Witness Anywhere: CrowdStrike (Windows)


Deploying on Windows with CrowdStrike

Witness Anywhere enables portable and remote endpoint devices to connect directly to your dedicated WitnessAI instance, without having to connect through your organization’s firewall. This keeps your AI models, applications, and traffic (AI Services) secure when accessed from your portable devices, and over public networks.
Witness Anywhere accomplishes this by deploying “on-device proxy auto-configuration” (PAC) to your endpoint devices using your Endpoint Management Solution (EMS).
Witness Anywhere works just like using WitnessAI from within your firewall, by routing AI-specific traffic to your dedicated WitnessAI service, instead of allowing traffic to connect directly to AI destination services.
💡 Important note: If a monitored device cannot connect to your dedicated WitnessAI service for any reason, by default all AI traffic will connect directly to its intended destination, and no security controls will be applied. This is configurable upon request.
Contact your WitnessAI Account Team or Support for assistance.


Prerequisites

Witness Anywhere for CrowdStrike requires the following:
  • The CrowdStrike Falcon agent must be deployed on your target devices.
  • Target devices must be mapped to a CrowdStrike Response Policy which allows RTR.
  • Monitored devices must be running the current or prior Windows version (10 or 11).
  • Your company has been onboarded to WitnessAI.
  • Your dedicated WitnessAI infrastructure has been provisioned.
  • At least one supported AI Service is configured in WitnessAI for testing purposes.

Generate Device Registration Scripts

To register devices with Witness Anywhere you must create a PAC Token. Then you will download the PAC registration scripts. For each supported combination of monitored device plus EMS platform, two scripts are provided. One applies PAC settings to a device, the other removes PAC settings from a device.

On your WitnessAI console, click (1) Settings on the left-side menu, then (2) Proxy Configuration.
Type in your preferred name for the token in the (3) Key Name field and choose the (4) Expiration Date.
The Expiration Date should allow time for you to complete the current deployment, for example 30 days.
Once a device has been registered with Witness Anywhere, the token is no longer required. An expired token will not cause devices that are already deployed to stop working.
Click (5) Generate PAC Token. When it completes you will see this message flash briefly on your screen:

Download Device Registration Scripts

To download the generated scripts, navigate to the row with your chosen Key Name in the Name column and click the corresponding download symbol on the right side (6).
A dropdown will appear; click Crowdstrike (Windows) (7).
This will download a zip file with a long random name, for example: 7786b0568ec6f80f256350ca7786b0568ec6f80f256350ca.zip.
Rename the file to something more useful, e.g. PAC_scripts.zip, and unzip the file. The unzipped folder will contain two folders: “ad_joined” and “non_ad_joined”.
Each folder contains two files: “register_device.ps1”, which applies PAC settings, and “flush.ps1”, which removes them.

Import Device Registration Scripts

Import the registration script into your CrowdStrike Real-Time Response (RTR) scripts.
Navigate to (1) Host setup and management -> (2) Response scripts and files -> (3) Create Script.
If your IdP is Active Directory, use the “register_device.ps1” in the “ad_joined” folder.
  1. Enter a name for the script in the (1) Name field, for example “register_device”.
  2. Choose “PowerShell” from the (2) “Shell Type” drop-down list.
  3. Enable the options as shown in section (3) “Script access” above.
  4. Click the (4) “Script” tab to open the script window.
  5. If your Identity Provider (IdP) is Active Directory, use the “register_device.ps1” script in the “ad_joined” folder. For other IdPs use the “register_device.ps1” script in the “non_ad_joined” folder.
  6. Copy the contents of the appropriate register_device.ps1 file and paste it into the (5) Script window.
  7. Click the Create button at the bottom of the page to save the new RTR script.
  8. Perform the same steps as above to create a script for the flush.ps1 file you saved earlier, starting at the “Import Device Registration Scripts” section above. Choose a name for this script, for example “flush”. As before, for Active Directory use the script in the “ad_joined” folder, and the script in the “non_ad_joined” folder for all other IdPs.

Testing Device Registration

Before deploying to a large group of devices, it’s good practice to test on an individual device, or a small group of devices representing the various devices in your environment.

Requirements

As listed in the Prerequisites section, these settings are required for CrowdStrike to deploy PAC settings to target devices:
  • The CrowdStrike Falcon agent must be deployed on your target devices.
  • Target devices must be mapped to a CrowdStrike Response Policy which allows RTR.

  1. In the CrowdStrike console, navigate to (1) Host setup and management -> (2) Host management.
  2. Choose a (3) Hostname to deploy the PAC to, then click on the vertical ellipsis (⋮) on the right end of the host line to display the action menu, then click on (4) Connect to host.
You will be connected to the device and the “Falcon Real-Time Response” console opens.
Now that you’re connected to your target device you can run an RTR script:
  1. Click on the (1) Scripts tab.
  2. Expand the (2) Custom Scripts folder.
  3. Click to choose your Device Registration script (3) register_device.
  4. Click the (4) Run commands tab.
  5. Click the (5) Run command button. The script will run and log output to the console.
  6. When the script completes, check the final line, which should read “Device Registration is Successful!”
  7. After the device is registered, use it to connect to a supported AI service and submit a few user prompts. After receiving your responses, verify the prompts and responses were captured in your WitnessAI Conversations page.
  8. After testing Device Registration and PAC Deployment, you can perform Bulk Deployment to Host Groups.

Removing PAC from Devices

Using the flush RTR script instead of the register_device RTR script, follow the steps in the above Testing Device Registration section to remove PAC from any individual device.

Bulk Deployment to Host Groups

Requirements

  1. Verify that python3 and pip3 are installed on the computer you’re using to perform the bulk deployment, and that your logged-in user is configured to execute them.
  2. Run this on the command line: python3 -V
     The expected output should be similar to: Python 3.13.0
  3. Run this on the command line: pip3 -V
     The expected output should be similar to: pip 24.2 from /Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/pip (python 3.13)
If your computer is missing either python3 or pip3, you can get them here:
python3: https://www.python.org/downloads/
pip3: Run ‘ensurepip’ on the command line as follows. It will check if pip is installed, and install it if it’s missing:
python3 -m ensurepip

If pip3 is installed, the expected output should be similar to:
Looking in links: /var/folders/0n/g5td3xkx5qb9z386b4vfs1dm0000gn/T/tmplu7qb6xt
Requirement already satisfied: pip in /Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages (24.2)

Bulk Deploying PAC to Host Groups using CrowdStrike

CrowdStrike does not offer bulk deployment from its console, so a Python script that uses the CrowdStrike SDK module performs the bulk deployment.
  1. Navigate to Support and Resources -> API Clients and keys.
  2. The “Create API Client” window will open.
  3. Type in a “Client name” for the new API client.
  4. In the Scope section check the checkboxes for the values below:
  5. Click the [Create] button to save the API credentials.
  6. Export the environment variables.
     On Apple macOS:
       • Open the terminal and edit ~/.zshrc using the command: nano ~/.zshrc
       • Replace the quoted values below with your values and paste the lines into the .zshrc file:
         export FALCON_CLIENT_ID="1234567890"
         export FALCON_CLIENT_SECRET="1234567890ABDCDEFG12345689"
         export FALCON_BASE_URL="https://api.us-2.crowdstrike.com"
       • Write the file with Control-O.
       • Exit the editor with Control-X.
       • Export the environment variables by running the command: source ~/.zshrc
     On Microsoft Windows, open Environment Variables:
       • Press Win + X and select System.
       • Click Advanced system settings -> Environment Variables.
       • Under User variables, click New and add:
         Variable name: FALCON_CLIENT_ID
         Variable value: your_client_id
       • Repeat for FALCON_CLIENT_SECRET and FALCON_BASE_URL.
       • Click [OK] to save and exit.
       • Close and reopen your terminal (Command Prompt or PowerShell).
  7. Create a static host group in CrowdStrike. Since the deployment script is run manually, new hosts added to a Dynamic group will not be configured automatically.
  8. Navigate to Host Setup and Management -> Host Groups.
  9. Add the desired devices to a Static Host Group, save it, then copy the Host Group ID.
  10. Download the Bulk Deployment Script “bulk_deploy.py” for CrowdStrike here.
  11. Download the “requirements.txt” file here, saving it to the folder where you will run the saved python script above.
  12. Install the required dependencies using python pip: pip3 install -r requirements.txt
  13. Run the script and provide the Host Group ID and Script Name as the arguments: python3 bulk_deploy.py --queue_offline group_id cloud_file
      Example for Host Group ID “07727425486288438ba77c2c86bdd3e6” and Script Name “register_device”:
      python3 bulk_deploy.py --queue_offline 07727425486288438ba77c2c86bdd3e6 register_device
  14. The registration script now runs on all devices in the host group that are online; for devices that are offline, the script run is queued.
  15. Once the script execution is complete, it creates a file command_output.csv in the directory where the script is located, listing the Device IDs and Hostnames together with the console output result for each device.
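As an added illustration (not WitnessAI’s own bulk_deploy.py), the same flow sketched in Python with FalconPy, CrowdStrike’s Python SDK, which is assumed here to be the “SDK module” referred to above: query the static host group, open RTR sessions with offline queueing, run the cloud script, then classify each host’s console output by the success line the testing section expects and write command_output.csv. The function names, the FalconPy calls, and SAMPLE_RESULTS are this example’s own assumptions.

```python
import csv
import os

SUCCESS_LINE = "Device Registration is Successful!"  # final line the testing section expects

# Constructed sample of body.combined.resources from an RTR batch command (not real data).
SAMPLE_RESULTS = {
    "aid-0001": {"stdout": "Applying PAC...\nDevice Registration is Successful!\n", "stderr": ""},
    "aid-0002": {"stdout": "", "stderr": "", "offline_queued": True},
    "aid-0003": {"stdout": "Applying PAC...\n", "stderr": "Error: could not apply PAC settings."},
}

def classify(result):
    """Status of one host: queued_offline, registered (success line is last), or failed."""
    if result.get("offline_queued"):
        return "queued_offline"  # the script runs when the host next checks in
    lines = [ln for ln in (result.get("stdout") or "").splitlines() if ln.strip()]
    return "registered" if lines and lines[-1].strip() == SUCCESS_LINE else "failed"

def summarize(combined, hostnames):
    """Rows for command_output.csv; hostnames maps device ID -> hostname."""
    rows = []
    for aid, result in sorted(combined.items()):
        output = (result.get("stdout") or "") + (result.get("stderr") or "")
        rows.append({"device_id": aid, "hostname": hostnames.get(aid, ""),
                     "status": classify(result), "output": output.strip()})
    return rows

def write_csv(rows, path="command_output.csv"):
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["device_id", "hostname", "status", "output"])
        writer.writeheader()
        writer.writerows(rows)

def bulk_run(group_id, cloud_file, queue_offline=True):
    """Run RTR cloud script `cloud_file` on every host in static group `group_id` (needs network)."""
    from falconpy import Hosts, RealTimeResponse, RealTimeResponseAdmin  # pip install crowdstrike-falconpy
    creds = dict(client_id=os.environ["FALCON_CLIENT_ID"], client_secret=os.environ["FALCON_CLIENT_SECRET"],
                 base_url=os.environ["FALCON_BASE_URL"])
    hosts = Hosts(**creds)
    aids = hosts.query_devices_by_filter(filter=f"groups:'{group_id}'", limit=5000)["body"]["resources"]
    names = {d["device_id"]: d.get("hostname", "") for d in hosts.get_device_details(ids=aids)["body"]["resources"]}
    # One batch session for the whole group; queue_offline mirrors the --queue_offline flag above.
    batch_id = RealTimeResponse(**creds).batch_init_sessions(host_ids=aids, queue_offline=queue_offline)["body"]["batch_id"]
    # runscript is an RTR admin command; -CloudFile names a script saved under Response scripts and files.
    resp = RealTimeResponseAdmin(**creds).batch_admin_command(
        base_command="runscript", batch_id=batch_id, command_string=f"runscript -CloudFile='{cloud_file}'")
    rows = summarize(resp["body"]["combined"]["resources"], names)
    write_csv(rows)
    return rows
```

bulk_run needs network access and the API scopes configured in the steps above; classify and summarize run offline against SAMPLE_RESULTS, so a host that never printed the success line shows up as failed in the CSV instead of being assumed registered.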