Endpoint Security Integrations
Endpoint integrations capture malware detections, device compliance status, and security policy violations from your EDR and device management platforms.
Supported Platforms
| Platform | Connection Method | Events Captured |
|---|---|---|
| CrowdStrike Falcon | Falcon API | Detections, incidents, device health, IoC matches |
| SentinelOne | REST API | Threat detections, device compliance, policy violations |
| Microsoft Defender for Endpoint | Microsoft Graph API | Alerts, device risk scores, vulnerability assessments |
| Carbon Black | REST API | Alerts, watchlist hits, device policy status |
| Jamf Pro | REST API | Device compliance, OS status, encryption status |
| Microsoft Intune | Graph API | Compliance status, configuration profiles |
Setting Up CrowdStrike
- Navigate to Admin → Integrations → Add Integration
- Select CrowdStrike Falcon
- Enter your CrowdStrike API client ID and secret
- Select the base URL for your CrowdStrike region
- Test the connection and activate
API Scopes
The CrowdStrike API client needs the following scopes: Detections (Read), Hosts (Read), Incidents (Read). Create a dedicated API client for TIDALBAY with only these permissions.
Device-to-Employee Mapping
Endpoint events are mapped to employees through:
- Email address: Device assigned email matches employee record
- Username: Local or domain username mapped to employee
- Device assignment: MDM device assignment records
If a device cannot be mapped to an employee, events are logged but do not affect any score. Review unmapped devices in Admin → Integrations → Unmapped Devices.
Events Captured
| Event | Default Impact |
|---|---|
| Malware detected | -40 points |
| PUP/adware detected | -10 points |
| OS outdated (>2 versions behind) | -10 points |
| Disk encryption disabled | -15 points |
| Firewall disabled | -10 points |
| Device non-compliant | -10 points |
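The mapping rules and the default impacts above, worked through as an added example (not TIDALBAY's own code): events are resolved to an employee by assigned email, then username, then MDM assignment (that precedence is an assumption), and unmapped devices are collected for review without touching any score. The employee directory, MDM records and events are constructed sample data.

```python
from collections import defaultdict

# Default score impacts, taken from the Events Captured table above.
DEFAULT_IMPACT = {
    "malware_detected": -40,
    "pup_detected": -10,
    "os_outdated": -10,
    "disk_encryption_disabled": -15,
    "firewall_disabled": -10,
    "device_noncompliant": -10,
}

# Constructed sample data (not real records): directory and MDM assignments.
EMPLOYEES = {
    "E100": {"email": "alice@example.com", "usernames": {"alice"}},
    "E200": {"email": "bob@example.com", "usernames": {"bob"}},
}
MDM_ASSIGNMENTS = {"DEV-3": "E200"}  # device id -> employee id

def _normalize_user(name):
    # Accept local ("bob") or domain ("CORP\bob", "bob@corp") usernames.
    return name.split("\\")[-1].split("@")[0].lower()

def map_device_to_employee(event):
    """Return the employee id for an endpoint event, or None if unmapped.
    Order email -> username -> MDM assignment is an assumption."""
    email = (event.get("device_email") or "").lower()
    for emp_id, rec in EMPLOYEES.items():
        if email and rec["email"].lower() == email:
            return emp_id
    if event.get("username"):
        norm = _normalize_user(event["username"])
        for emp_id, rec in EMPLOYEES.items():
            if norm in {u.lower() for u in rec["usernames"]}:
                return emp_id
    return MDM_ASSIGNMENTS.get(event.get("device_id"))

def score_events(events, impact=DEFAULT_IMPACT):
    """Sum score impacts per employee; unmapped devices are logged, not scored."""
    deltas, unmapped = defaultdict(int), []
    for ev in events:
        emp_id = map_device_to_employee(ev)
        if emp_id is None:
            unmapped.append(ev["device_id"])  # goes to the Unmapped Devices review
            continue
        deltas[emp_id] += impact[ev["event"]]
    return dict(deltas), unmapped

SAMPLE_EVENTS = [  # constructed events
    {"device_id": "DEV-1", "device_email": "Alice@Example.com", "event": "malware_detected"},
    {"device_id": "DEV-2", "username": "CORP\\bob", "event": "disk_encryption_disabled"},
    {"device_id": "DEV-3", "event": "firewall_disabled"},  # resolved via MDM only
    {"device_id": "DEV-4", "event": "malware_detected"},   # no mapping at all
]
```

Running `score_events(SAMPLE_EVENTS)` gives E100 at -40, E200 at -25 and DEV-4 in the unmapped list.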