CrowdStrike User Risk Context

Integration between Proofpoint and CrowdStrike provides vulnerability and risk context when conducting alert investigations.

CrowdStrike user risk score and risk factors/insights are visible as part of the Users page and User section in activities and alerts. (See Users Screen.)

For ATO Protection and CASB, CrowdStrike context is available only in Alert activities.

User page with CrowdStrike Risk Score and Factors

CrowdStrike user risk context enriches Alerts

The additional context helps assess a user’s blast radius, that is, their potential impact in the event of a compromise or other threat, across endpoints, cloud environments, and beyond.

CrowdStrike’s user risk score is influenced by various risk factors now detailed in the new section. (For more information on these risk factors, refer to the Risk Factors Documentation; CrowdStrike access required.)

A notable (searchable) highlight is available for the Watched risk factor, which means a user is part of the CrowdStrike Watchlist, a logical grouping of users in CrowdStrike. When a user is placed in the CrowdStrike Watchlist, it indicates greater risk, per CrowdStrike. Falcon Identity Protection treats watched users with greater attention. In addition, policies may apply in CrowdStrike to watched users; these typically include additional actions such as step-up authentication.

Prerequisite

Displaying CrowdStrike user risk data requires integrating People Risk Explorer (PRE) with CrowdStrike. Follow the quick integration steps in the CrowdStrike Integration Guide.