Automatic sensor installation and notification emails are configured independently within the policy. You can enable CrowdStrike notifications without enabling automatic sensor installation.
- In the Splashtop console (my.splashtop.com/my.splashtop.eu), go to Management > Endpoint Policies, then create or edit an existing policy.
-
Click the Endpoint Security tab and toggle
it on.
Scroll to Notification Settings and select the alerts you would like to receive.
Notes: Threat/Incident "detected" notifications are triggered for the selected severity and above. Threat/Incident "resolved" notifications are triggered when the status of a threat (detection)/incident is changed to Closed. -
Click the Edit Email List button to configure
the email recipients.
You can type or select users/user groups from the dropdown menu.
Team users will be shown in blue, while external emails will be shown in grey.
Once the CrowdStrike integration is enabled for your team, a new CrowdStrike column appears on the Management > Endpoint Security page. Computers with a confirmed Falcon Sensor installation are listed under the CrowdStrike column, while other detected security software appears under Other Software.
This view allows you to see and manage multiple security solutions on an endpoint, if applicable. For best results, it is recommended to use a single solution, or no more than two.
Columns & Icons
- Status (Green/Yellow/Red/Grey): If two solutions are detected, shows the worst of the two.
- Security Events: Total number of detected threats and incidents across all solutions.
-
CrowdStrike - info shown if installation is detected.
- Threats (Detections) counter
- Incidents counter
- Protection status (enabled/disabled)
- Assigned Endpoint Policy name
-
Other Software - other detected security solution.
- Threats counter
- Protection status (enabled/disabled)
- Last scan time
- Details icon - to view threats, incidents and details for specific computers.
View Settings
To customize your view or hide columns/icons, click the View Settings icon at the top-right. For example, if you primarily manage CrowdStrike on all of your endpoints, you can hide the Other Software column.
Filters
To filter the computer list, click the Filters icon at the top-right. For example, you can filter by Status to find computers that have issues that need to be addressed, or filter by EDR Software Install Status to find computers that may have installation issues.
You can view high-level details for CrowdStrike threats (detections)
and incidents
directly within Splashtop. For deeper investigation and remediation,
select a
threat or incident to open it in the CrowdStrike Falcon console.
Note: CrowdStrike is deprecating incidents. This will be removed from the integration by March 2026.
CrowdStrike threats and incidents are available at Management > Threats (CrowdStrike), where you can filter results by computer group or search for a specific computer. A future update will add the ability to view CrowdStrike threats and incidents directly from an individual computer’s properties page.
To clear an alert notification in Splashtop, a CrowdStrike threat or incident must be acknowledged. When the status of a threat or incident is changed to Closed in the CrowdStrike Falcon console, it is automatically acknowledged in Splashtop.
If you want to dismiss an alert in Splashtop without closing the threat or incident in CrowdStrike, you can manually acknowledge the event in Splashtop.