Scan Endpoint Data at Rest with Falcon Data Protection for Endpoint Data Discovery

August 22, 2025

Sensitive data doesn’t just move through removable media, browsers, and cloud apps — it also sits quietly on endpoints, waiting to be discovered. Left unmonitored, this data-at-rest poses serious risks, from insider misuse to regulatory non-compliance.

With Falcon® Data Protection for Endpoint, CrowdStrike extends its data protection capabilities to uncover sensitive content stored on Windows workstations and servers. Endpoint Data Discovery, now generally available, is a new capability that scans local file systems to proactively identify documents, spreadsheets, archives, and other files containing personally identifiable information (PII), payment card industry (PCI) data, and custom-defined sensitive content.

This new functionality empowers security teams to meet compliance requirements, reduce insider risk, and gain comprehensive visibility into their data landscape — all from the same unified Falcon platform.


See how Falcon Data Protection scans endpoints for sensitive data at rest, classifies results, and provides actionable insights directly in the Falcon console.

Why Endpoint Data Discovery Matters

Attackers and insiders alike know that sensitive data often lurks in unexpected places — forgotten spreadsheets, downloaded reports, or old archives. Once an adversary gains access, defenders may have only minutes to act: the average breakout time is just 48 minutes, and the fastest observed breakout occurred in 51 seconds. Any unprotected sensitive data on a host quickly becomes a prime target.

Regulators are raising the bar as well: frameworks like PCI DSS mandate discovery of cardholder data at rest. Organizations relying solely on data-in-motion controls face critical blind spots. Endpoint Data Discovery fills this gap, ensuring you know where your most sensitive files live before adversaries or auditors do.

Key Benefits

With Endpoint Data Discovery, security teams can finally close the gap between knowing where sensitive data lives and protecting it before it’s exposed. By combining proactive data-at-rest visibility with unified classifications already used for data in motion, Falcon Data Protection empowers organizations to reduce risk, streamline compliance, and accelerate investigations — all without adding complexity or agents.

Falcon Data Protection for Endpoint now delivers:

  • Data-at-rest scanning for Windows workstations and servers
  • Automated classification and reporting for PII, PCI, PHI, and custom patterns
  • Unified classifications across both data-at-rest and data-in-motion for consistency
  • Flexible scanning options for on-demand, scheduled, recurring, and incremental scans
  • Comprehensive reporting with file-level metadata for investigation and compliance

How It Works

Endpoint Data Discovery uses a scan profile-based approach to define and execute scanning operations. Security teams can configure parameters such as:

  • Target host groups
  • Data classifications (PII, PCI, PHI, custom regex patterns, labels, and more)
  • Execution type (immediate, scheduled, or recurring)

Scans leverage the existing Falcon sensor (v7.28 and later) — no additional agents or infrastructure required. Results flow into the Falcon console with detailed metadata, including:

  • File names, paths, and system information
  • Matched classifications and detection patterns
  • Host details and scan execution history

From the results page, analysts can drill into each finding for granular detail or pivot directly to the host view to evaluate endpoint performance, scan timing, and result summaries.

Deployment and Requirements

Getting started is fast and frictionless:

  • Subscriptions required: Falcon Insight XDR and Falcon Data Protection for Endpoint
  • Sensor: Falcon sensor for Windows 7.28 or later (64-bit Windows 10+, Windows Server 2016+)
  • Policies: Target host groups must be assigned to an active Data Protection Policy with content and context inspection enabled
  • Roles: Default roles include Data Protection Admin (read and write) and Analyst (read-only)

Unified Data Protection from Endpoint to Cloud

This release is another milestone in CrowdStrike’s delivery of unified data protection from endpoint to cloud. With a shared classification engine, the same definitions and policies that protect sensitive data in motion now extend to files at rest on endpoints. Security teams get a consistent, enterprise-wide framework without the silos and complexity of legacy DLP tools.

Falcon Data Protection for Endpoint Data Discovery is available today in US-1, US-2, EU-1, Gov-1, and Gov-2 clouds.

Additional Resources

  • Visit the Falcon Data Protection webpage to learn how CrowdStrike is redefining the data protection market.
  • Sign up today to experience firsthand the benefits of Falcon Data Protection.